diff --git a/README.md b/README.md index b675dc4..d9afc05 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,12 @@ An automated code auditing tool powered by langchain. +Tool interface: + ![](assets/img-01.png) +Result Export: + +![](assets/img-02.png) + I welcome your suggestions for interesting tools :smile: \ No newline at end of file diff --git a/app/__init__.py b/app/__init__.py index 753a2b9..d2f8043 100644 --- a/app/__init__.py +++ b/app/__init__.py @@ -44,5 +44,5 @@ def update_config(key, value): def audit_code(base_url, api_key, src_root, language, reasoning_model, embedding_model, process_output_callback, result_output_callback, event): audit = Audit(base_url, api_key, reasoning_model, embedding_model, process_output_callback, result_output_callback) - audit.load_source_files(src_root, language) + audit.build_directory_tree(src_root, language) audit.audit(event) diff --git a/assets/img-01.png b/assets/img-01.png index 308b03f..dd71248 100644 Binary files a/assets/img-01.png and b/assets/img-01.png differ diff --git a/assets/img-02.png b/assets/img-02.png new file mode 100644 index 0000000..4507257 Binary files /dev/null and b/assets/img-02.png differ diff --git a/audit/__init__.py b/audit/__init__.py index 9bc8d7d..51b6837 100644 --- a/audit/__init__.py +++ b/audit/__init__.py @@ -1,3 +1,4 @@ +import json import os import re import uuid @@ -12,8 +13,6 @@ from langchain_community.document_transformers import EmbeddingsRedundantFilter from langchain.retrievers import ContextualCompressionRetriever from langchain.retrievers.document_compressors import EmbeddingsFilter, DocumentCompressorPipeline from langchain_text_splitters import CharacterTextSplitter - -from audit.rules import FROTIFY_RULES from logger import Logger from audit import callback from audit.prompt import SYSTEM_PROMPT 
@@ -23,12 +22,12 @@ xml_pattern = r'.*?' class Audit: - def __init__(self, base_url, api_key, reasoning_model, embedding_model, process_output_callback, result_output_callback): + def __init__(self, base_url, api_key, reasoning_model, embedding_model, process_output_callback, + result_output_callback): self.raw_chain = None - self.source_files_list = [] + self.directory_tree = None self.reasoning_model = reasoning_model self.embedding_model = embedding_model - self.fortify_rules = FROTIFY_RULES self.process_output_callback = process_output_callback self.result_output_callback = result_output_callback self.chat_history = ChatMessageHistory() @@ -73,10 +72,6 @@ class Audit: ]) def audit(self, event): - if len(self.source_files_list) <= 0: - self.log.error('没有找到源代码文件') - return - self.log.info('开始代码审计流程') self.log.info(f'当前推理模型:{self.reasoning_model}') self.log.info(f'当前嵌入模型:{self.embedding_model}') @@ -98,10 +93,20 @@ class Audit: if xml_match := re.search(xml_pattern, result, re.DOTALL): try: xml_content = xml_match.group(0) + xml_content = re.sub( + r'()(.*?)()', + r'\1\3', + xml_content, + flags=re.DOTALL + ) + root = ET.fromstring(xml_content) action = root.find('action').text content = root.find('content').text + + if content and content.startswith(''): + content = content[9:-3] except Exception as e: print(result) print(e) 
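Review bot: Dropping the `len(self.source_files_list) <= 0` guard at the top of `audit()` leaves nothing that checks `self.directory_tree` was ever populated: `build_directory_tree` returns early on an unsupported language with the attribute still `None`, and `audit_code` in app/__init__.py (the hunk on this page) calls `audit.audit(event)` unconditionally right after it. The first `QUERY STRUCTURE` then reaches `format_tree(None)`, and the broad `except Exception` added to the dispatch loop below logs it and continues rather than ending the run. Restore an equivalent guard here, `if self.directory_tree is None:` / `self.log.error('没有找到源代码文件')` / `return`; a project that yielded zero matching files still produces a one-key tree, so detecting that case would need a look inside the tree (or a count kept by `build_directory_tree`). The body of `audit()` continues past the end of this hunk.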
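Review bot: The slice `content = content[9:-3]` strips a fixed-width prefix and suffix without naming them, and in this rendering the `startswith('')` argument and the three groups of the `re.sub` pattern appear empty (markup presumably lost in extraction), so a reader of the new code has to count characters to learn what is removed. Name the two markers once next to `xml_pattern` and write the strip as `content = content.removeprefix(WRAP_START).removesuffix(WRAP_END)` (3.9+; the file already relies on the 3.8 walrus), where `WRAP_START`/`WRAP_END` stand for whatever literals the `re.sub` replacement inserts; a comment such as `# undo the wrapper added by the re.sub above so the raw text reaches the caller` would also carry the intent. The `except` branch still reports with `print(result)` / `print(e)` while every other path in this method uses `self.log`, so a rejected model reply is the one event that never reaches the log; `self.log.error(e)` matches the handler in the dispatch block that follows.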
@@ -109,30 +114,35 @@ class Audit: input_content = 'ILLEGAL OUTPUT' continue - if action == 'QUERY STRUCTURE': - self.log.info('请求查询项目结构') - input_content = '\n'.join(x for x in self.source_files_list) + try: + if action == 'QUERY STRUCTURE': + self.log.info('请求查询项目结构') + input_content = self.print_tree(self.directory_tree) + self.store_messages_in_faiss(input_content) + continue + elif action == 'QUERY SOURCE': + self.log.info(f'请求查询源代码:{content}') + input_content = open(content, 'r', encoding='utf-8').read() + self.store_messages_in_faiss(input_content) + continue + elif action == 'OUTPUT RESULT': + self.log.warning('输出代码审计结果') + dict_content = eval(content) + json_content = json.loads(json.dumps(dict_content)) + output_content = f'漏洞类型:{json_content["漏洞类型"]}\n漏洞文件:{json_content["漏洞文件"]}\n相关代码:\n{json_content["相关代码"]}\n修复建议:\n{json_content["修复建议"]}\n' + self.result_output_callback(output_content) + self.store_messages_in_faiss(output_content) + input_content = 'ok' + continue + elif action == 'FINISH TASK': + self.log.info('代码审计任务已完成') + return + else: + self.log.error(f'动作指令未定义:{action}') + return + except Exception as e: + self.log.error(e) continue - elif action == 'QUERY SOURCE': - self.log.info(f'请求查询源代码:{content}') - input_content = open(content, 'r', encoding='utf-8').read() - continue - elif action == 'QUERY FORTIFY': - self.log.info(f'请求查询规则库:{content}') - input_content = '\n'.join(x for x in self.fortify_rules if x == content) - continue - elif action == 'OUTPUT RESULT': - self.log.warning('输出代码审计结果') - self.result_output_callback(content) - self.store_messages_in_faiss(content) - input_content = 'ok' - continue - elif action == 'FINISH TASK': - self.log.info('代码审计任务已完成') - return - else: - self.log.error(f'动作指令未定义:{action}') - return def send_message(self, input_content): self.response_callback.temp_content = '' 
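Review bot: `dict_content = eval(content)` in the `OUTPUT RESULT` branch executes whatever the model returned as Python, and that output is derived from the audited source files, so text in any scanned file can steer the model into emitting an expression with side effects; `ast.literal_eval` accepts the dict literal the prompt asks for without evaluating code, and the `json.loads(json.dumps(dict_content))` round trip after it is a no-op that can go (`import ast` belongs in the import hunk at the top of this file next to the new `import json`). In the `QUERY SOURCE` branch the path in `content` is opened as given, with no check that it lies under the audited root, and the handle from `open(...)` is never closed; the root is available as the single top-level key of `self.directory_tree`. The new `except Exception` handler logs and then hits the context `continue` without assigning `input_content`, so the loop resends whatever `input_content` held from the previous round instead of telling the model its output was rejected; set `input_content = 'ILLEGAL OUTPUT'` there, as the parse-failure path above already does. The loop enclosing these branches begins outside the hunk.
```python
                    elif action == 'QUERY SOURCE':
                        self.log.info(f'请求查询源代码:{content}')
                        # Confine reads to the tree handed to build_directory_tree;
                        # realpath also resolves symlinks that point outside it
                        src_root = os.path.realpath(next(iter(self.directory_tree)))
                        requested = os.path.realpath(content)
                        if os.path.commonpath([src_root, requested]) != src_root:
                            self.log.error(f'路径超出审计范围:{content}')
                            input_content = 'ILLEGAL OUTPUT'
                            continue
                        with open(requested, 'r', encoding='utf-8') as source_file:
                            input_content = source_file.read()
                        self.store_messages_in_faiss(input_content)
                        continue
                    elif action == 'OUTPUT RESULT':
                        self.log.warning('输出代码审计结果')
                        # Literal parse only: names, calls and operators are rejected
                        json_content = ast.literal_eval(content)
                        # … unchanged: output_content formatting, callbacks, input_content = 'ok' …
                    # … unchanged: FINISH TASK and undefined-action branches …
                except Exception as e:
                    self.log.error(e)
                    input_content = 'ILLEGAL OUTPUT'
                    continue
```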
@@ -166,18 +176,58 @@ class Audit: text_embedding = self.embedding.embed_query(message) doc_id = str(uuid.uuid4()) self.messages_db.add_embeddings([(doc_id, text_embedding)], metadatas=[{"id": doc_id}]) - self.log.info(f"代码审计结果已缓存,文档编号:{doc_id}") - def load_source_files(self, path, lang): + def build_directory_tree(self, path, lang): if lang in LANGUAGE: suffixes = LANGUAGE[lang] else: - self.log.error('不支持的编程语言') + self.log.error(f'不支持的语言:{lang}') return - for root, _, files in os.walk(path): - self.source_files_list.extend( - os.path.join(root, file).replace('\\', '/') for file in files if any(file.endswith(suffix) for suffix in suffixes) - ) + absolute_path = os.path.abspath(path).replace('\\', '/') + tree = {absolute_path: {}} - self.log.info(f'源代码文件加载完成,共:{len(self.source_files_list)} 个') + for root, _, files in os.walk(absolute_path): + relative_path = os.path.relpath(root, absolute_path) + current_node = tree[absolute_path] + + if relative_path != '.': + parts = relative_path.split(os.sep) + for part in parts: + if part not in current_node: + current_node[part] = {} + current_node = current_node[part] + + for suffix in suffixes: + lang_files = [file for file in files if file.endswith(suffix)] + if lang_files: + if 'files' not in current_node: + current_node['files'] = [] + + current_node['files'].extend(lang_files) + + self.print_tree(tree) + self.directory_tree = tree + + def format_tree(self, node, level=0): + result = [] + indent = ' ' * level + for key, value in node.items(): + if key == 'files': + for file in value: + result.append(f"{indent}- {file}") + else: + result.append(f"{indent}- {key}/") + if isinstance(value, dict): + result.extend(self.format_tree(value, level + 1)) + + return result + + def print_tree(self, tree): + formatted_str = '' + formatted = self.format_tree(tree) + for line in formatted: + formatted_str += f"{line}\n" + # print(line) + + return formatted_str diff --git a/audit/prompt.py b/audit/prompt.py index 7a7d98f..f3205ee 100644 
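Review bot: `build_directory_tree` stores the matching file names under the string key `'files'` in the same dict that holds subdirectory names, so a subdirectory actually named `files` collides with the list: when the walk reaches it, `current_node = current_node['files']` yields the parent's file list instead of a dict and the next key insert raises `TypeError`, and if the parent had no matching files the subdirectory dict appears to be printed by `format_tree` as though it were a file list. Keeping the file list under a key no directory can have, e.g. a module-level sentinel `FILES_KEY = object()` tested with `key is FILES_KEY` in `format_tree`, removes the ambiguity. The call `self.print_tree(tree)` just before `self.directory_tree = tree` discards its return value and so does nothing; the count log this hunk removes (`源代码文件加载完成`) would be a better use of that line. `print_tree` accumulates with `+=` above a commented-out `print(line)`; `return ''.join(f"{line}\n" for line in self.format_tree(tree))` is the one-line equivalent.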
--- a/audit/prompt.py
+++ b/audit/prompt.py
@@ -1,58 +1,51 @@ SYSTEM_PROMPT = """ You are a professional code audit security expert, responsible for helping users audit possible vulnerabilities and security issues in source code. You will perform code audits according to the following process: - 1. Query project structure -You input the action command in the following format, and the user will send you the absolute path of all source files in the project below: +You input the action command in the following format, and the user will send you the project structure below: QUERY STRUCTURE -2. Query the vulnerability detection rule base -You input the action instructions in the following format, and the user will send you the vulnerability detection rule library extracted from Fortify as a reference for your code audit: - -QUERY FORTIFY -The language you want to query, options are: c, cpp, go, php, jsp, java, python, javascript - - -3. Query the source code +2. Query the source code You input the action command in the following format, and the user will send you the source code you need below: QUERY SOURCE the absolute path of the file you want to query -4. Output code audit results +3. Output code audit results You input the code audit results in the following format, and the user will send you "ok", then you can proceed to the next step of the audit: OUTPUT RESULT the audit results you want to output -5. Finish audit task +4. Finish audit task When you are sure that all source code files have been audited, you can output the action instructions to end the task in the following format: FINISH TASK -All your output can only be one of the five actions mentioned above. Any other form of output is strictly prohibited. +All your output can only be one of the 4 actions mentioned above. Any other form of output is strictly prohibited. Some additional information, which are some specifications when you perform actions: -1. 
The format of the vulnerability detection rule base provided to you is as follows: -{ - 'language': - 'vuln_kingdom': - 'vuln_category': -} +1. The project structure format sent to you is as follows. You need to construct the complete absolute path of the file you want to query based on these hierarchical relationships: +- C:/Users/yvling/Desktop/test/ + - dir_1/ + - 1.php + - dir_2/ + - 2.php + - dir_3/ + - 3.php -2. When you output the code audit results, you must use Chinese output and follow the following format: -漏洞类型: -漏洞文件: -相关代码: -修复建议: +2. When you output the code audit results, you must use Chinese output and follow the following format(Python dict): +{'漏洞类型': 'SQL Injection', '漏洞文件': 'main.java', '相关代码': '```java\nString id=request.getParameter("id");\nres = st.executeQuery("SELECT* FROM\"IWEBSEC\".\"user\" WHERE \"id\"="+id);\n```', '修复建议': 'your suggestions...'} + +Most important: Only output audit results with vulnerabilities, and prohibit output without vulnerabilities! Some Mandatory regulations: 1. Output Format: @@ -73,4 +66,5 @@ Some Mandatory regulations: b. High-risk vulnerabilities (such as injection and RCE) are handled first c. If multiple vulnerabilities are found in the same file, they need to be output multiple times d. For vulnerabilities that may span files, the audit can only begin after the relevant files have been queried as needed + e. Only output audit results with vulnerabilities, and prohibit output without vulnerabilities """ diff --git a/audit/rules.py b/audit/rules.py deleted file mode 100644 index d8b3d0a..0000000 --- a/audit/rules.py +++ /dev/null 
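Review bot: The structure example in item 1 embeds a personal path, `C:/Users/yvling/Desktop/test/`, which ships a local account name in the repository and in every prompt sent to the model; a neutral root such as `/path/to/project/` (a constructed example) shows the hierarchy just as well. Item 2 asks the model for a Python dict literal, which pushes the consumer toward evaluating model text; asking for strict JSON with the same four keys lets the caller use `json.loads` and reject anything that does not parse. The sentence "Only output audit results with vulnerabilities" now appears both as the "Most important" line of this hunk and as rule `e.` added by the second hunk of this file; stating it once avoids the two drifting apart.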
@@ -1,10845 +0,0 @@ -FROTIFY_RULES = [ - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i)(NONCE_KEY|LOGGED_IN_KEY|AUTH_KEY|SECURE_AUTH_KEY)\"\n and fc.arguments[2] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i)(NONCE_KEY|LOGGED_IN_KEY|AUTH_KEY|SECURE_AUTH_KEY)\"\n and arguments[2] is [Expression e:\n e.constantValue is [None:]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i)(NONCE_KEY|LOGGED_IN_KEY|AUTH_KEY|SECURE_AUTH_KEY)\"\n and fc.arguments[2] is [Expression e:\n e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i)(NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|SECURE_AUTH_SALT)\"\n and arguments[2] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None Salt", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and 
fc.arguments[1].constantValue matches \"(?i)(NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|SECURE_AUTH_SALT)\"\n and arguments[2] is [Expression e:\n e.constantValue is [None:]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i)(NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|SECURE_AUTH_SALT)\"\n and arguments[2] is [Expression e:\n e.constantValue == \"\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Android Internal Storage", - "predicate": "\n FunctionCall call:\n call.function is [Function f:\n f.name matches \"put.*\"\n and f.enclosingClass.name == \"android.content.SharedPreferences$Editor\"\n ]\n and call.arguments[0].constantValue matches \"(?i).*token$|^ssn.*|.*ssn$|.social.*security.*|.*encrypt(?!ed).*|plaintext|cleartext|.*creditcard.*|.*card(num|no).*|.*cvv.*|.*pin$\"\n and not call.enclosingClass contains [Function anyFunc:\n anyFunc contains [FunctionCall:\n possibleTargets contains [Function:\n name == \"create\"\n and enclosingClass.supers contains [Class:\n name == \"androidx.security.crypto.EncryptedSharedPreferences\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Android Internal Storage", - "predicate": "\n FunctionCall call:\n call.function is [Function f:\n f.name matches \"put.*\"\n and f.enclosingClass.name == \"android.content.SharedPreferences$Editor\"\n ]\n and call.arguments[0].constantValue matches \"PUT_REGEX_HERE\"\n and not call.enclosingClass contains [Function anyFunc:\n anyFunc contains [FunctionCall:\n possibleTargets contains [Function:\n name == \"create\"\n and enclosingClass.supers contains [Class:\n name == 
\"androidx.security.crypto.EncryptedSharedPreferences\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Android Internal Storage", - "predicate": "\n FunctionCall call:\n call.function is [Function f:\n f.name matches \"put.*\"\n and f.enclosingClass.name == \"android.content.SharedPreferences$Editor\"\n ]\n and call.arguments[0].constantValue matches \"PUT_REGEX_HERE\"\n and not call.enclosingClass contains [Function anyFunc:\n anyFunc contains [FunctionCall:\n possibleTargets contains [Function:\n name == \"create\"\n and enclosingClass.supers contains [Class:\n name == \"androidx.security.crypto.EncryptedSharedPreferences\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Android Internal Storage", - "predicate": "\n FunctionCall call:\n call.function is [Function f:\n f.name matches \"put.*\"\n and f.enclosingClass.name == \"android.content.SharedPreferences$Editor\"\n ]\n and call.arguments[0].constantValue matches \"(?i).*pass(wd|word|phrase).*|.*token$|^ssn.*|.*ssn$|.social.*security.*|.*encrypt(?!ed).*|plaintext|cleartext|.*creditcard.*|.*card(num|no).*|.*cvv.*|.*pin$\"\n and not call.enclosingClass contains [Function anyFunc:\n anyFunc contains [FunctionCall:\n possibleTargets contains [Function:\n name == \"create\"\n and enclosingClass.supers contains [Class:\n name == \"androidx.security.crypto.EncryptedSharedPreferences\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n (constructor or name == \"init^\")\n and enclosingClass.supers contains [Class:\n name == \"androidx.credentials.CreatePasswordRequest\"\n ]\n ]\n and arguments[1] is [Expression:\n 
constantValue == \"\"\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n (constructor or name == \"init^\")\n and enclosingClass.supers contains [Class:\n name == \"androidx.credentials.CreatePasswordRequest\"\n ]\n ]\n and arguments[1] is [Expression:\n constantValue matches \".+\"\n and not constantValue is [None:]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privilege Management", - "vuln_subcategory": "Overriding Permission Verification", - "predicate": "\n FunctionCall fc: fc.function is [Function f: f.name == \"invoke\" and f.enclosingClass is [Class: name == \"android.webkit.GeolocationPermissions$Callback\"]] and\n fc.enclosingFunction is [Function: name == \"onGeolocationPermissionsShowPrompt\" and enclosingClass.supers contains [Class: name == \"android.webkit.WebChromeClient\"]] and\n fc.arguments[1] is [BooleanLiteral b: b.value is true]*\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "Android Permission Check", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"checkCallingOrSelf(Uri)?Permission\" and\n f.enclosingClass.name matches \"android\\.content\\.(Context|ContextWrapper)\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Code Injection", - "predicate": "\n FunctionCall fc: fc.function.name == \"addJavascriptInterface\" and fc.function.enclosingClass.name == \"android.webkit.WebView\"\n and fc.arguments[0].type.definition is [Class c: c.labels contains \"AndroidJavascriptVulnerable\"]*\n\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - 
"vuln_subcategory": "Android Permission Check", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"checkCallingOrSelf(Uri)?Permission(s)?\" and\n f.enclosingClass.name matches \"android\\.content\\.(Context|ContextWrapper)\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Overly Broad Certificate Trust", - "predicate": "\n ReturnStatement:\n enclosingFunction is [Function:\n name == \"getAcceptedIssuers\"\n and enclosingClass.directSupers contains [Class:\n name == \"javax.net.ssl.X509TrustManager\"\n ]\n ]\n and expression is [NoneLiteral: ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Android Socket", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"createSocket\" and\n f.enclosingClass.name == \"android.net.SSLCertificateSocketFactory\"] and\n call.arguments[0].type.name is \"java.net.InetAddress\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Android Socket", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"getInsecure\" and\n f.enclosingClass.name == \"android.net.SSLCertificateSocketFactory\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Android Customized Implementation", - "predicate": "\n Class c: c.supers contains [Class sc: sc.name matches \"javax\\.net\\.ssl\\.X509TrustManager|org\\.apache\\.http\\.conn\\.ssl\\.SSLSocketFactory\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n\n FunctionCall call : call.function is [Function f: f.name matches \"fromParts\" and\n f.enclosingClass.name matches 
\"android\\.net\\.Uri\"] and\n call.arguments[0].constantValue is [String s: s matches \"(?i)http.*\" ]\n\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n\n FunctionCall call : call.function is [Function f: f.name matches \"fromParts\" and\n f.enclosingClass.name matches \"android\\.net\\.Uri\"] and\n call.arguments[0].constantValue is [String s: s matches \"(?i)http.*\" ]\n\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Insecure Storage", - "vuln_subcategory": "Android World Readable or Writeable", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(getSharedPreferences|getDir|openFileOutput|openOrCreateDatabase)\" and\n f.enclosingClass.name matches \"android\\.content\\.(Context|ContextWrapper)\"] and\n (call.arguments[1].constantValue matches \"1|2\" or call.arguments[1] is [Operation o: o.lhs.constantValue matches \"1|2\"\n or o.rhs.constantValue matches \"1|2\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Unreleased Resource", - "vuln_subcategory": "Android SQLite Database", - "predicate": "\n /* An Android Activity class */\n Class: supers contains [Class: name is \"android.app.Activity\"] and\n /* ...that invokes the SQLiteOpenHelper class */\n contains [Function: reaches [Function:\n constructor and\n enclosingClass.name is \"android.database.sqlite.SQLiteOpenHelper\"]* ] and\n /* ...but does not have a stop/destroy method to properly close the connection */\n not contains [Function: name matches \"on(Stop|Destroy)\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Unreleased Resource", - "vuln_subcategory": "Android SQLite Database", - "predicate": "\n /* Find the pause/stop/destroy callback */\n Function: name matches \"on(Pause|Stop|Destroy)\" and\n /* ...of an Android Activity 
class */\n enclosingClass.supers contains [Class: name is \"android.app.Activity\"] and\n /* ...that invokes the SQLiteOpenHelper class */\n enclosingClass contains [Function: reaches [Function:\n constructor and\n enclosingClass.name is \"android.database.sqlite.SQLiteOpenHelper\"]* ] and\n /* ...but never invokes close() upon terminating the Activity */\n not reaches [Function:\n name is \"close\" and\n enclosingClass.name is \"android.database.sqlite.SQLiteOpenHelper\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Unreleased Resource", - "vuln_subcategory": "Android Media", - "predicate": "\n /* An Android Activity class */\n Class: supers contains [Class: name is \"android.app.Activity\"] and\n /* ...that constructs a media object */\n contains [Function: reaches [Function:\n (constructor or name is \"create\") and\n enclosingClass.name matches \"android\\.media\\.(MediaRecorder|MediaPlayer|AudioRecord)\"]* ] and\n /* ...but does not have a stop/destroy method to properly release the resource */\n not contains [Function: name matches \"on(Stop|Destroy)\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Unreleased Resource", - "vuln_subcategory": "Android Media", - "predicate": "\n /* Find the pause/stop/destroy callback */\n Function: name matches \"on(Pause|Stop|Destroy)\" and\n /* ...of an Android Activity class */\n enclosingClass.supers contains [Class: name is \"android.app.Activity\"] and\n /* ...that constructs a media object */\n enclosingClass contains [Function: reaches [Function:\n (constructor or name is \"create\") and\n enclosingClass.name matches \"android\\.media\\.(MediaRecorder|MediaPlayer|AudioRecord)\"]* ] and\n /* ...but never invokes release() upon terminating the Activity */\n not reaches [Function:\n name is \"release\" and\n enclosingClass.name matches \"android\\.media\\.(MediaRecorder|MediaPlayer|AudioRecord)\"]\n " - }, - { - "language": "java", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Privilege Management", - "vuln_subcategory": "Missing API Permission", - "predicate": "\n // anything that passes validation. Will be replaced or deleted entirely.\n FunctionCall call: name == \"_FORTIFY_NON_EXISTENT_\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privilege Management", - "vuln_subcategory": "Missing API Permission", - "predicate": "\n // anything that passes validation. Will be replaced or deleted entirely.\n FunctionCall call: name == \"_FORTIFY_NON_EXISTENT_\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privilege Management", - "vuln_subcategory": "Missing API Permission", - "predicate": "\n // anything that passes validation. Will be replaced or deleted entirely.\n FunctionCall call: name == \"_FORTIFY_NON_EXISTENT_\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Android Bad Practices", - "vuln_subcategory": "Leftover Debug Code", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name == \"setWebContentsDebuggingEnabled\"\n and enclosingClass.supers contains [Class:\n name == \"android.webkit.WebView\"\n ]\n ]\n and arguments[0].constantValue is [Boolean: is true]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n Class:\n functions contains [Function:\n name == \"onReceivedSslError\"\n and enclosingClass.supers contains [Class:\n name == \"android.webkit.WebViewClient\"\n ]\n and reaches [Function:\n contains [FunctionCall:\n possibleTargets contains [Function:\n name == \"proceed\"\n and enclosingClass.supers contains [Class:\n name == \"android.webkit.SslErrorHandler\"\n ]\n ]\n ]\n ]\n and not reaches [Function:\n contains [FunctionCall:\n possibleTargets contains [Function:\n name 
== \"cancel\"\n and enclosingClass.supers contains [Class:\n name == \"android.webkit.SslErrorHandler\"\n ]\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Android Bad Practices", - "vuln_subcategory": "Encryption Secret Held in Static Field", - "predicate": "\n Field f:\n static\n and type.definition.supers contains [Class:\n name == \"javax.crypto.SecretKey\"\n or name == \"javax.crypto.spec.AlgorithmParameterSpec\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - "predicate": "\n Class exportActivity: /* TEMPLATED */\n functions contains [Function:\n contains [FunctionCall:\n function.name matches \"getExtras|get(Boolean|Bundle|Byte|Char|CharSequence|Double|Float|Int|IntegerArrayList|Long|Parcelable|Serializable|Short|String|StringArrayList)?(Array)?Extra\"\n ]*\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Fragment Injection", - "vuln_subcategory": None, - "predicate": "\n Class exportedActivity: /* TEMPLATED */\n supers contains [Class:\n name == \"android.preference.PreferenceActivity\"\n ]\n and (\n /* since it must be implemented, it indicates its a pre-KitKat app */\n not functions contains [Function:\n name == \"isValidFragment\"\n ]\n /* function always returns true in at least one path. 
No whitelisting is applied */\n or functions contains [Function:\n name == \"isValidFragment\"\n and contains [ReturnStatement:\n /* see bug 57773 */\n expression.constantValue is [Boolean: is true]\n or expression is [VariableAccess:\n variable is [Variable:\n uses contains [VariableAccess va:\n enclosingStatement is [AssignmentStatement:\n lhs is [VariableAccess va2: va2 is va]\n and rhs.constantValues contains [Boolean: is true]\n ]\n ]\n ]\n ]\n ]\n ]\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Android Bad Practices", - "vuln_subcategory": "Leftover Debug Code", - "predicate": "\n FunctionCall fc:\n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass is [Class:\n name == \"android.os.StrictMode.ThreadPolicy.Builder\"\n ]\n ]\n or function is [Function:\n name == \"forName\"\n and enclosingClass.supers contains [Class:\n name == \"java.lang.Class\"\n ]\n and fc.arguments[0].constantValue == \"android.os.StrictMode\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: \n \tfa.field.name matches \"(?i)token|pin\"\n \tand not fa.field.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n \tand fa in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === fa.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand rhs.constantValue == \"\"\n \t]\n \tand fa.field is [Field f:]*\n and (\n fa.field.type.name == \"java.lang.String\"\n or fa.field.type.name == \"java.lang.StringBuffer\"\n or fa.field.type.name == \"byte\"\n or fa.field.type.name == \"char\"\n or fa.field.type.name == \"kotlin.String\"\n or fa.field.type.name == \"kotlin.ByteArray\"\n or fa.field.type.name == \"kotlin.CharArray\"\n )\n \tand not fa.field.annotations contains [Annotation: \n 
\t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t] \n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: \n \tfa.field.name matches \"(?i)(.*token$|.*pin$)\"\n \tand not fa.field.name matches \"(?i)token|pin\"\n \tand fa in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === fa.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand rhs.constantValue == \"\"\n \t]\n \tand fa.field is [Field f:]*\n and (\n fa.field.type.name == \"java.lang.String\"\n or fa.field.type.name == \"java.lang.StringBuffer\"\n or fa.field.type.name == \"byte\"\n or fa.field.type.name == \"char\"\n or fa.field.type.name == \"kotlin.String\"\n or fa.field.type.name == \"kotlin.ByteArray\"\n or fa.field.type.name == \"kotlin.CharArray\"\n )\n \tand not fa.field.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t\tor type == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: \n \tva.variable.name matches \"(?i)token|pin\"\n \tand not va.variable.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n \tand va in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === va.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand rhs.constantValue == \"\"\n \t]\n \tand va.variable is [Variable v:]*\n and (\n va.variable.type.name == \"java.lang.String\"\n or va.variable.type.name == \"java.lang.StringBuffer\"\n or va.variable.type.name == \"byte\"\n or va.variable.type.name == \"char\"\n or va.variable.type.name == \"kotlin.String\"\n or va.variable.type.name == 
\"kotlin.ByteArray\"\n or va.variable.type.name == \"kotlin.CharArray\"\n )\n \tand not va.variable.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: \n \tva.variable.name matches \"(?i)(.*token$|.*pin$)\"\n \tand not va.variable.name matches \"(?i)token|pin\"\n \tand va in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === va.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand rhs.constantValue == \"\"\n \t]\n \tand va.variable is [Variable v:]*\n and (\n va.variable.type.name == \"java.lang.String\"\n or va.variable.type.name == \"java.lang.StringBuffer\"\n or va.variable.type.name == \"byte\"\n or va.variable.type.name == \"char\"\n or va.variable.type.name == \"kotlin.String\"\n or va.variable.type.name == \"kotlin.ByteArray\"\n or va.variable.type.name == \"kotlin.CharArray\"\n )\n \tand not va.variable.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t\tor type == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: \n \tfa.field.name matches \"(?i)token|pin\"\n \tand not fa.field.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n \tand not fa.sourceLocation.None\n \tand not fa.field.sourceLocation.None\n \tand fa.sourceLocation.startLine != fa.field.sourceLocation.startLine\n \tand fa in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === fa.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand rhs.constantValue is [None:]\n 
\t]\n \tand fa.field is [Field f:]*\n and (\n fa.field.type.name == \"java.lang.String\"\n or fa.field.type.name == \"java.lang.StringBuffer\"\n or fa.field.type.name == \"byte\"\n or fa.field.type.name == \"char\"\n or fa.field.type.name == \"kotlin.String\"\n or fa.field.type.name == \"kotlin.ByteArray\"\n or fa.field.type.name == \"kotlin.CharArray\"\n )\n \tand not fa.field.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t] \n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: \n \tfa.field.name matches \"(?i)(.*token$|.*pin$)\"\n \tand not fa.field.name matches \"(?i)token|pin\"\n \tand not fa.sourceLocation.None\n \tand not fa.field.sourceLocation.None\n \tand fa.sourceLocation.startLine != fa.field.sourceLocation.startLine\n \tand fa in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === fa.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand rhs.constantValue is [None:]\n \t]\n \tand fa.field is [Field f:]*\n and (\n fa.field.type.name == \"java.lang.String\"\n or fa.field.type.name == \"java.lang.StringBuffer\"\n or fa.field.type.name == \"byte\"\n or fa.field.type.name == \"char\"\n or fa.field.type.name == \"kotlin.String\"\n or fa.field.type.name == \"kotlin.ByteArray\"\n or fa.field.type.name == \"kotlin.CharArray\"\n )\n \tand not fa.field.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t\tor type == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: \n \tva.variable.name matches \"(?i)token|pin\"\n \tand not va.variable.annotations contains [Annotation: \n \t\ttype == 
T\"com.fortify.annotations.FortifyPassword\"\n \t]\n \tand not va.sourceLocation.None\n \tand not va.variable.sourceLocation.None\n \tand va.sourceLocation.startLine != va.variable.sourceLocation.startLine\n \tand va in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === va.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand rhs.constantValue is [None:]\n \t]\n \tand va.variable is [Variable v:]*\n and (\n va.variable.type.name == \"java.lang.String\"\n or va.variable.type.name == \"java.lang.StringBuffer\"\n or va.variable.type.name == \"byte\"\n or va.variable.type.name == \"char\"\n or va.variable.type.name == \"kotlin.String\"\n or va.variable.type.name == \"kotlin.ByteArray\"\n or va.variable.type.name == \"kotlin.CharArray\"\n )\n \tand not va.variable.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t] \n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: \n \tva.variable.name matches \"(?i)(.*token$|.*pin$)\"\n \tand not va.variable.name matches \"(?i)token|pin\"\n \tand not va.sourceLocation.None\n \tand not va.variable.sourceLocation.None\n \tand va.sourceLocation.startLine != va.variable.sourceLocation.startLine\n \tand va in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === va.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand rhs.constantValue is [None:]\n \t]\n \tand va.variable is [Variable v:]*\n and (\n va.variable.type.name == \"java.lang.String\"\n or va.variable.type.name == \"java.lang.StringBuffer\"\n or va.variable.type.name == \"byte\"\n or va.variable.type.name == \"char\"\n or va.variable.type.name == \"kotlin.String\"\n or va.variable.type.name == \"kotlin.ByteArray\"\n or va.variable.type.name == \"kotlin.CharArray\"\n )\n and not 
va.variable.annotations contains [Annotation: \n type == T\"com.fortify.annotations.FortifyNotPassword\"\n or type == T\"com.fortify.annotations.FortifyPassword\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: \n \tfa.field.name matches \"(?i)token|pin\"\n \tand not fa.field.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n \tand fa in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === fa.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand not rhs.constantValue is [None:]\n \t\tand not rhs.constantValue == \"\"\n \t]\n \tand fa.field is [Field f:]*\n and (\n fa.field.type.name == \"java.lang.String\"\n or fa.field.type.name == \"java.lang.StringBuffer\"\n or fa.field.type.name == \"byte\"\n or fa.field.type.name == \"char\"\n or fa.field.type.name == \"kotlin.String\"\n or fa.field.type.name == \"kotlin.ByteArray\"\n or fa.field.type.name == \"kotlin.CharArray\"\n )\n \tand not fa.field.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: \n \tfa.field.name matches \"(?i)(.*token$|.*pin$)\"\n \tand not fa.field.name matches \"(?i)token|pin\"\n \tand fa in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === fa.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand not rhs.constantValue is [None:]\n \t\tand not rhs.constantValue == \"\"\n \t]\n \tand fa.field is [Field f:]*\n and (\n fa.field.type.name == \"java.lang.String\"\n or fa.field.type.name == \"java.lang.StringBuffer\"\n or fa.field.type.name == \"byte\"\n or 
fa.field.type.name == \"char\"\n or fa.field.type.name == \"kotlin.String\"\n or fa.field.type.name == \"kotlin.ByteArray\"\n or fa.field.type.name == \"kotlin.CharArray\"\n ) and not fa.field.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t\tor type == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: \n \tva.variable.name matches \"(?i)token|pin\"\n \tand not va.variable.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyPassword\"\n \t]\n \tand va in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === va.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand not rhs.constantValue is [None:]\n \t\tand not rhs.constantValue == \"\"\n \t]\n \tand va.variable is [Variable v:]*\n and ( \n va.variable.type.name == \"java.lang.String\"\n or va.variable.type.name == \"java.lang.StringBuffer\"\n or va.variable.type.name == \"byte\"\n or va.variable.type.name == \"char\"\n or va.variable.type.name == \"kotlin.String\"\n or va.variable.type.name == \"kotlin.ByteArray\"\n or va.variable.type.name == \"kotlin.CharArray\"\n ) and not va.variable.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t] \n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: \n \tva.variable.name matches \"(?i)(.*token$|.*pin$)\"\n \tand not va.variable.name matches \"(?i)token|pin\"\n \tand va in [AssignmentStatement: \n \t\tlhs.location is [Location l: \n \t\t\tl.transitiveBase === va.transitiveBase\n \t\t]\n \t\tand not rhs.constantValue.None\n \t\tand not rhs.constantValue is 
[None:]\n \t\tand not rhs.constantValue == \"\"\n \t]\n \tand va.variable is [Variable v:]*\n \tand (va.variable.type.name == \"java.lang.String\"\n \tor va.variable.type.name == \"java.lang.StringBuffer\"\n \tor va.variable.type.name == \"byte\"\n or va.variable.type.name == \"char\"\n or va.variable.type.name == \"kotlin.String\"\n or va.variable.type.name == \"kotlin.ByteArray\"\n or va.variable.type.name == \"kotlin.CharArray\")\n \tand not va.variable.annotations contains [Annotation: \n \t\ttype == T\"com.fortify.annotations.FortifyNotPassword\"\n \t\tor type == T\"com.fortify.annotations.FortifyPassword\"\n \t] \n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: \n call.function is [Function f: \n f.enclosingClass.supers contains [Class c: c.name == \"java.lang.String\" or c.name == \"kotlin.String\"] \n and (f.name == \"contentEquals\" or f.name matches \"(compareTo|equals)(IgnoreCase)?\")\n ] and ( \n ( \n call.instance is [VariableAccess val: \n val.variable.name matches \"(?i)(.*token$|.*pin$)\"\n and not val.variable.name matches \"(?i)token|pin\"\n and not val.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"\n ]\n ] \n and not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: \n var.variable.name matches \"(?i)(.*token$|.*pin$)\"\n and not var.variable.name matches \"(?i)token|pin\"\n and var.variable.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not var.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == 
T\"com.fortify.annotations.FortifyNotPassword\"\n ]\n ] \n and not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ) or ( \n call.instance is [FieldAccess fal: \n fal.field.name matches \"(?i)(.*token$|.*pin$)\"\n and not fal.field.name matches \"(?i)token|pin\"\n and not fal.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"\n ]\n ] \n and not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or ( \n call.arguments[0] is [FieldAccess far: \n far.field.name matches \"(?i)(.*token$|.*pin$)\" \n and not far.field.name matches \"(?i)token|pin\" \n and far.field.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not far.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"\n ] \n ]\n and not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n )\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: \n call.function is [Function f: \n f.enclosingClass.supers contains [Class c: c.name == \"java.lang.String\" or c.name == \"kotlin.String\"] \n and (f.name == \"contentEquals\" or f.name matches \"(compareTo|equals)(IgnoreCase)?\")\n ] \n and (\n (\n call.instance is [VariableAccess val:\n val.variable.name matches \"(?i)token|pin\"\n and not val.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]\n and not val.variable.annotations contains [Annotation: type == 
T\"com.fortify.annotations.FortifyNotPassword\"]\n ] \n and not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or ( \n call.arguments[0] is [VariableAccess var:\n var.variable.name matches \"(?i)token|pin\" \n and not var.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]\n and var.variable.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not var.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"]\n ] \n and not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ) or ( \n call.instance is [FieldAccess fal:\n fal.field.name matches \"(?i)token|pin\" \n and not fal.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]\n and not fal.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"]\n ] \n and not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or ( \n call.arguments[0] is [FieldAccess far:\n far.field.name matches \"(?i)token|pin\"\n and not far.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"] \n and far.field.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not far.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"]\n ] \n and not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n )\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": 
"Erroneous Zero Value", - "predicate": "\n VariableAccess va:\n (va.variable is [Variable v: annotations contains\n [Annotation a: type == T\"com.fortify.annotations.FortifyNonZero\"]]) and\n (va in [AssignmentStatement:\n (lhs is va) and not\n (rhs.partialConstantValues contains [Number: == 0])])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Erroneous Zero Value", - "predicate": "\n FieldAccess fa:\n (fa.field is [Field f: annotations contains\n [Annotation a: type == T\"com.fortify.annotations.FortifyNonZero\"]]) and\n (fa in [AssignmentStatement:\n (lhs is fa) and not\n (rhs.partialConstantValues contains [Number: == 0])])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Erroneous Negative Value", - "predicate": "\n VariableAccess va:\n (va.variable is [Variable v: annotations contains\n [Annotation a: type == T\"com.fortify.annotations.FortifyNonNegative\"]]) and\n (va in [AssignmentStatement:\n (lhs is va) and not\n (rhs.partialConstantValues contains [Number: < 0])])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Erroneous Negative Value", - "predicate": "\n FieldAccess fa:\n (fa.field is [Field f: annotations contains\n [Annotation a: type == T\"com.fortify.annotations.FortifyNonNegative\"]]) and\n (fa in [AssignmentStatement:\n (lhs is fa) and not\n (rhs.partialConstantValues contains [Number: < 0])])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Field", - "vuln_subcategory": None, - "predicate": "\n FieldAccess fa: field is [Field f: annotations contains\n [Annotation a:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement: key==\"value\" and value is [String s: s matches \"(?i)high\"]]]]\n " - }, - { - "language": 
"java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Field", - "vuln_subcategory": None, - "predicate": "\n FieldAccess fa: field is [Field f: annotations contains\n [Annotation a:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement: key==\"value\" and value is [String s: s matches \"(?i)hot|critical\"]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Field", - "vuln_subcategory": None, - "predicate": "\n FieldAccess fa: field is [Field f: annotations contains\n [Annotation a:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n (\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)medium\"]\n ]\n or \n elements.length == 0\n )\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Field", - "vuln_subcategory": None, - "predicate": "\n FieldAccess fa: field is [Field f: annotations contains\n [Annotation a:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement: key==\"value\" and value is [String s: s matches \"(?i)info|low\"]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.function is\n [Function f: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement : key == \"value\" and value is [String s: s matches \"(?i)high\"]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.function is\n [Function f: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement : key == \"value\" and value is [String s: 
s matches \"(?i)hot|critical\"]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.function is\n [Function f: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n (\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)medium\"]\n ]\n or \n elements.length == 0\n )\n ]\n ]\n \n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.function is\n [Function f: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement : key == \"value\" and value is [String s: s matches \"(?i)info|low\"]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Function f:\n (parameters contains [Variable v: type is\n [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)info|low\"]]]]]])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Function f:\n (returnType is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)info|low\"]]]]])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Field f: type is [Type t: definition is\n [Class c: 
annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)info|low\"]]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Variable v: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)info|low\"]]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Function f:\n parameters contains [Variable v: type is\n [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n (\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)medium\"]\n ]\n or \n elements.length == 0\n )\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Function f:\n returnType is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n (\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)medium\"]\n ]\n or \n elements.length == 0\n )\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Field f: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n (\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String 
s: s matches \"(?i)medium\"]\n ]\n or \n elements.length == 0\n )\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Variable v: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n (\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)medium\"]\n ]\n or \n elements.length == 0\n )\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Function f:\n (parameters contains [Variable v: type is\n [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)high\"]]]]]])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Function f:\n (parameters contains [Variable v: type is\n [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)hot|critical\"]]]]]])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Function f:\n (returnType is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)high\"]]]]])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - 
"vuln_subcategory": None, - "predicate": "\n Function f:\n (returnType is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)hot|critical\"]]]]])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Field f: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)high\"]]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Field f: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)hot|critical\"]]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Variable v: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)high\"]]]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Dangerous Type", - "vuln_subcategory": None, - "predicate": "\n Variable v: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation:\n type == T\"com.fortify.annotations.FortifyDangerous\" and\n elements contains [AnnotationElement :\n key == \"value\" and\n value is [String s: s matches \"(?i)hot|critical\"]]]]]\n 
" - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement:\n lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*] and\n enclosingClass.supers contains\n [Class: annotations contains [Annotation: type == T\"com.google.inject.Singleton\"]] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or\n /* EXCEPTION: enclosing function takes ServletConfig as one of its parameters */\n (parameterTypes.length > 0 and parameterTypes contains [name == \"javax.servlet.ServletConfig\"]) or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and\n (callers.length == 0 or callers contains [constructor]) and\n not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"])]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Immutable Classes", - "vuln_subcategory": "Field Mutation", - "predicate": "\n FunctionCall call:\n (call.instance.location is [FieldAccess fa:\n fa.field.enclosingClass.annotations contains\n [Annotation: type == T\"net.jcip.annotations.Immutable\"] and\n fa.field.type.definition.supers contains\n [Class: name is \"java.util.Collections\"]]) and\n (call.function.name matches \"add.*\" or\n call.function.name matches \"remove.*\" or\n call.function.name matches \"retain.*\" or\n call.function.name matches \"set.*\" or\n 
call.function.name matches \"put.*\" or\n call.function.name == \"clear\" or\n call.function.name == \"poll\" or\n call.function.name == \"offer\") and\n not (call.enclosingFunction.constructor or\n call.enclosingFunction.destructor or\n call.enclosingFunction.name == \"init^\")\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Immutable Classes", - "vuln_subcategory": "Public Mutable Fields", - "predicate": "\n Field f:\n f.enclosingClass.annotations contains\n [Annotation: type == T\"net.jcip.annotations.Immutable\"] and\n f.type.definition.supers contains\n [Class: name is \"java.util.Collection\"] and\n f.public\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Immutable Classes", - "vuln_subcategory": "Non-final Fields", - "predicate": "\n Field f:\n f.enclosingClass.annotations contains\n [Annotation: type == T\"net.jcip.annotations.Immutable\"] and\n not f.final\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Obsolete", - "vuln_subcategory": None, - "predicate": "\n FieldAccess fa: field is [Field f: annotations contains\n [Annotation a: type == T\"java.lang.Deprecated\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Obsolete", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.function is\n [Function f: annotations contains\n [Annotation : type == T\"java.lang.Deprecated\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Obsolete", - "vuln_subcategory": None, - "predicate": "\n Function f:\n (returnType is [Type t1: definition is\n [Class c1: annotations contains\n [Annotation: type == T\"java.lang.Deprecated\"]]]) or\n (parameters contains [Variable v: type is\n [Type t2: definition is\n [Class c2: annotations contains\n [Annotation: type == T\"java.lang.Deprecated\"]]]])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - 
"vuln_category": "Obsolete", - "vuln_subcategory": None, - "predicate": "\n Field f: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation: type == T\"java.lang.Deprecated\"]]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Obsolete", - "vuln_subcategory": None, - "predicate": "\n Variable v: type is [Type t: definition is\n [Class c: annotations contains\n [Annotation: type == T\"java.lang.Deprecated\"]]]\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"PUT_REGEX_HERE\" and fal.field.type.name == \"char\"] and\n call.arguments[0].constantValue is [None:]\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"PUT_REGEX_HERE\" and far.field.type.name == \"char\"] and\n call.arguments[1].constantValue is [None:]\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"PUT_REGEX_HERE\" and val.variable.type.name == \"char\"] and\n call.arguments[0].constantValue is [None:]\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"PUT_REGEX_HERE\" and var.variable.type.name == \"char\"] and\n call.arguments[1].constantValue is [None:]\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"PUT_REGEX_HERE\" and fal.field.type.name == \"char\"] and\n call.arguments[0].constantValue is [None:]\n ) or (\n call.arguments[0] is 
[FieldAccess far: far.field.name matches \"PUT_REGEX_HERE\" and far.field.type.name == \"char\"] and\n call.arguments[1].constantValue is [None:]\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"PUT_REGEX_HERE\" and val.variable.type.name == \"char\"] and\n call.arguments[0].constantValue is [None:]\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"PUT_REGEX_HERE\" and var.variable.type.name == \"char\"] and\n call.arguments[1].constantValue is [None:]\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"(?i)pass(wd|word)\" and fal.field.type.name == \"char\"] and\n call.arguments[0].constantValue is [None:]\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"(?i)pass(wd|word)\" and far.field.type.name == \"char\"] and\n call.arguments[1].constantValue is [None:]\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"(?i)pass(wd|word)\" and val.variable.type.name == \"char\"] and\n call.arguments[0].constantValue is [None:]\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"(?i)pass(wd|word)\" and var.variable.type.name == \"char\"] and\n call.arguments[1].constantValue is [None:]\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " 
- }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches 
\"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"PUT_REGEX_HERE\" and fal.field.type.name == \"char\"] and\n call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"PUT_REGEX_HERE\" and far.field.type.name == \"char\"] and\n call.arguments[1].constantValue == \"\"\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"PUT_REGEX_HERE\" and val.variable.type.name == \"char\"] and\n call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"PUT_REGEX_HERE\" and var.variable.type.name == \"char\"] and\n call.arguments[1].constantValue == \"\"\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"PUT_REGEX_HERE\" and fal.field.type.name == \"char\"] and\n call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"PUT_REGEX_HERE\" and far.field.type.name == \"char\"] and\n call.arguments[1].constantValue == \"\"\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"PUT_REGEX_HERE\" and 
val.variable.type.name == \"char\"] and\n call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"PUT_REGEX_HERE\" and var.variable.type.name == \"char\"] and\n call.arguments[1].constantValue == \"\"\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"(?i)pass(wd|word)\" and fal.field.type.name == \"char\"] and\n call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"(?i)pass(wd|word)\" and far.field.type.name == \"char\"] and\n call.arguments[1].constantValue == \"\"\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"(?i)pass(wd|word)\" and val.variable.type.name == \"char\"] and\n call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"(?i)pass(wd|word)\" and var.variable.type.name == \"char\"] and\n call.arguments[1].constantValue == \"\"\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n or ( rhs.constantValue == 0 and lhs.location is [ArrayAccess aa: aa.index.constantValue == 0 ])\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n 
FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n or ( rhs.constantValue == 0 and lhs.location is [ArrayAccess aa: aa.index.constantValue == 0 ])\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n or ( rhs.constantValue == 0 and lhs.location is [ArrayAccess aa: aa.index.constantValue == 0 ])\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n or ( rhs.constantValue == 0 and lhs.location is [ArrayAccess aa: aa.index.constantValue == 0 ])\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n or ( rhs.constantValue == 0 and lhs.location is [ArrayAccess aa: aa.index.constantValue == 0 ])\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, 
- { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n or ( rhs.constantValue == 0 and lhs.location is [ArrayAccess aa: aa.index.constantValue == 0 ])\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"PUT_REGEX_HERE\" and fal.field.type.name == \"char\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"PUT_REGEX_HERE\" and far.field.type.name == \"char\"] and\n not call.arguments[1].constantValue.None and\n not call.arguments[1].constantValue is [None:] and\n not call.arguments[1].constantValue == \"\"\n ) or (\n call.arguments[1] is [VariableAccess val: 
val.variable.name matches \"PUT_REGEX_HERE\" and val.variable.type.name == \"char\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"PUT_REGEX_HERE\" and var.variable.type.name == \"char\"] and\n not call.arguments[1].constantValue.None and\n not call.arguments[1].constantValue is [None:] and\n not call.arguments[1].constantValue == \"\"\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"PUT_REGEX_HERE\" and fal.field.type.name == \"char\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"PUT_REGEX_HERE\" and far.field.type.name == \"char\"] and\n not call.arguments[1].constantValue.None and\n not call.arguments[1].constantValue is [None:] and\n not call.arguments[1].constantValue == \"\"\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"PUT_REGEX_HERE\" and val.variable.type.name == \"char\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"PUT_REGEX_HERE\" and var.variable.type.name == \"char\"] and\n not call.arguments[1].constantValue.None and\n not call.arguments[1].constantValue is [None:] and\n not call.arguments[1].constantValue == \"\"\n ))\n " - }, - { - "language": "cpp", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"(?i)pass(wd|word)\" and fal.field.type.name == \"char\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"(?i)pass(wd|word)\" and far.field.type.name == \"char\"] and\n not call.arguments[1].constantValue.None and\n not call.arguments[1].constantValue is [None:] and\n not call.arguments[1].constantValue == \"\"\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"(?i)pass(wd|word)\" and val.variable.type.name == \"char\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"(?i)pass(wd|word)\" and var.variable.type.name == \"char\"] and\n not call.arguments[1].constantValue.None and\n not call.arguments[1].constantValue is [None:] and\n not call.arguments[1].constantValue == \"\"\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is [ArrayAccess aa1: aa1.base is\n [VariableAccess val: val.variable.name matches \"PUT_REGEX_HERE\"]\n and aa1.type is T\"char*\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not 
operation.rhs.constantValue == 0\n ) or (\n operation.rhs.location is [ArrayAccess aa2: aa2.base is\n [VariableAccess var: var.variable.name matches \"PUT_REGEX_HERE\"]\n and aa2.type == T\"char\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue == 0\n ) or (\n operation.lhs.location is [ArrayAccess aa3: aa3.base is\n [FieldAccess fal: fal.field.name matches \"PUT_REGEX_HERE\"]\n and aa3.type == T\"char\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue == 0\n ) or (\n operation.rhs.location is [ArrayAccess aa4: aa4.base is\n [FieldAccess far: far.field.name matches \"PUT_REGEX_HERE\"]\n and aa4.type == T\"char\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue == 0\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is [ArrayAccess aa1: aa1.base is\n [VariableAccess val: val.variable.name matches \"PUT_REGEX_HERE\"]\n and aa1.type is T\"char*\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue == 0\n ) or (\n operation.rhs.location is [ArrayAccess aa2: aa2.base is\n [VariableAccess var: var.variable.name matches \"PUT_REGEX_HERE\"]\n and aa2.type == T\"char\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not 
operation.lhs.constantValue == 0\n ) or (\n operation.lhs.location is [ArrayAccess aa3: aa3.base is\n [FieldAccess fal: fal.field.name matches \"PUT_REGEX_HERE\"]\n and aa3.type == T\"char\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue == 0\n ) or (\n operation.rhs.location is [ArrayAccess aa4: aa4.base is\n [FieldAccess far: far.field.name matches \"PUT_REGEX_HERE\"]\n and aa4.type == T\"char\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue == 0\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is [ArrayAccess aa1: aa1.base is\n [VariableAccess val: val.variable.name matches \"(?i)pass(wd|word)\"]\n and aa1.type is T\"char*\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue == 0\n ) or (\n operation.rhs.location is [ArrayAccess aa2: aa2.base is\n [VariableAccess var: var.variable.name matches \"(?i)pass(wd|word)\"]\n and aa2.type == T\"char\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue == 0\n ) or (\n operation.lhs.location is [ArrayAccess aa3: aa3.base is\n [FieldAccess fal: fal.field.name matches \"(?i)pass(wd|word)\"]\n and aa3.type == T\"char\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not 
operation.rhs.constantValue == 0\n ) or (\n operation.rhs.location is [ArrayAccess aa4: aa4.base is\n [FieldAccess far: far.field.name matches \"(?i)pass(wd|word)\"]\n and aa4.type == T\"char\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue == 0\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and fa.field is [Field f:]*\n and 
fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "cpp", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \"(?i).*pass(wd|word|phrase).*\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"(?i).*pass(wd|word).*\" and not fal.field.name matches \"(?i)pass(wd|word)\" and fal.field.type.name == \"char\"] and\n call.arguments[0].constantValue is [None:]\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"(?i).*pass(wd|word).*\" and not far.field.name matches \"(?i)pass(wd|word)\" and far.field.type.name == \"char\"] and\n call.arguments[1].constantValue is [None:]\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"(?i).*pass(wd|word).*\" and not val.variable.name matches \"(?i)pass(wd|word)\" and val.variable.type.name == \"char\"] and\n call.arguments[0].constantValue is [None:]\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"(?i).*pass(wd|word).*\" and not var.variable.name matches \"(?i)pass(wd|word)\" and var.variable.type.name == \"char\"] and\n call.arguments[1].constantValue is [None:]\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" 
and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"(?i).*pass(wd|word).*\" and not fal.field.name matches \"(?i)pass(wd|word)\" and fal.field.type.name == \"char\"] and\n call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"(?i).*pass(wd|word).*\" and not far.field.name matches \"(?i)pass(wd|word)\" and far.field.type.name == \"char\"] and\n call.arguments[1].constantValue == \"\"\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"(?i).*pass(wd|word).*\" and not val.variable.name matches \"(?i)pass(wd|word)\" and val.variable.type.name == \"char\"] and\n call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"(?i).*pass(wd|word).*\" and not var.variable.name matches \"(?i)pass(wd|word)\" and var.variable.type.name == \"char\"] and\n call.arguments[1].constantValue == \"\"\n ))\n " - }, - { - 
"language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n or ( rhs.constantValue == 0 and lhs.location is [ArrayAccess aa: aa.index.constantValue == 0 ])\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n or ( rhs.constantValue == 0 and lhs.location is [ArrayAccess aa: aa.index.constantValue == 0 ])\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name matches \"(_)?(str|wcs|mbs|lstr)(n|i|ni|case)?cmp(_l|i)?\"] and\n ((call.arguments[1] is [FieldAccess fal: fal.field.name matches \"(?i).*pass(wd|word).*\" and not fal.field.name matches \"(?i)pass(wd|word)\" and fal.field.type.name == \"char\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [FieldAccess far: far.field.name matches \"(?i).*pass(wd|word).*\" and not far.field.name matches \"(?i)pass(wd|word)\" and far.field.type.name == 
\"char\"] and\n not call.arguments[1].constantValue.None and\n not call.arguments[1].constantValue is [None:] and\n not call.arguments[1].constantValue == \"\"\n ) or (\n call.arguments[1] is [VariableAccess val: val.variable.name matches \"(?i).*pass(wd|word).*\" and not val.variable.name matches \"(?i)pass(wd|word)\" and val.variable.type.name == \"char\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n ) or (\n call.arguments[0] is [VariableAccess var: var.variable.name matches \"(?i).*pass(wd|word).*\" and not var.variable.name matches \"(?i)pass(wd|word)\" and var.variable.type.name == \"char\"] and\n not call.arguments[1].constantValue.None and\n not call.arguments[1].constantValue is [None:] and\n not call.arguments[1].constantValue == \"\"\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is [ArrayAccess aa1: aa1.base is\n [VariableAccess val: val.variable.name matches\n \"(?i).*pass(wd|word).*\"\n and not val.variable.name matches \"(?i)pass(wd|word)\"]\n and aa1.type == T\"char\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue == 0\n ) or (\n operation.rhs.location is [ArrayAccess aa2: aa2.base is\n [VariableAccess var: var.variable.name matches\n \"(?i).*pass(wd|word).*\"\n and not var.variable.name matches \"(?i)pass(wd|word)\"]\n and aa2.type == T\"char\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue == 0\n ) or (\n operation.lhs.location is 
[ArrayAccess aa3: aa3.base is\n [FieldAccess fal: fal.field.name matches\n \"(?i).*pass(wd|word).*\"\n and not fal.field.name matches \"(?i)pass(wd|word)\"]\n and aa3.type == T\"char\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue == 0\n ) or (\n operation.rhs.location is [ArrayAccess aa4: aa4.base is\n [FieldAccess far: far.field.name matches\n \"(?i).*pass(wd|word).*\"\n and not far.field.name matches \"(?i)pass(wd|word)\"]\n and aa4.type == T\"char\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue == 0\n ))\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and va.variable is [Variable v:]*\n and va.variable.type.name 
== \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is 
[Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is 
[None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and fa.field is [Field f:]*\n and fa.field.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue == 0\n ] and va.variable is [Variable v:]*\n and va.variable.type.name == \"char\"\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Out-of-Bounds Read", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.name == \"memchr\" and not fc.arguments[2].constantValue.None\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.name == \"memchr\" and\n ( ( fc.arguments[0] is [ArrayAccess ac0: base is [VariableAccess va0:\n fc.arguments[2] is [FunctionCall fc0: fc0.name == \"strlen\" and fc0.arguments[0] is [ArrayAccess: base is va0]]]] ) or\n ( fc.arguments[0] is [VariableAccess va1: variable is [Variable var1:\n fc.arguments[2] is [FunctionCall fc1: fc1.name == \"strlen\" and fc1.arguments[0] is [VariableAccess va2: variable is [Variable var2: var2 === var1]]]]] ) or\n ( fc.arguments[0] is [FieldAccess fa1: field is [Field fi1:\n fc.arguments[2] is [FunctionCall fc2: fc2.name == \"strlen\" and fc2.arguments[0] is [FieldAccess fa2: field is [Field fi2: fi2 === fi1]]]]] ))\n " - }, - { - "language": "cpp", - 
"vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Arithmetic Operation on Boolean", - "predicate": "\n Operation: op matches \"[+-/*%]\" and (\n (lhs is [VariableAccess: variable.type.name matches \"bool.*\"] and\n rhs is [VariableAccess: variable.type.name matches \"bool.*\"])\n or\n (lhs is [BooleanLiteral: ] and rhs is [BooleanLiteral: ])\n or\n (lhs is [VariableAccess: variable.type.name matches \"bool.*\"] and rhs is [BooleanLiteral: ])\n or\n (lhs is [BooleanLiteral: ] and rhs is [VariableAccess: variable.type.name matches \"bool.*\"])\n )\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Value Never Read", - "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: (not isIncrDecr) and (lhs.location is [Location l: l.transitiveBase === va.transitiveBase])]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable var: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and not sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and not const]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Value Never Read", - "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: (not isIncrDecr) and (lhs.location is va)]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable var: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and not sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and not const]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code 
Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Redundant Initialization", - "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is va and rhs.constantValue.None]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Value Never Read", - "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is va]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and not sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Type Mismatch", - "vuln_subcategory": "Negative to Unsigned", - "predicate": "\n AssignmentStatement: lhs is [Location: type.name matches \"unsigned.*\"]*\n and rhs is [Expression: \n type.name matches \"char|short|int|long\"\n and constantValue is [Number n: n < 0]\n ]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Type Mismatch", - "vuln_subcategory": "Signed to Unsigned", - "predicate": "\n AssignmentStatement: lhs is [Location: type.name matches \"unsigned.*\"]*\n and rhs is [Location l: type.name matches \"char|short|int|long\"\n /* is not a constant value */\n and constantValue.None\n /* not some sort of length, which are usually false positives */\n and not l is 
[FieldAccess: field.name matches \".*len(gth)?|.*size\" ]\n and not l is [VariableAccess: variable.name matches \".*len(gth)?|.*size\"]\n ]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Type Mismatch", - "vuln_subcategory": "Signed to Unsigned", - "predicate": "\n AssignmentStatement: lhs is [Location: type.name matches \"unsigned.*\"]*\n and rhs is [Location l: type.name matches \"char|short|int|long\"\n /* is not a constant value */\n and constantValue.None\n /* not some sort of length, which are usually false positives */\n and not l.name matches \".*len(gth)?|.*size\"\n /* not a binary value from a synthetic if-else block */\n and not (\n l.constantValues.length == 2\n and l.constantValues contains [Number: == 0]\n and l.constantValues contains [Number: == 1]\n )\n ]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Type Mismatch", - "vuln_subcategory": "Signed to Unsigned", - "predicate": "\n ReturnStatement rs:\n rs.enclosingFunction is [Function: ]* and rs.enclosingFunction.returnType is\n [name matches \"unsigned.*\" or indirectionLevel > 0]\n /* Needed because literals are always signed. */\n and not rs.expression.constantValue is [Number: >= 0]\n and rs.expression.type is [\n indirectionLevel == 0 and\n name is [ == \"char\" or == \"short\" or == \"int\" or == \"long\"]]\n /* Don't duplicate results caught by the \"Negative return value\" rule. 
*/\n and not rs.expression.partialConstantValues contains [Number: < 0]\n and not rs.enclosingFunction contains [IfStatement:\n expression is [Operation o:\n rs.expression is [VariableAccess: variable is [Variable v: \n (\n o.lhs.location is [VariableAccess: \n variable is v\n ]\n and o.op matches \">(=)?\"\n and (\n o.rhs.type.unsigned\n or o.rhs.constantValue is [Number: >= 0]\n )\n )\n or (\n o.op matches \"<(=)?\"\n and o.rhs.location is [VariableAccess:\n variable is v\n ]\n )\n ]]\n or rs.expression is [FieldAccess: field is [Field f: \n (\n o.lhs.location is [FieldAccess: \n field is f\n ]\n and o.op matches \">(=)?\"\n and (\n o.rhs.type.unsigned\n or o.rhs.constantValue is [Number: >= 0]\n )\n )\n or (\n o.op matches \"<(=)?\"\n and o.rhs.location is [FieldAccess: \n field is f\n ]\n )\n ]]\n ]\n ]\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Redundant Initialization", - "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and rhs.constantValue.None]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable var: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and not const]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Redundant Initialization", - "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is va and rhs.constantValue.None]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable var: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and 
not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and not const]*\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Variable Never Used", - "predicate": "\n Variable v: not enclosingFunction.None and uses.length == 0\n\t\tand not isTemp and not const and not sourceLocation.None and not sourceLocation.isMacroExpansion\n and not (v in v.enclosingFunction.parameters)\n\t\tand is [Variable:]\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Function Not Invoked", - "predicate": "\n\t\tOperation: (op matches \"[!=><]=\" or op matches \"[<>]\") and (\n\t\t\t(lhs is [FunctionPointer: ] and (not rhs.constantValue.None))\n\t\t\tor\n\t\t\t((not lhs.constantValue.None) and rhs is [FunctionPointer: ])\n\t\t)\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Variable Never Used", - "predicate": "\n Variable v: not enclosingFunction.None and uses.length == 0\n\t\tand not isTemp and not sourceLocation.None and not sourceLocation.isMacroExpansion\n and not (v in v.enclosingFunction.parameters)\n\t\tand is [Variable:]\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Type Mismatch", - "vuln_subcategory": "Negative to Unsigned", - "predicate": "\n ReturnStatement:\n enclosingFunction is [Function: ]* and enclosingFunction.returnType is\n [name matches \"unsigned.*\" or indirectionLevel > 0]\n and expression.partialConstantValues contains [Number: < 0]\n /* If they've explictly casted the value, then don't report. 
*/\n and not expression.type is\n [name matches \"unsigned.*\" or indirectionLevel > 0]\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Memory Leak", - "vuln_subcategory": "Reallocation", - "predicate": "\n FunctionCall call: (call.function is [name == \"realloc\" or\n name == \"_realloc_dbg\" or\n name == \"g_try_realloc\" or\n name == \"CoTaskMemRealloc\" or\n name == \"GlobalReAlloc\" or\n name == \"LocalReAlloc\" or\n name == \"HeapReAlloc\"]* and\n call in [AssignmentStatement: rhs === call and lhs == call.arguments[0] and\n lhs.location is [VariableAccess: variable is [Variable:]*]])\n or\n (call.function is [name == \"g_try_renew\"]* and\n call in [AssignmentStatement: rhs === call and lhs == call.arguments[1] and\n lhs.location is [VariableAccess: variable is [Variable:]*]])\n or\n (call.function is [name == \"realloc\" or\n name == \"_realloc_dbg\" or\n name == \"g_try_realloc\" or\n name == \"g_try_new\" or\n name == \"CoTaskMemRealloc\" or\n name == \"GlobalReAlloc\" or\n name == \"LocalReAlloc\" or\n name == \"HeapReAlloc\"]* and\n not call in [AssignmentStatement:])\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Memory Leak", - "vuln_subcategory": "Reallocation", - "predicate": "\n FunctionCall call: (call.function is [name == \"realloc\" or\n name == \"_realloc_dbg\" or\n name == \"g_try_realloc\" or\n name == \"CoTaskMemRealloc\" or\n name == \"GlobalReAlloc\" or\n name == \"LocalReAlloc\" or\n name == \"HeapReAlloc\"]* and\n call in [AssignmentStatement: rhs is call and lhs == call.arguments[0] and\n lhs.location is [VariableAccess: variable is [Variable:]*]])\n or\n (call.function is [name == \"g_try_renew\"]* and\n call in [AssignmentStatement: rhs is call and lhs == call.arguments[1] and\n lhs.location is [VariableAccess: variable is [Variable:]*]])\n or\n (call.function is [name == \"realloc\" or\n name == \"_realloc_dbg\" or\n name == \"g_try_realloc\" or\n name == 
\"g_try_new\" or\n name == \"CoTaskMemRealloc\" or\n name == \"GlobalReAlloc\" or\n name == \"LocalReAlloc\" or\n name == \"HeapReAlloc\"]* and\n not call in [AssignmentStatement:])\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Environment", - "vuln_category": "Insecure Compiler Optimization", - "vuln_subcategory": "Pointer Arithmetic", - "predicate": "\nOperation op1:\n(op1.op == \">=\" or op1.op == \">\" or op1.op == \"<=\" or op1.op == \"<\" )\nand\n(\n op1.lhs.type.pointerDepth > 0\n and\n op1.rhs.type.pointerDepth > 0\n and\n (\n op1.lhs is\n [\n Operation op2: op2.lhs is [VariableAccess lhsVa: op1.rhs is [VariableAccess rhsVa: lhsVa.variable.name == rhsVa.variable.name]]\n or\n op2.lhs is [Dereference: expression is [VariableAccess dLhsVa: op1.rhs is [VariableAccess: dLhsVa.variable.name == variable.name]]]\n ]\n or\n op1.rhs is [Operation op3: op3.lhs is [Dereference: expression is [VariableAccess dRhsVa: op1.lhs is [VariableAccess: variable.name == dRhsVa.variable.name]]]]\n )\n)\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Type Mismatch", - "vuln_subcategory": "Integer to Character", - "predicate": "\n AssignmentStatement ass: rhs is\n [FunctionCall f: f.function.name matches \"^(getchar|f?getc)$\"]\n and lhs.type.name matches \"^((unsigned|signed) )?char\"\n and lhs is [VariableAccess varacc:]\n and enclosingFunction contains\n [Operation: op matches \"[!=]=|[<>]=?\"\n and contains [VariableAccess varacc: ass.lhs is [VariableAccess: varacc.variable.name == variable.name]\n ]\n ]\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Undefined Behavior", - "vuln_subcategory": "File Pointer Dereference", - "predicate": "\n AssignmentStatement stmt: stmt.lhs is [VariableAccess va: va.type is [Type: name matches \"(?i)_*s*_*FILE\"]]* \n and\n /* Pointer deref is being translated as 'array access' for some reason, cover both potentials */\n (stmt.rhs is [ArrayAccess ac: ac.type 
is [Type: name matches \"(?i)_*s*_*FILE\"]]* or \n stmt.rhs is [Dereference d: d.type is [Type: name matches \"(?i)_*s*_*FILE\"]]*)\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Signature", - "vuln_subcategory": "XML Signature Secure Validation Disabled", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"setProperty\"\n and enclosingClass.supers contains [Class:\n name == \"java.util.Properties\"\n ]\n ]\n and arguments[0].constantValue == \"org.jcp.xml.dsig.secureValidation\"\n and arguments[1].constantValue != \"true\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"getBundle\" and\n fc.function.enclosingClass.name matches \"java\\.util\\.ResourceBundle\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"newUpdater\" and\n fc.function.enclosingClass.name matches \"java\\.util\\.concurrent\\.atomic\\.Atomic(Integer|Long|Reference)FieldUpdater\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"getBundle\" and\n fc.function.enclosingClass.name matches \"java\\.util\\.ResourceBundle\" and\n 
( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"newUpdater\" and\n fc.function.enclosingClass.name matches \"java\\.util\\.concurrent\\.atomic\\.Atomic(Integer|Long|Reference)FieldUpdater\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "sun.misc.Unsafe", - "predicate": "\n FunctionCall: function.enclosingClass.name == \"sun.misc.Unsafe\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Signature", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n (function.name == \"getInstance\")\n and fc.function.enclosingClass.supers contains [Class:\n name matches \"java\\.security\\.(AlgorithmParameters|KeyFactory)\"\n ] and arguments[0].constantValue matches \"(?i).*DSA.*\"\n and not arguments[0].constantValue matches \"(?i).*(ECDSA|EdDSA).*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Signature", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n (function.name == \"init^\" or function.constructor)\n and fc.function.enclosingClass.supers contains [Class:\n name matches \"java\\.security\\.(AlgorithmParameters|KeyFactory)\"\n ] and arguments[2].constantValue matches \"(?i).*DSA.*\"\n and not arguments[2].constantValue matches \"(?i).*(ECDSA|EdDSA).*\"\n " - }, - { - "language": 
"java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Signature", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n (function.name matches \"getInstance|init\\^\" or function.constructor)\n and fc.function.enclosingClass.supers contains [Class:\n name matches \"java\\.security\\.(KeyPairGenerator|Signature)\"\n ] and arguments[0].constantValue matches \"(?i).*DSA.*\"\n and not arguments[0].constantValue matches \"(?i).*(ECDSA|EdDSA).*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Signature", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function: contains [FunctionCall: \n function.name == \"getInstance\"\n and function.enclosingClass.supers contains [Class: name == \"java.security.KeyPairGenerator\"]\n and arguments[0].constantValue matches \"(?i).*DSA.*\"\n and not arguments[0].constantValue matches \"(?i).*(ECDSA|EdDSA).*\"\n ] and contains [FunctionCall:\n function.name == \"initialize\"\n and arguments[0].constantValue is [Number: < 2048]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - "predicate": "\n Class c: \n not interface\n and directSupers contains [Class:\n interface\n and directSupers contains [Class: name == \"java.rmi.Remote\"]\n and functions contains [Function: \n parameterTypes.length > 0\n and parameterTypes contains [Type:\n not primitive\n ]\n ]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n not fa.sourceLocation.None and\n not fa.field.sourceLocation.None and\n fa.sourceLocation.startLine != fa.field.sourceLocation.startLine and\n fa in [AssignmentStatement: lhs.location is 
[Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]]\n and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: ((fa.field.name matches \"PUT_REGEX_HERE\") or\n (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n not fa.sourceLocation.None and\n not fa.field.sourceLocation.None and\n fa.sourceLocation.startLine != fa.field.sourceLocation.startLine and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]]\n and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: ((fa.field.name matches \"(?i)pass(wd|word)\") or\n (fa.field.annotations contains [Annotation: type == 
T\"com.fortify.annotations.FortifyPassword\"])) and\n not fa.sourceLocation.None and\n not fa.field.sourceLocation.None and\n fa.sourceLocation.startLine != fa.field.sourceLocation.startLine and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]]\n and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n not va.sourceLocation.None and\n not va.variable.sourceLocation.None and\n va.sourceLocation.startLine != va.variable.sourceLocation.startLine and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]]\n and va.variable is [Variable v:]*\n and ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - 
"vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: ((va.variable.name matches \"PUT_REGEX_HERE\") or\n (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n not va.sourceLocation.None and\n not va.variable.sourceLocation.None and\n va.sourceLocation.startLine != va.variable.sourceLocation.startLine and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]]\n and va.variable is [Variable v:]*\n and ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: ((va.variable.name matches \"(?i)pass(wd|word)\") or\n (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n not va.sourceLocation.None and\n not va.variable.sourceLocation.None and\n va.sourceLocation.startLine != va.variable.sourceLocation.startLine and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]]\n and va.variable is [Variable v:]*\n and ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n 
va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"]\n and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: ((fa.field.name matches \"PUT_REGEX_HERE\") or\n (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"]\n and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == 
T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: ((fa.field.name matches \"(?i)pass(wd|word)\") or\n (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"]\n and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"]\n and va.variable is [Variable v:]*\n and ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - 
"vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: ((va.variable.name matches \"PUT_REGEX_HERE\") or\n (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"]\n and va.variable is [Variable v:]*\n and ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: ((va.variable.name matches \"(?i)pass(wd|word)\") or\n (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"]\n and va.variable is [Variable v:]*\n and ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": 
"Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: ((fa.field.name matches \"PUT_REGEX_HERE\") or\n (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n fa.field is [Field f:]*\n and 
(fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: ((fa.field.name matches \"(?i)pass(wd|word)\") or\n (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n va.variable is [Variable v:]* and\n ( va.variable.type.name == \"java.lang.String\" or\n 
va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: ((va.variable.name matches \"PUT_REGEX_HERE\") or\n (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n va.variable is [Variable v:]* and\n ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: ((va.variable.name matches \"(?i)pass(wd|word)\") or\n (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not 
rhs.constantValue == \"\"] and\n va.variable is [Variable v:]* and\n ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.enclosingClass.supers contains\n [Class c: c.name == \"java.lang.String\" or c.name == \"kotlin.String\"] and\n (f.name == \"contentEquals\" or f.name matches \"(compareTo|equals)(IgnoreCase)?\")] and\n ( ( call.instance is [VariableAccess val:\n val.variable.name matches \"PUT_REGEX_HERE\"\n and not (val.variable.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [VariableAccess var:\n var.variable.name matches \"PUT_REGEX_HERE\"\n and var.variable.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (var.variable.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ) or\n ( call.instance is [FieldAccess fal:\n fal.field.name matches \"PUT_REGEX_HERE\"\n and not (fal.field.annotations contains\n [Annotation: type == 
T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [FieldAccess far:\n far.field.name matches \"PUT_REGEX_HERE\" and\n far.field.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (far.field.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ))\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.enclosingClass.supers contains\n [Class c: c.name == \"java.lang.String\" or c.name == \"kotlin.String\"] and\n (f.name == \"contentEquals\" or f.name matches \"(compareTo|equals)(IgnoreCase)?\")] and\n ( ( call.instance is [VariableAccess val:\n ((val.variable.name matches \"PUT_REGEX_HERE\") or\n (val.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]))\n and not (val.variable.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [VariableAccess var:\n ((var.variable.name matches \"PUT_REGEX_HERE\") or\n (var.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]))\n and var.variable.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (var.variable.annotations contains\n [Annotation: type == 
T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ) or\n ( call.instance is [FieldAccess fal:\n ((fal.field.name matches \"PUT_REGEX_HERE\") or\n (fal.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]))\n and not (fal.field.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [FieldAccess far:\n ((far.field.name matches \"PUT_REGEX_HERE\") or\n (far.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n far.field.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (far.field.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ))\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.enclosingClass.supers contains\n [Class c: c.name == \"java.lang.String\" or c.name == \"kotlin.String\"] and\n (f.name == \"contentEquals\" or f.name matches \"(compareTo|equals)(IgnoreCase)?\")] and\n ( ( call.instance is [VariableAccess val:\n ((val.variable.name matches \"(?i)pass(wd|word)\") or\n (val.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]))\n and not (val.variable.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] 
and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [VariableAccess var:\n ((var.variable.name matches \"(?i)pass(wd|word)\") or\n (var.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]))\n and var.variable.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (var.variable.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ) or\n ( call.instance is [FieldAccess fal:\n ((fal.field.name matches \"(?i)pass(wd|word)\") or\n (fal.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"]))\n and not (fal.field.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [FieldAccess far:\n ((far.field.name matches \"(?i)pass(wd|word)\") or\n (far.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyPassword\"])) and\n far.field.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (far.field.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ))\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n 
FunctionCall: function is [Function: \n (\n name is \"put\" or \n name is \"putIfAbsent\" or \n name is \"merge\" or \n name is \"replace\" \n ) \n and\n enclosingClass.supers contains [Class: \n name == \"java.util.Map\"\n ]\n ] \n and arguments[0] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and (\n (arguments[1] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ])\n or\n (arguments[2] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ])\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall: function is [Function: \n (\n name is \"put\" or \n name is \"putIfAbsent\" or \n name is \"merge\" or \n name is \"replace\" \n ) \n and\n enclosingClass.supers contains [Class: \n name == \"java.util.Map\"\n ]\n ] \n and arguments[0] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and (\n (arguments[1] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ])\n or\n (arguments[2] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ])\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall: function is [Function: \n (\n name is \"put\" or \n name is \"putIfAbsent\" or \n name is \"merge\" or \n name is \"replace\" \n ) \n and\n enclosingClass.supers contains [Class: \n name == \"java.util.Map\"\n ]\n ] \n and arguments[0] is [Expression:\n constantValue matches 
\"(?i).*pass(wd|word|phrase).*\"\n ]\n and (\n (arguments[1] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ])\n or\n (arguments[2] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ])\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall: function is [Function: \n name is \"of\" and\n enclosingClass.supers contains [Class: \n name == \"java.util.Map\"\n ]\n ] \n and \n (\n (\n arguments[0] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[1] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[2] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[3] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[4] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[5] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[6] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[7] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[8] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[9] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == 
\"\"\n ]\n )\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall: function is [Function: \n name is \"of\" and\n enclosingClass.supers contains [Class: \n name == \"java.util.Map\"\n ]\n ] \n and \n (\n (\n arguments[0] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[1] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[2] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[3] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[4] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[5] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[6] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[7] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[8] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n and \n arguments[9] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall: function is [Function: \n name is \"of\" and\n enclosingClass.supers contains [Class: \n name == \"java.util.Map\"\n ]\n ]\n and \n (\n (\n arguments[0] is 
[Expression:\n constantValue matches \"(?i).*pass(wd|word|phrase).*\"\n ]\n and \n arguments[1] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[2] is [Expression:\n constantValue matches \"(?i).*pass(wd|word|phrase).*\"\n ]\n and \n arguments[3] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[4] is [Expression:\n constantValue matches \"(?i).*pass(wd|word|phrase).*\"\n ]\n and \n arguments[5] is [Expression: \n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[6] is [Expression:\n constantValue matches \"(?i).*pass(wd|word|phrase).*\"\n ]\n and \n arguments[7] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n or\n (\n arguments[8] is [Expression:\n constantValue matches \"(?i).*pass(wd|word|phrase).*\"\n ]\n and \n arguments[9] is [Expression:\n constantValue matches \".+\" and\n not constantValue.None and\n not constantValue is [None: ] and\n not constantValue == \"\"\n ]\n )\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - 
"predicate": "\n Comment c: c.text matches \"(?i).*pass(wd|word|phrase).*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.function is [Function: \n name == \"setProperty\"\n and enclosingClass.supers contains [Class: \n name == \"java.util.Properties\"\n ]\n ]\n and arguments[0] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.function is [Function: \n name == \"setProperty\"\n and enclosingClass.supers contains [Class: \n name == \"java.util.Properties\"\n ]\n ]\n and arguments[0] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.function is [Function: \n name == \"setProperty\"\n and enclosingClass.supers contains [Class: \n name == \"java.util.Properties\"\n ]\n ]\n and arguments[0] is [Expression:\n constantValue matches \"(?i).*pass(wd|word|phrase).*\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n not fa.sourceLocation.None and\n not fa.field.sourceLocation.None and\n fa.sourceLocation.startLine != fa.field.sourceLocation.startLine and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]] and\n fa.field is [Field f:]* and\n (fa.field.type.name == \"java.lang.String\" or\n 
fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\") and\n not (fa.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n not va.sourceLocation.None and\n not va.variable.sourceLocation.None and\n va.sourceLocation.startLine != va.variable.sourceLocation.startLine and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]] and\n va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: (fa.field.name matches \"(?i)pwd\") and\n not fa.sourceLocation.None and\n not fa.field.sourceLocation.None and\n fa.sourceLocation.startLine != fa.field.sourceLocation.startLine and\n fa in 
[AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]]\n and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or \n fa.field.type.name == \"kotlin.ByteArray\" or \n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\" or type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n not fa.sourceLocation.None and\n not fa.field.sourceLocation.None and\n fa.sourceLocation.startLine != fa.field.sourceLocation.startLine and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]] and\n fa.field is [Field f:]* and\n (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or \n fa.field.type.name == \"kotlin.ByteArray\" or \n fa.field.type.name == \"kotlin.CharArray\") and\n not (fa.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: (va.variable.name 
matches \"(?i)pwd\") and\n not va.sourceLocation.None and\n not va.variable.sourceLocation.None and\n va.sourceLocation.startLine != va.variable.sourceLocation.startLine and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue is [None:]]\n and va.variable is [Variable v:]*\n and ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or \n va.variable.type.name == \"kotlin.ByteArray\" or \n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\" or type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"] and\n fa.field is [Field f:]* and\n (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\") and\n not (fa.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - 
"vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"] and\n va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: (fa.field.name matches \"(?i)pwd\")\n and fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"]\n and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or \n fa.field.type.name == \"kotlin.ByteArray\" or \n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\" or type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess 
fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"] and\n fa.field is [Field f:]* and\n (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or \n fa.field.type.name == \"kotlin.ByteArray\" or \n fa.field.type.name == \"kotlin.CharArray\") and\n not (fa.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: (va.variable.name matches \"(?i)pwd\")\n and va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"]\n and va.variable is [Variable v:]*\n and ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or \n va.variable.type.name == \"kotlin.ByteArray\" or \n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\" or type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and\n not va.variable.name matches 
\"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"\"] and\n va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or \n va.variable.type.name == \"kotlin.ByteArray\" or \n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\" ] and\n fa.field is [Field f:]* and\n (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\") and\n not (fa.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches 
\"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.enclosingClass.supers contains\n [Class c: c.name == \"java.lang.String\" or c.name == \"kotlin.String\"] and\n (f.name == \"contentEquals\" or f.name matches \"(compareTo|equals)(IgnoreCase)?\")] and\n ( ( call.instance is [VariableAccess val: val.variable.name matches \"(?i).*pass(wd|word).*\"\n and not val.variable.name matches \"(?i)pass(wd|word)\"\n and not (val.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [VariableAccess var: var.variable.name matches \"(?i).*pass(wd|word).*\"\n and not var.variable.name matches \"(?i)pass(wd|word)\"\n and var.variable.type.definition.supers contains [Class: name == 
\"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (var.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ) or\n ( call.instance is [FieldAccess fal: fal.field.name matches \"(?i).*pass(wd|word).*\" and\n not fal.field.name matches \"(?i)pass(wd|word)\"\n and not (fal.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [FieldAccess far: far.field.name matches \"(?i).*pass(wd|word).*\" and\n not far.field.name matches \"(?i)pass(wd|word)\" and\n far.field.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (far.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ))\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: (fa.field.name matches \"(?i)pwd\")\n and fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == 
\"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or \n fa.field.type.name == \"kotlin.ByteArray\" or \n fa.field.type.name == \"kotlin.CharArray\")\n and not (fa.field.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\" or type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\" ] and\n fa.field is [Field f:]* and\n (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"byte\" or\n fa.field.type.name == \"char\" or\n fa.field.type.name == \"kotlin.String\" or \n fa.field.type.name == \"kotlin.ByteArray\" or \n fa.field.type.name == \"kotlin.CharArray\") and\n not (fa.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: (va.variable.name matches \"(?i)pwd\")\n and va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n va.variable is [Variable v:]* and\n ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == 
\"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or\n va.variable.type.name == \"kotlin.String\" or \n va.variable.type.name == \"kotlin.ByteArray\" or \n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\" or type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and\n va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"byte\" or\n va.variable.type.name == \"char\" or \n va.variable.type.name == \"kotlin.String\" or \n va.variable.type.name == \"kotlin.ByteArray\" or \n va.variable.type.name == \"kotlin.CharArray\")\n and not (va.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyNotPassword\" or\n type == T\"com.fortify.annotations.FortifyPassword\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.enclosingClass.supers contains\n [Class c: c.name == \"java.lang.String\" or c.name == \"kotlin.String\"] and\n (f.name == \"contentEquals\" or f.name matches \"(compareTo|equals)(IgnoreCase)?\")] and\n ( ( call.instance is [VariableAccess val: val.variable.name matches \"(?i).*pwd.*\"\n and 
not val.variable.name matches \"(?i)pwd\"\n and not (val.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [VariableAccess var: var.variable.name matches \"(?i).*pwd.*\"\n and not var.variable.name matches \"(?i)pwd\"\n and var.variable.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (var.variable.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ) or\n ( call.instance is [FieldAccess fal: fal.field.name matches \"(?i).*pwd.*\" and\n not fal.field.name matches \"(?i)pwd\"\n and not (fal.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [FieldAccess far: far.field.name matches \"(?i).*pwd.*\" and\n not far.field.name matches \"(?i)pwd\" and\n far.field.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (far.field.annotations contains [Annotation:\n type == T\"com.fortify.annotations.FortifyPassword\" or\n type == T\"com.fortify.annotations.FortifyNotPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ))\n " - }, 
- { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.function is [Function f: f.enclosingClass.supers contains\n [Class c: c.name == \"java.lang.String\" or c.name == \"kotlin.String\"] and\n (f.name == \"contentEquals\" or f.name matches \"(compareTo|equals)(IgnoreCase)?\")] and\n ( ( call.instance is [VariableAccess val:\n (val.variable.name matches \"(?i)pwd\")\n and not (val.variable.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"\n or type == T\"com.fortify.annotations.FortifyPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [VariableAccess var:\n (var.variable.name matches \"(?i)pwd\")\n and var.variable.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == \"kotlin.CharSequence\"]\n and not (var.variable.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"\n or type == T\"com.fortify.annotations.FortifyPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ) or\n ( call.instance is [FieldAccess fal:\n (fal.field.name matches \"(?i)pwd\")\n and not (fal.field.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"\n or type == T\"com.fortify.annotations.FortifyPassword\"])] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None: ] and\n not call.arguments[0].constantValue == \"\"\n ) or\n ( call.arguments[0] is [FieldAccess far:\n (far.field.name matches \"(?i)pwd\")\n and far.field.type.definition.supers contains [Class: name == \"java.lang.CharSequence\" or name == 
\"kotlin.CharSequence\"]\n and not (far.field.annotations contains\n [Annotation: type == T\"com.fortify.annotations.FortifyNotPassword\"\n or type == T\"com.fortify.annotations.FortifyPassword\"])] and\n not call.instance.constantValue.None and\n not call.instance.constantValue is [None:] and\n not call.instance.constantValue == \"\"\n ))\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n and not fa.sourceLocation.None\n and not fa.field.sourceLocation.None\n and fa.sourceLocation.startLine != fa.field.sourceLocation.startLine\n and fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and rhs.constantValue is [None:]] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n and not fa.sourceLocation.None\n and not fa.field.sourceLocation.None\n and 
fa.sourceLocation.startLine != fa.field.sourceLocation.startLine\n and fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and rhs.constantValue is [None:]] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n and not fa.sourceLocation.None\n and not fa.field.sourceLocation.None\n and fa.sourceLocation.startLine != fa.field.sourceLocation.startLine\n and fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and rhs.constantValue is [None:]] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not 
fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n and not va.sourceLocation.None\n and not va.variable.sourceLocation.None\n and va.sourceLocation.startLine != va.variable.sourceLocation.startLine\n and va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and rhs.constantValue is [None:]] and va.variable is [Variable v:]*\n and\n ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* 
Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n and not va.sourceLocation.None\n and not va.variable.sourceLocation.None\n and 
va.sourceLocation.startLine != va.variable.sourceLocation.startLine\n and va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and rhs.constantValue is [None:]] and va.variable is [Variable v:]*\n and\n ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: 
name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n and not va.sourceLocation.None\n and not va.variable.sourceLocation.None\n and va.sourceLocation.startLine != va.variable.sourceLocation.startLine\n and va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and rhs.constantValue is [None:]] and va.variable is [Variable v:]*\n and\n ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not 
va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases 
where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and rhs.constantValue == \"\"] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and rhs.constantValue == \"\"] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == 
\"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and rhs.constantValue == \"\"] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key 
Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and rhs.constantValue == \"\"] and va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and 
namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and rhs.constantValue == \"\"] and va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches 
\"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall 
redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and rhs.constantValue == \"\"] and va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == 
\"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n 
fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded 
Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call 
*/\n not va.enclosingFunction contains [FunctionCall: arguments[0] is va and\n possibleTargets contains [Function f: name matches \"put|contains(Key)?|get(OrDefault)|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]]\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)value\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] == va\n 
and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall: arguments[0] is va and\n possibleTargets contains [Function f: name matches \"put|contains(Key)?|get(OrDefault)|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]]\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)value\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains 
[AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' 
is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall: arguments[0] is va and\n possibleTargets contains [Function f: name matches \"put|contains(Key)?|get(OrDefault)|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]]\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)value\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction 
contains [FunctionCall fc: fc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n and not fa.sourceLocation.None\n and not fa.field.sourceLocation.None\n and fa.sourceLocation.startLine != fa.field.sourceLocation.startLine\n and fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and rhs.constantValue is [None:]] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not va.variable.name matches 
\"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n and not va.sourceLocation.None\n and not va.variable.sourceLocation.None\n and va.sourceLocation.startLine != va.variable.sourceLocation.startLine\n and va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and rhs.constantValue is [None:]] and va.variable is [Variable v:]*\n and\n ( va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is 
[FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and rhs.constantValue == \"\"] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is 
an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"]]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and rhs.constantValue == \"\"] and va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == \"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n 
and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches 
\"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is fa and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and fa.field is [Field f:]*\n and (fa.field.type.name == \"java.lang.String\" or\n fa.field.type.name == \"java.lang.StringBuffer\" or\n fa.field.type.name == \"kotlin.String\" or\n fa.field.type.name == \"kotlin.ByteArray\" or\n fa.field.type.name == \"kotlin.CharArray\" or\n fa.field.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not fa.enclosingClass contains[Function: contains [FunctionCall fc: fc.arguments[0] is fa and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is va and not rhs.constantValue.None and not rhs.constantValue is [None:] and not rhs.constantValue == \"\"] and va.variable is [Variable v:]*\n and (va.variable.type.name == \"java.lang.String\" or\n va.variable.type.name == \"java.lang.StringBuffer\" or\n va.variable.type.name == \"kotlin.String\" or\n va.variable.type.name == \"kotlin.ByteArray\" or\n va.variable.type.name == 
\"kotlin.CharArray\" or\n va.variable.type is [Type: name matches \"byte|char\" and arrayDimensions > 0]) and\n /* Exclude cases where 'key' is an arg to a Java Map/Collections function call */\n not va.enclosingFunction contains [FunctionCall fc: fc.arguments[0] is va and\n fc.possibleTargets contains [Function:name matches \"compute(IfPresent|IfAbsent)?|entry|equals|merge|of|put(ifAbsent)?|contains(Key)?|get(OrDefault)?|remove|replace|add|(last)?indexOf|set\" and\n enclosingClass.supers contains [Class:\n name matches \"java\\.util\\.(Map|Collection)\"\n ]\n ]\n ]\n /* Exclude the case where key is passed to a func and then assigned to val*/\n and not va.enclosingFunction contains [AssignmentStatement: lhs is [VariableAccess: variable.name matches \"(?i)val(ue)?\"]\n and rhs is [FunctionCall: arguments[0] is va]]\n /* Exclude cases where 'key' is returned by Map.Entry.getKey() */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function.name == \"getKey\" and\n function.enclosingClass.supers contains [Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n ]\n ]\n /* Exclude cases where 'key' is returned by kotlin.collections.component1(Map.Entry), which is used for destructuring Map entries */\n and not va.enclosingFunction contains [AssignmentStatement: lhs is va\n and rhs is [FunctionCall: function is [Function: \n name == \"component1\"\n and namespace.name == \"kotlin.collections\"\n and parameterTypes[0] is [Type: name == \"kotlin.collections.Map.Entry\"]\n ]\n ]\n ]\n /* Exclude cases where 'key' is compared to the return of Map.Entry.getKey() */\n and not va.enclosingFunction contains [FunctionCall equalsFc: function.name == \"equals\"\n and equalsFc.arguments contains va\n and equalsFc.enclosingFunction contains [AssignmentStatement getKeyAs: getKeyAs.rhs is [FunctionCall getKeyFc: getKeyFc.function.name == \"getKey\"\n and function.enclosingClass.supers contains 
[Class: \n name == \"java.util.Map.Entry\"\n or name == \"kotlin.collections.Map.Entry\"\n ]\n and equalsFc.instance is [VariableAccess va2: va2 == getKeyAs.lhs.location]\n ]\n ]\n ]\n /* Exclude cases where 'key' is used as an arg for a spring redis database operation */\n and not va.enclosingFunction contains [FunctionCall redisFc: redisFc.arguments[0] == va\n and function.enclosingClass.supers contains [Class: name matches \"org\\.springframework\\.data\\.redis\\.core\\.(\\w)+Operations\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"invoke\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.reflect\\.Method\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"newInstance\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.reflect\\.Constructor\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"(get|set).*\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.reflect\\.Field\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers 
contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"get(Package|Packages)\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.Package\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"get(SystemClassLoader|Parent|ContextClassLoader)\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.(ClassLoader|Thread)\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"forName|newInstance|(get(Declared)?(Field|Method|Constructor|Classes)(s)?)\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.Class\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"invoke\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.reflect\\.Method\" and\n ( 
fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"newInstance\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.reflect\\.Constructor\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"(get|set).*\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.reflect\\.Field\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"get(Package|Packages)\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.Package\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches 
\"get(SystemClassLoader|Parent|ContextClassLoader)\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.(ClassLoader|Thread)\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"forName|newInstance|(get(Declared)?(Field|Method|Constructor|Classes)(s)?)\" and\n fc.function.enclosingClass.name matches \"java\\.lang\\.Class\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Android Bad Practices", - "vuln_subcategory": "Use of Internal APIs", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"forName\"\n and enclosingClass.supers contains [Class:\n name == \"java.lang.Class\"\n ]\n ]\n and (\n /* Interal APIs */\n arguments[0].constantValue matches \".*\\.internal\\..*\"\n /* Hidden APIs */\n or arguments[0].constantValue is [String v:\n v == \"android.net.wifi.ActionListener\"\n or v == \"android.net.wifi.TxPacketCountListener\"\n or v == \"android.net.wifi.LocalOnlyHotspotSubscription\"\n or v == \"android.net.wifi.LocalOnlyHotspotObserver\"\n or v == \"android.net.wifi.WifiScanner\"\n or v == \"android.net.wifi.ActionListener\"\n or v == \"android.net.wifi.HiddenNetwork\"\n or v == \"android.net.wifi.PnoSettings\"\n or v == \"android.net.wifi.PnoNetwork\"\n or v == \"android.net.wifi.PnoScanListener\"\n or v == \"android.net.wifi.WifiChangeSettings\"\n or v == \"android.net.wifi.HotlistSettings\"\n or v == 
\"android.net.wifi.OperationResult\"\n or v == \"android.net.wifi.RssiPacketCountInfo\"\n or v == \"android.net.wifi.WifiWakeReasonAndCounts\"\n or v == \"android.net.wifi.RttManager\"\n or v == \"android.net.wifi.RttClient\"\n or v == \"android.net.wifi.WifiNetworkScoreCache\"\n or v == \"android.net.wifi.aware.WifiAwareNetworkSpecifier\"\n or v == \"android.net.wifi.aware.WifiAwareUtils\"\n or v == \"android.net.wifi.aware.TlvBufferUtils\"\n or v == \"android.net.wifi.aware.WifiAwareAgentNetworkSpecifier\"\n or v == \"android.net.wifi.aware.ConfigRequest\"\n or v == \"android.net.wifi.ParcelUtil\"\n or v == \"android.net.wifi.WifiSsid\"\n or v == \"android.net.wifi.WifiNetworkConnectionStatistics\"\n or v == \"android.net.wifi.BatchedScanResult\"\n or v == \"android.net.wifi.WifiLinkLayerStats\"\n or v == \"android.net.wifi.EAPConstants\"\n or v == \"android.net.wifi.SupplicantSaver\"\n or v == \"android.net.wifi.SupplicantLoader\"\n or v == \"android.net.wifi.PasspointManagementObjectDefinition\"\n or v == \"android.net.wifi.Visibility\"\n or v == \"android.net.wifi.NetworkSelectionStatus\"\n or v == \"android.net.wifi.RecentFailure\"\n or v == \"android.net.wifi.WifiConnectionStatistics\"\n or v == \"android.net.wifi.WifiActivityEnergyInfo\"\n or v == \"android.net.wifi.p2p.WifiP2pWfdInfo\"\n or v == \"android.net.wifi.p2p.PersistentGroupInfoListener\"\n or v == \"android.net.wifi.p2p.HandoverMessageListener\"\n or v == \"android.net.wifi.p2p.WifiP2pProvDiscEvent\"\n or v == \"android.net.wifi.p2p.WifiP2pGroupList\"\n or v == \"android.net.wifi.p2p.nsd.WifiP2pServiceResponse\"\n or v == \"android.net.wifi.p2p.nsd.WifiP2pDnsSdServiceResponse\"\n or v == \"android.net.wifi.p2p.nsd.WifiP2pUpnpServiceResponse\"\n or v == \"android.net.wifi.WifiChannel\"\n or v == \"android.net.wifi.hotspot2.omadm.XMLNode\"\n or v == \"android.net.wifi.hotspot2.omadm.XMLParser\"\n or v == \"android.net.wifi.hotspot2.OsuProvider\"\n or v == 
\"android.net.wifi.hotspot2.pps.UpdateParameter\"\n or v == \"android.net.wifi.hotspot2.pps.Policy\"\n or v == \"android.net.wifi.ScanSettings\"\n or v == \"android.net.wifi.WpsResult\"\n or v == \"android.net.wifi.InformationElement\"\n or v == \"android.net.wifi.AnqpInformationElement\"\n or v == \"android.drm.DrmOutputStream\"\n or v == \"junit.framework.ComparisonCompactor\"\n or v == \"com.google.vr.platform.DeviceInfo\"\n or v == \"com.google.vr.platform.Dvr\"\n or v == \"org.apache.http.conn.ssl.AndroidDistinguishedNameParser\"\n or v == \"android.metrics.LogMaker\"\n or v == \"android.metrics.MetricsReader\"\n or v == \"android.metrics.Event\"\n or v == \"android.metrics.LogReader\"\n or v == \"android.database.CursorWindowAllocationException\"\n or v == \"android.database.BulkCursorDescriptor\"\n or v == \"android.database.BulkCursorNative\"\n or v == \"android.database.sqlite.SQLiteDebug\"\n or v == \"android.database.sqlite.SQLiteStatementInfo\"\n or v == \"android.database.sqlite.SQLiteDirectCursorDriver\"\n or v == \"android.database.sqlite.SQLiteGlobal\"\n or v == \"android.database.sqlite.CustomFunction\"\n or v == \"android.database.sqlite.SQLiteDatabaseConfiguration\"\n or v == \"android.database.sqlite.SQLiteCustomFunction\"\n or v == \"android.database.sqlite.SQLiteSession\"\n or v == \"android.database.sqlite.DatabaseObjectNotClosedException\"\n or v == \"android.database.sqlite.SQLiteConnectionPool\"\n or v == \"android.database.sqlite.SQLiteConnection\"\n or v == \"android.database.CursorToBulkCursorAdaptor\"\n or v == \"android.database.IBulkCursor\"\n or v == \"android.database.BulkCursorToCursorAdaptor\"\n or v == \"android.transition.AnimationInfo\"\n or v == \"android.transition.ChangeText\"\n or v == \"android.transition.Rotate\"\n or v == \"android.transition.Crossfade\"\n or v == \"android.transition.TransitionUtils\"\n or v == \"android.transition.Recolor\"\n or v == \"android.webkit.JsDialogHelper\"\n or v == 
\"android.webkit.WebViewFactory\"\n or v == \"android.webkit.TokenBindingService\"\n or v == \"android.webkit.WebViewDelegate\"\n or v == \"android.webkit.WebViewProviderInfo\"\n or v == \"android.webkit.UrlInterceptRegistry\"\n or v == \"android.webkit.Plugin\"\n or v == \"android.webkit.DefaultClickHandler\"\n or v == \"android.webkit.WebViewUpdateService\"\n or v == \"android.webkit.UrlInterceptHandler\"\n or v == \"android.webkit.WebViewProvider\"\n or v == \"android.webkit.PrivateAccess\"\n or v == \"android.webkit.ResultReceiver\"\n or v == \"android.webkit.WebViewProviderResponse\"\n or v == \"android.webkit.WebViewZygote\"\n or v == \"android.webkit.WebViewFactoryProvider\"\n or v == \"android.webkit.PluginList\"\n or v == \"android.webkit.FindAddress\"\n or v == \"android.webkit.FindActionModeCallback\"\n or v == \"android.webkit.PluginData\"\n or v == \"android.webkit.UserPackage\"\n or v == \"android.webkit.LegacyErrorStrings\"\n or v == \"android.printservice.recommendation.RecommendationInfo\"\n or v == \"android.printservice.recommendation.RecommendationService\"\n or v == \"android.printservice.PrintServiceInfo\"\n or v == \"android.hardware.SerialPort\"\n or v == \"android.hardware.soundtrigger.SoundTrigger\"\n or v == \"android.hardware.soundtrigger.KeyphraseEnrollmentInfo\"\n or v == \"android.hardware.soundtrigger.SoundTriggerModule\"\n or v == \"android.hardware.soundtrigger.KeyphraseMetadata\"\n or v == \"android.hardware.radio.RadioManager\"\n or v == \"android.hardware.radio.RadioMetadata\"\n or v == \"android.hardware.radio.Clock\"\n or v == \"android.hardware.radio.ProgramSelector\"\n or v == \"android.hardware.radio.RadioTuner\"\n or v == \"android.hardware.fingerprint.EnrollmentCallback\"\n or v == \"android.hardware.fingerprint.RemovalCallback\"\n or v == \"android.hardware.fingerprint.EnumerateCallback\"\n or v == \"android.hardware.fingerprint.LockoutResetCallback\"\n or v == \"android.hardware.fingerprint.Fingerprint\"\n or v == 
\"android.hardware.SystemSensorManager\"\n or v == \"android.hardware.input.InputDeviceIdentifier\"\n or v == \"android.hardware.input.TouchCalibration\"\n or v == \"android.hardware.input.OnTabletModeChangedListener\"\n or v == \"android.hardware.input.KeyboardLayout\"\n or v == \"android.hardware.input.InputManagerInternal\"\n or v == \"android.hardware.CameraStatus\"\n or v == \"android.hardware.location.GeofenceHardwareRequestParcelable\"\n or v == \"android.hardware.location.NanoApp\"\n or v == \"android.hardware.location.GeofenceHardwareRequest\"\n or v == \"android.hardware.location.ActivityRecognitionEvent\"\n or v == \"android.hardware.location.GeofenceHardwareCallback\"\n or v == \"android.hardware.location.GeofenceHardwareService\"\n or v == \"android.hardware.location.ContextHubInfo\"\n or v == \"android.hardware.location.NanoAppFilter\"\n or v == \"android.hardware.location.NanoAppInstanceInfo\"\n or v == \"android.hardware.location.ActivityRecognitionHardware\"\n or v == \"android.hardware.location.GeofenceHardwareMonitorEvent\"\n or v == \"android.hardware.location.GeofenceHardware\"\n or v == \"android.hardware.location.GeofenceHardwareImpl\"\n or v == \"android.hardware.location.GeofenceHardwareMonitorCallback\"\n or v == \"android.hardware.location.ContextHubMessage\"\n or v == \"android.hardware.location.ActivityChangedEvent\"\n or v == \"android.hardware.location.ContextHubManager\"\n or v == \"android.hardware.location.ICallback\"\n or v == \"android.hardware.location.MemoryRegion\"\n or v == \"android.hardware.hdmi.HdmiClient\"\n or v == \"android.hardware.hdmi.HdmiControlManager\"\n or v == \"android.hardware.hdmi.HdmiTimerRecordSources\"\n or v == \"android.hardware.hdmi.TimeUnit\"\n or v == \"android.hardware.hdmi.Time\"\n or v == \"android.hardware.hdmi.Duration\"\n or v == \"android.hardware.hdmi.TimerInfo\"\n or v == \"android.hardware.hdmi.TimerRecordSource\"\n or v == \"android.hardware.hdmi.HdmiTvClient\"\n or v == 
\"android.hardware.hdmi.HdmiHotplugEvent\"\n or v == \"android.hardware.hdmi.HdmiRecordSources\"\n or v == \"android.hardware.hdmi.RecordSource\"\n or v == \"android.hardware.hdmi.OwnSource\"\n or v == \"android.hardware.hdmi.AribData\"\n or v == \"android.hardware.hdmi.AtscData\"\n or v == \"android.hardware.hdmi.DvbData\"\n or v == \"android.hardware.hdmi.DigitalChannelData\"\n or v == \"android.hardware.hdmi.DigitalServiceSource\"\n or v == \"android.hardware.hdmi.AnalogueServiceSource\"\n or v == \"android.hardware.hdmi.ExternalPlugData\"\n or v == \"android.hardware.hdmi.ExternalPhysicalAddress\"\n or v == \"android.hardware.hdmi.HdmiPlaybackClient\"\n or v == \"android.hardware.hdmi.HdmiDeviceInfo\"\n or v == \"android.hardware.hdmi.HdmiRecordListener\"\n or v == \"android.hardware.hdmi.TimerStatusData\"\n or v == \"android.hardware.hdmi.HdmiPortInfo\"\n or v == \"android.hardware.usb.UsbPortStatus\"\n or v == \"android.hardware.usb.UsbPort\"\n or v == \"android.hardware.display.DisplayManagerInternal\"\n or v == \"android.hardware.display.DisplayManagerGlobal\"\n or v == \"android.hardware.display.WifiDisplayStatus\"\n or v == \"android.hardware.display.WifiDisplaySessionInfo\"\n or v == \"android.hardware.display.DisplayViewport\"\n or v == \"android.hardware.display.WifiDisplay\"\n or v == \"android.hardware.SerialManager\"\n or v == \"android.hardware.CameraInfo\"\n or v == \"android.hardware.LegacySensorManager\"\n or v == \"android.hardware.camera2.impl.ICameraDeviceUserWrapper\"\n or v == \"android.hardware.camera2.impl.CaptureResultExtras\"\n or v == \"android.hardware.camera2.utils.LongParcelable\"\n or v == \"android.hardware.camera2.utils.UncheckedThrow\"\n or v == \"android.hardware.camera2.utils.SubmitInfo\"\n or v == \"android.hardware.camera2.params.StreamConfigurationDuration\"\n or v == \"android.hardware.camera2.params.ReprocessFormatsMap\"\n or v == \"android.hardware.camera2.params.HighSpeedVideoConfiguration\"\n or v == 
\"android.hardware.camera2.params.VendorTagDescriptorCache\"\n or v == \"android.hardware.camera2.params.VendorTagDescriptor\"\n or v == \"android.hardware.camera2.params.StreamConfiguration\"\n or v == \"android.net.NetworkStatsHistory\"\n or v == \"android.net.metrics.RaEvent\"\n or v == \"android.net.metrics.DefaultNetworkEvent\"\n or v == \"android.net.metrics.WakeupEvent\"\n or v == \"android.net.metrics.ConnectStats\"\n or v == \"android.net.metrics.IpConnectivityLog\"\n or v == \"android.net.metrics.DhcpClientEvent\"\n or v == \"android.net.metrics.DnsEvent\"\n or v == \"android.net.metrics.ValidationProbeEvent\"\n or v == \"android.net.metrics.NetworkMetrics\"\n or v == \"android.net.metrics.DhcpErrorEvent\"\n or v == \"android.net.metrics.IpManagerEvent\"\n or v == \"android.net.metrics.IpReachabilityEvent\"\n or v == \"android.net.metrics.WakeupStats\"\n or v == \"android.net.metrics.ApfProgramEvent\"\n or v == \"android.net.metrics.ApfStats\"\n or v == \"android.net.metrics.NetworkEvent\"\n or v == \"android.net.Status\"\n or v == \"android.net.PacketKeepaliveCallback\"\n or v == \"android.net.PacketKeepalive\"\n or v == \"android.net.OnStartTetheringCallback\"\n or v == \"android.net.Errors\"\n or v == \"android.net.TooManyRequestsException\"\n or v == \"android.net.DataUsageRequest\"\n or v == \"android.net.IpConfiguration\"\n or v == \"android.net.InterfaceConfiguration\"\n or v == \"android.net.SntpClient\"\n or v == \"android.net.IpSecTransformResponse\"\n or v == \"android.net.ScoredNetwork\"\n or v == \"android.net.NetworkKey\"\n or v == \"android.net.NetworkIdentity\"\n or v == \"android.net.NetworkPolicy\"\n or v == \"android.net.NetworkUtils\"\n or v == \"android.net.DhcpResults\"\n or v == \"android.net.StaticIpConfiguration\"\n or v == \"android.net.MatchAllNetworkSpecifier\"\n or v == \"android.net.NetworkPolicyManager\"\n or v == \"android.net.NetworkScoreManager\"\n or v == \"android.net.StringNetworkSpecifier\"\n or v == 
\"android.net.MobileLinkQualityInfo\"\n or v == \"android.net.LinkQualityInfo\"\n or v == \"android.net.NetworkConfig\"\n or v == \"android.net.NetworkStats\"\n or v == \"android.net.RssiCurve\"\n or v == \"android.net.PacProxySelector\"\n or v == \"android.net.EthernetManager\"\n or v == \"android.net.UidRange\"\n or v == \"android.net.IpSecSpiResponse\"\n or v == \"android.net.NetworkTemplate\"\n or v == \"android.net.NetworkState\"\n or v == \"android.net.WifiLinkQualityInfo\"\n or v == \"android.net.NetworkQuotaInfo\"\n or v == \"android.net.WifiKey\"\n or v == \"android.net.wimax.WimaxManagerConstants\"\n or v == \"android.net.NetworkMisc\"\n or v == \"android.net.ConnectivityMetricsEvent\"\n or v == \"android.net.ConnectivityThread\"\n or v == \"android.net.NetworkAgent\"\n or v == \"android.net.IpSecUdpEncapResponse\"\n or v == \"android.net.CompareResult\"\n or v == \"android.net.IpSecConfig\"\n or v == \"android.net.NetworkRecommendationProvider\"\n or v == \"android.net.NetworkScorerAppData\"\n or v == \"android.net.nsd.DnsSdTxtRecord\"\n or v == \"android.net.NetworkFactory\"\n or v == \"android.app.ActivityManagerNative\"\n or v == \"android.app.BackStackRecord\"\n or v == \"android.app.PackageInstallObserver\"\n or v == \"android.app.LoadedApk\"\n or v == \"android.app.StackId\"\n or v == \"android.app.TaskThumbnailInfo\"\n or v == \"android.app.TaskThumbnail\"\n or v == \"android.app.TaskSnapshot\"\n or v == \"android.app.StackInfo\"\n or v == \"android.app.OnUidImportanceListener\"\n or v == \"android.app.assist.AutofillOverlay\"\n or v == \"android.app.TranslucentConversionListener\"\n or v == \"android.app.ActivityManagerInternal\"\n or v == \"android.app.ApplicationPackageManager\"\n or v == \"android.app.MoveCallbackDelegate\"\n or v == \"android.app.WaitResult\"\n or v == \"android.app.UiAutomationConnection\"\n or v == \"android.app.timezone.RulesManager\"\n or v == \"android.app.timezone.RulesState\"\n or v == 
\"android.app.timezone.Callback\"\n or v == \"android.app.timezone.DistroFormatVersion\"\n or v == \"android.app.timezone.DistroRulesVersion\"\n or v == \"android.app.timezone.RulesUpdaterContract\"\n or v == \"android.app.VrManager\"\n or v == \"android.app.ActivityView\"\n or v == \"android.app.ActivityThread\"\n or v == \"android.app.ContentProviderHolder\"\n or v == \"android.app.BroadcastOptions\"\n or v == \"android.app.JobSchedulerImpl\"\n or v == \"android.app.ResultInfo\"\n or v == \"android.app.TvExtender\"\n or v == \"android.app.UserSwitchObserver\"\n or v == \"android.app.admin.PasswordMetrics\"\n or v == \"android.app.admin.PolicyInfo\"\n or v == \"android.app.admin.DevicePolicyManagerInternal\"\n or v == \"android.app.ResourcesManager\"\n or v == \"android.app.PackageOps\"\n or v == \"android.app.OpEntry\"\n or v == \"android.app.OnOpChangedInternalListener\"\n or v == \"android.app.QueuedWork\"\n or v == \"android.app.ServiceStartArgs\"\n or v == \"android.app.usage.TimeSparseArray\"\n or v == \"android.app.usage.UsageStatsManagerInternal\"\n or v == \"android.app.usage.CacheQuotaService\"\n or v == \"android.app.usage.CacheQuotaHint\"\n or v == \"android.app.TaskStackListener\"\n or v == \"android.app.AppGlobals\"\n or v == \"android.app.StatusBarManager\"\n or v == \"android.app.OnMarshaledListener\"\n or v == \"android.app.ApplicationThreadConstants\"\n or v == \"android.app.EphemeralResolverService\"\n or v == \"android.app.ParcelableCrashInfo\"\n or v == \"android.app.job.JobHandler\"\n or v == \"android.app.Vr2dDisplayProperties\"\n or v == \"android.app.ProfilerInfo\"\n or v == \"android.app.trust.TrustManager\"\n or v == \"android.app.SearchDialog\"\n or v == \"android.app.InstantAppResolverService\"\n or v == \"android.app.OnActivityPausedListener\"\n or v == \"android.app.ActionKeyInfo\"\n or v == \"android.app.backup.BackupHelperDispatcher\"\n or v == \"android.app.backup.BackupManagerMonitor\"\n or v == 
\"android.app.backup.RestoreDescription\"\n or v == \"android.app.backup.SelectBackupTransportCallback\"\n or v == \"android.app.backup.BackupProgress\"\n or v == \"android.app.backup.AbsoluteFileBackupHelper\"\n or v == \"android.app.backup.FullBackup\"\n or v == \"android.app.backup.RestoreSession\"\n or v == \"android.app.backup.RestoreSet\"\n or v == \"android.app.backup.BlobBackupHelper\"\n or v == \"android.app.backup.BackupObserver\"\n or v == \"android.app.backup.WallpaperBackupHelper\"\n or v == \"android.app.backup.BackupTransport\"\n or v == \"android.app.SynchronousUserSwitchObserver\"\n or v == \"android.app.RecoverableSecurityException\"\n or v == \"android.app.LocalDialog\"\n or v == \"android.app.ApplicationLoaders\"\n or v == \"android.app.PackageDeleteObserver\"\n or v == \"android.app.OnAnimationStartedListener\"\n or v == \"android.app.OnAnimationFinishedListener\"\n or v == \"android.app.VrStateCallback\"\n or v == \"android.widget.SuggestionsAdapter\"\n or v == \"android.widget.DropDownListView\"\n or v == \"android.widget.ActionMenuChildView\"\n or v == \"android.widget.AppSecurityPermissions\"\n or v == \"android.widget.MyPermissionGroupInfo\"\n or v == \"android.widget.MyPermissionInfo\"\n or v == \"android.widget.PermissionItemView\"\n or v == \"android.widget.RadialTimePickerView\"\n or v == \"android.widget.Editor\"\n or v == \"android.widget.RemoteViewsAdapter\"\n or v == \"android.widget.RemoteViewsListAdapter\"\n or v == \"android.widget.MenuItemHoverListener\"\n or v == \"android.widget.MenuPopupWindow\"\n or v == \"android.widget.MenuDropDownListView\"\n or v == \"android.widget.CustomEditText\"\n or v == \"android.widget.TextInputTimePickerView\"\n or v == \"android.widget.ScrollBarDrawable\"\n or v == \"android.widget.SearchAutoComplete\"\n or v == \"android.widget.ActivityChooserView\"\n or v == \"android.widget.ActionMenuPresenter\"\n or v == \"android.widget.DatePickerDelegate\"\n or v == \"android.widget.ValidationCallback\"\n 
or v == \"android.widget.OnClickHandler\"\n or v == \"android.widget.OnViewAppliedListener\"\n or v == \"android.widget.ForwardingListener\"\n or v == \"android.widget.DateTimeView\"\n or v == \"android.widget.DatePickerController\"\n or v == \"android.widget.TextViewMetrics\"\n or v == \"android.widget.Delayer\"\n or v == \"android.widget.ActivityChooserModel\"\n or v == \"android.widget.SpellChecker\"\n or v == \"android.util.MergedConfiguration\"\n or v == \"android.util.PackageUtils\"\n or v == \"android.util.Spline\"\n or v == \"android.util.LocalLog\"\n or v == \"android.util.apk.ApkSignatureSchemeV2Verifier\"\n or v == \"android.util.proto.ProtoParseException\"\n or v == \"android.util.proto.EncodedBuffer\"\n or v == \"android.util.SuperNotCalledException\"\n or v == \"android.util.BackupUtils\"\n or v == \"android.util.Singleton\"\n or v == \"android.util.jar.StrictJarFile\"\n or v == \"android.util.jar.ZipInflaterInputStream\"\n or v == \"android.util.jar.FDStream\"\n or v == \"android.util.jar.StrictJarManifest\"\n or v == \"android.util.Pools\"\n or v == \"android.util.PrefixPrinter\"\n or v == \"android.util.PathParser\"\n or v == \"android.util.LongArray\"\n or v == \"android.util.MathUtils\"\n or v == \"android.util.FastImmutableArraySet\"\n or v == \"android.util.IntArray\"\n or v == \"android.util.ExceptionUtils\"\n or v == \"android.util.MemoryIntArray\"\n or v == \"android.util.DayOfMonthCursor\"\n or v == \"android.util.TrustedTime\"\n or v == \"android.util.ByteStringUtils\"\n or v == \"android.util.TerribleFailure\"\n or v == \"android.util.TerribleFailureHandler\"\n or v == \"android.util.NtpTrustedTime\"\n or v == \"android.util.TimingsTraceLog\"\n or v == \"android.util.IconDrawableFactory\"\n or v == \"android.util.LongSparseLongArray\"\n or v == \"android.util.RecurrenceRule\"\n or v == \"android.util.Slog\"\n or v == \"android.util.LauncherIcons\"\n or v == \"android.util.LogWriter\"\n or v == \"android.util.MapCollections\"\n or v == 
\"android.util.TimedRemoteCaller\"\n or v == \"android.util.KeyValueListParser\"\n or v == \"android.security.net.config.ApplicationConfig\"\n or v == \"android.security.net.config.ConfigSource\"\n or v == \"android.security.net.config.UserCertificateSource\"\n or v == \"android.security.net.config.CertificatesEntryRef\"\n or v == \"android.security.net.config.SystemCertificateSource\"\n or v == \"android.security.net.config.NetworkSecurityConfig\"\n or v == \"android.security.net.config.Builder\"\n or v == \"android.security.net.config.TrustAnchor\"\n or v == \"android.security.net.config.NetworkSecurityTrustManager\"\n or v == \"android.security.net.config.XmlConfigSource\"\n or v == \"android.security.net.config.Pin\"\n or v == \"android.security.net.config.ResourceCertificateSource\"\n or v == \"android.security.net.config.RootTrustManager\"\n or v == \"android.security.net.config.ManifestConfigSource\"\n or v == \"android.security.net.config.DirectoryCertificateSource\"\n or v == \"android.security.net.config.CertificateSource\"\n or v == \"android.security.net.config.PinSet\"\n or v == \"android.security.net.config.ConfigNetworkSecurityPolicy\"\n or v == \"android.security.net.config.TrustedCertificateStoreAdapter\"\n or v == \"android.security.net.config.RootTrustManagerFactorySpi\"\n or v == \"android.security.net.config.NetworkSecurityConfigProvider\"\n or v == \"android.security.net.config.Domain\"\n or v == \"android.security.keymaster.KeyCharacteristics\"\n or v == \"android.security.keymaster.KeymasterArguments\"\n or v == \"android.security.keymaster.KeyAttestationApplicationId\"\n or v == \"android.security.keymaster.ExportResult\"\n or v == \"android.security.keymaster.KeymasterDefs\"\n or v == \"android.security.keymaster.KeymasterCertificateChain\"\n or v == \"android.security.keymaster.KeymasterDateArgument\"\n or v == \"android.security.keymaster.KeymasterBooleanArgument\"\n or v == \"android.security.keymaster.KeymasterArgument\"\n or v == 
\"android.security.keymaster.KeymasterBlob\"\n or v == \"android.security.keymaster.OperationResult\"\n or v == \"android.security.keymaster.KeymasterBlobArgument\"\n or v == \"android.security.keymaster.KeyAttestationPackageInfo\"\n or v == \"android.security.keymaster.KeymasterIntArgument\"\n or v == \"android.security.keymaster.KeymasterLongArgument\"\n or v == \"android.security.FrameworkNetworkSecurityPolicy\"\n or v == \"android.security.KeystoreArguments\"\n or v == \"android.inputmethodservice.CompactExtractEditLayout\"\n or v == \"android.inputmethodservice.SoftInputWindow\"\n or v == \"android.inputmethodservice.ExtractEditLayout\"\n or v == \"android.provider.Presence\"\n or v == \"android.provider.SearchIndexableData\"\n or v == \"android.provider.SearchIndexablesContract\"\n or v == \"android.provider.SearchIndexablesProvider\"\n or v == \"android.provider.SyncConstValue\"\n or v == \"android.provider.OneTimeUseBuilder\"\n or v == \"android.provider.BrowserContract\"\n or v == \"android.provider.BaseSyncColumns\"\n or v == \"android.provider.ChromeSyncColumns\"\n or v == \"android.provider.SyncColumns\"\n or v == \"android.provider.ImageColumns\"\n or v == \"android.provider.Accounts\"\n or v == \"android.provider.Searches\"\n or v == \"android.provider.SyncState\"\n or v == \"android.provider.Combined\"\n or v == \"android.provider.Settings\"\n or v == \"android.provider.SettingsStringUtil\"\n or v == \"android.provider.Impl\"\n or v == \"android.provider.SearchIndexableResource\"\n or v == \"android.provider.MetadataReader\"\n or v == \"android.provider.Authorization\"\n or v == \"android.provider.SyncStateColumns\"\n or v == \"android.provider.PhotoFiles\"\n or v == \"android.provider.PhotoFilesColumns\"\n or v == \"android.provider.MetadataSyncColumns\"\n or v == \"android.provider.MetadataSync\"\n or v == \"android.provider.MetadataSyncStateColumns\"\n or v == \"android.provider.MetadataSyncState\"\n or v == \"android.provider.Validator\"\n or v 
== \"android.provider.Bookmarks\"\n or v == \"android.provider.TimeZoneRulesDataContract\"\n or v == \"android.provider.ContactsInternal\"\n or v == \"android.provider.CalendarMetaDataColumns\"\n or v == \"android.provider.CalendarMetaData\"\n or v == \"android.provider.EventsRawTimesColumns\"\n or v == \"android.provider.EventsRawTimes\"\n or v == \"android.provider.SystemContract\"\n or v == \"android.animation.AnimationHandler\"\n or v == \"android.animation.AnimationFrameCallbackProvider\"\n or v == \"android.animation.Tuple\"\n or v == \"android.animation.RevealAnimator\"\n or v == \"android.animation.KeyframeSet\"\n or v == \"android.animation.PropertyValues\"\n or v == \"android.animation.Keyframes\"\n or v == \"android.animation.PathKeyframes\"\n or v == \"android.content.pm.MacAuthenticatedInputStream\"\n or v == \"android.content.pm.InstantAppInfo\"\n or v == \"android.content.pm.split.SplitAssetDependencyLoader\"\n or v == \"android.content.pm.split.SplitAssetLoader\"\n or v == \"android.content.pm.split.DefaultSplitAssetLoader\"\n or v == \"android.content.pm.split.SplitDependencyLoader\"\n or v == \"android.content.pm.KeySet\"\n or v == \"android.content.pm.StringParceledListSlice\"\n or v == \"android.content.pm.VerifierInfo\"\n or v == \"android.content.pm.InstantAppRequest\"\n or v == \"android.content.pm.PackageBackwardCompatibility\"\n or v == \"android.content.pm.PackageManagerInternal\"\n or v == \"android.content.pm.InstantAppResolveInfo\"\n or v == \"android.content.pm.InstantAppDigest\"\n or v == \"android.content.pm.BaseParceledListSlice\"\n or v == \"android.content.pm.IntentFilterVerificationInfo\"\n or v == \"android.content.pm.OnPermissionsChangedListener\"\n or v == \"android.content.pm.MoveCallback\"\n or v == \"android.content.pm.LegacyPackageInstallObserver\"\n or v == \"android.content.pm.LegacyPackageDeleteObserver\"\n or v == \"android.content.pm.DexModuleRegisterCallback\"\n or v == \"android.content.pm.AppsQueryHelper\"\n or v 
== \"android.content.pm.FallbackCategoryProvider\"\n or v == \"android.content.pm.LimitedLengthInputStream\"\n or v == \"android.content.pm.VerificationParams\"\n or v == \"android.content.pm.PackageInfoLite\"\n or v == \"android.content.pm.PackageUserState\"\n or v == \"android.content.pm.SessionCallbackDelegate\"\n or v == \"android.content.pm.AuxiliaryResolveInfo\"\n or v == \"android.content.pm.RegisteredServicesCache\"\n or v == \"android.content.pm.InstantAppIntentFilter\"\n or v == \"android.content.pm.UserInfo\"\n or v == \"android.content.pm.PackageCleanItem\"\n or v == \"android.content.pm.XmlSerializerAndParser\"\n or v == \"android.content.pm.ParceledListSlice\"\n or v == \"android.content.pm.VerifierDeviceIdentity\"\n or v == \"android.content.pm.EphemeralResolveInfo\"\n or v == \"android.content.pm.EphemeralDigest\"\n or v == \"android.content.pm.EphemeralIntentFilter\"\n or v == \"android.content.pm.SELinuxUtil\"\n or v == \"android.content.pm.PackageParserCacheHelper\"\n or v == \"android.content.pm.permission.RuntimePermissionPresenter\"\n or v == \"android.content.pm.permission.RuntimePermissionPresentationInfo\"\n or v == \"android.content.pm.RegisteredServicesCacheListener\"\n or v == \"android.content.pm.PackageParser\"\n or v == \"android.content.pm.NewPermissionInfo\"\n or v == \"android.content.pm.SplitPermissionInfo\"\n or v == \"android.content.pm.ParseComponentArgs\"\n or v == \"android.content.pm.ShortcutServiceInternal\"\n or v == \"android.content.res.ResourcesKey\"\n or v == \"android.content.res.GradientColor\"\n or v == \"android.content.res.ComplexColor\"\n or v == \"android.content.res.ConfigurationBoundResourceCache\"\n or v == \"android.content.res.StringBlock\"\n or v == \"android.content.res.ResourceId\"\n or v == \"android.content.res.ResourcesImpl\"\n or v == \"android.content.res.CompatResources\"\n or v == \"android.content.res.ConstantState\"\n or v == \"android.content.res.XmlBlock\"\n or v == 
\"android.content.res.FontResourcesParser\"\n or v == \"android.content.res.CompatibilityInfo\"\n or v == \"android.content.res.Translator\"\n or v == \"android.content.OpenResourceIdResult\"\n or v == \"android.content.Transport\"\n or v == \"android.content.ContentInsertHandler\"\n or v == \"android.content.DefaultDataHandler\"\n or v == \"android.content.SyncActivityTooManyDeletes\"\n or v == \"android.content.DatabaseHelper\"\n or v == \"android.content.om.OverlayInfo\"\n or v == \"android.content.SyncStatusInfo\"\n or v == \"android.content.UndoOwner\"\n or v == \"android.content.CursorEntityIterator\"\n or v == \"android.content.ContentProviderNative\"\n or v == \"android.content.IContentProvider\"\n or v == \"android.content.SyncAdaptersCache\"\n or v == \"android.content.UndoManager\"\n or v == \"android.content.UndoOperation\"\n or v == \"android.content.CommandOptionHandler\"\n or v == \"android.print.PrintServiceRecommendationsLoader\"\n or v == \"android.print.PrintJobStateChangeListener\"\n or v == \"android.print.PrintServicesChangeListener\"\n or v == \"android.print.PrintServiceRecommendationsChangeListener\"\n or v == \"android.print.PrintDocumentAdapterDelegate\"\n or v == \"android.print.PrintJobStateChangeListenerWrapper\"\n or v == \"android.print.PrintServicesChangeListenerWrapper\"\n or v == \"android.print.PrintServiceRecommendationsChangeListenerWrapper\"\n or v == \"android.print.PrintFileDocumentAdapter\"\n or v == \"android.print.PrintServicesLoader\"\n or v == \"android.print.PrinterDiscoverySession\"\n or v == \"android.speech.tts.TtsEngines\"\n or v == \"android.preference.SeekBarVolumizer\"\n or v == \"android.preference.SeekBarDialogPreference\"\n or v == \"android.preference.MultiCheckPreference\"\n or v == \"android.preference.OnPreferenceTreeClickListener\"\n or v == \"android.preference.SeekBarPreference\"\n or v == \"android.preference.VolumePreference\"\n or v == \"android.preference.GenericInflater\"\n or v == 
\"android.preference.PreferenceGroupAdapter\"\n or v == \"android.preference.PreferenceFrameLayout\"\n or v == \"android.permissionpresenterservice.RuntimePermissionPresenterService\"\n or v == \"android.accounts.ChooseAccountTypeActivity\"\n or v == \"android.accounts.GrantCredentialsPermissionActivity\"\n or v == \"android.accounts.ChooseTypeAndAccountActivity\"\n or v == \"android.accounts.AccountManagerInternal\"\n or v == \"android.accounts.AccountManagerResponse\"\n or v == \"android.accounts.AccountAndUser\"\n or v == \"android.accounts.CantAddAccountActivity\"\n or v == \"android.accounts.ChooseAccountActivity\"\n or v == \"android.appwidget.PendingHostUpdate\"\n or v == \"android.nfc.dta.NfcDta\"\n or v == \"android.nfc.BeamShareData\"\n or v == \"android.nfc.cardemulation.ApduServiceInfo\"\n or v == \"android.nfc.cardemulation.AidGroup\"\n or v == \"android.nfc.cardemulation.NfcFServiceInfo\"\n or v == \"android.nfc.NfcUnlockHandler\"\n or v == \"android.nfc.NfcActivityManager\"\n or v == \"android.nfc.TechListParcel\"\n or v == \"android.nfc.ApduList\"\n or v == \"android.nfc.ErrorCodes\"\n or v == \"android.nfc.TransceiveResult\"\n or v == \"android.bluetooth.BluetoothCodecStatus\"\n or v == \"android.bluetooth.SdpRecord\"\n or v == \"android.bluetooth.BluetoothActivityEnergyInfo\"\n or v == \"android.bluetooth.SdpOppOpsRecord\"\n or v == \"android.bluetooth.SdpSapsRecord\"\n or v == \"android.bluetooth.BluetoothUuid\"\n or v == \"android.bluetooth.BluetoothA2dpSink\"\n or v == \"android.bluetooth.BluetoothHeadsetClientCall\"\n or v == \"android.bluetooth.BluetoothHeadsetClient\"\n or v == \"android.bluetooth.BluetoothAvrcpController\"\n or v == \"android.bluetooth.BluetoothPbapClient\"\n or v == \"android.bluetooth.BluetoothMapClient\"\n or v == \"android.bluetooth.UidTraffic\"\n or v == \"android.bluetooth.le.PeriodicAdvertisingManager\"\n or v == \"android.bluetooth.le.PeriodicAdvertisingReport\"\n or v == \"android.bluetooth.le.TruncatedFilter\"\n 
or v == \"android.bluetooth.le.BluetoothLeUtils\"\n or v == \"android.bluetooth.le.PeriodicAdvertisingCallback\"\n or v == \"android.bluetooth.le.ResultStorageDescriptor\"\n or v == \"android.bluetooth.BluetoothStateChangeCallback\"\n or v == \"android.bluetooth.StateChangeCallbackWrapper\"\n or v == \"android.bluetooth.BluetoothPan\"\n or v == \"android.bluetooth.BluetoothGattIncludedService\"\n or v == \"android.bluetooth.BluetoothAvrcp\"\n or v == \"android.bluetooth.BluetoothAvrcpPlayerSettings\"\n or v == \"android.bluetooth.BluetoothSap\"\n or v == \"android.bluetooth.BluetoothMasInstance\"\n or v == \"android.bluetooth.BluetoothDevicePicker\"\n or v == \"android.bluetooth.BluetoothHidHost\"\n or v == \"android.bluetooth.BluetoothCodecConfig\"\n or v == \"android.bluetooth.SdpMasRecord\"\n or v == \"android.bluetooth.BluetoothPbap\"\n or v == \"android.bluetooth.BluetoothAudioConfig\"\n or v == \"android.bluetooth.BluetoothMap\"\n or v == \"android.bluetooth.SdpPseRecord\"\n or v == \"android.bluetooth.SdpMnsRecord\"\n or v == \"android.bluetooth.OobData\"\n or v == \"android.view.InputFilter\"\n or v == \"android.view.HandlerActionQueue\"\n or v == \"android.view.WindowInfo\"\n or v == \"android.view.inputmethod.FinishedInputEventCallback\"\n or v == \"android.view.inputmethod.InputMethodSubtypeArray\"\n or v == \"android.view.inputmethod.InputMethodManagerInternal\"\n or v == \"android.view.inputmethod.SparseRectFArray\"\n or v == \"android.view.inputmethod.SparseRectFArrayBuilder\"\n or v == \"android.view.inputmethod.InputConnectionInspector\"\n or v == \"android.view.WindowManagerInternal\"\n or v == \"android.view.SurfaceControl\"\n or v == \"android.view.ViewHierarchyEncoder\"\n or v == \"android.view.OnWindowDismissedCallback\"\n or v == \"android.view.OnWindowSwipeDismissedCallback\"\n or v == \"android.view.WindowControllerCallback\"\n or v == \"android.view.InputChannel\"\n or v == \"android.view.InputEventReceiver\"\n or v == 
\"android.view.OnWindowShownListener\"\n or v == \"android.view.InternalInsetsInfo\"\n or v == \"android.view.OnComputeInternalInsetsListener\"\n or v == \"android.view.OnEnterAnimationCompleteListener\"\n or v == \"android.view.WindowManagerGlobal\"\n or v == \"android.view.textclassifier.TextClassifierConstants\"\n or v == \"android.view.textclassifier.TextClassifierImpl\"\n or v == \"android.view.textclassifier.LinksInfo\"\n or v == \"android.view.textclassifier.EntityConfidence\"\n or v == \"android.view.InputEventSender\"\n or v == \"android.view.FrameInfo\"\n or v == \"android.view.ViewRootImpl\"\n or v == \"android.view.RenderNode\"\n or v == \"android.view.animation.TranslateYAnimation\"\n or v == \"android.view.animation.ClipRectAnimation\"\n or v == \"android.view.animation.TranslateXAnimation\"\n or v == \"android.view.autofill.AutofillPopupWindow\"\n or v == \"android.view.autofill.Helper\"\n or v == \"android.view.autofill.AutofillClient\"\n or v == \"android.view.autofill.ParcelableMap\"\n or v == \"android.view.autofill.AutofillManagerInternal\"\n or v == \"android.view.RecordingCanvas\"\n or v == \"android.view.ThreadedRenderer\"\n or v == \"android.view.DisplayEventReceiver\"\n or v == \"android.view.GhostView\"\n or v == \"android.view.NotificationHeaderView\"\n or v == \"android.view.RenderNodeAnimator\"\n or v == \"android.view.WindowManagerPolicy\"\n or v == \"android.view.FinishedInputEventCallback\"\n or v == \"android.view.WindowCallbackWrapper\"\n or v == \"android.view.FallbackAction\"\n or v == \"android.view.DisplayAdjustments\"\n or v == \"android.view.AppTransitionAnimationSpec\"\n or v == \"android.view.InputEventConsistencyVerifier\"\n or v == \"android.view.KeyboardShortcutsReceiver\"\n or v == \"android.view.FallbackEventHandler\"\n or v == \"android.view.ViewReplaceRunnable\"\n or v == \"android.view.WindowCallbacks\"\n or v == \"android.view.WindowManagerImpl\"\n or v == \"android.view.RenderNodeAnimatorSetHelper\"\n or v == 
\"android.view.MagnificationSpec\"\n or v == \"android.view.DisplayListCanvas\"\n or v == \"android.view.accessibility.AccessibilityServicesStateChangeListener\"\n or v == \"android.view.accessibility.HighTextContrastChangeListener\"\n or v == \"android.view.accessibility.AccessibilityInteractionClient\"\n or v == \"android.view.accessibility.AccessibilityCache\"\n or v == \"android.view.Estimator\"\n or v == \"android.view.HierarchyHandler\"\n or v == \"android.view.DisplayInfo\"\n or v == \"android.view.HardwareLayer\"\n or v == \"android.view.SurfaceSession\"\n or v == \"android.view.BatchedInputEventReceiver\"\n or v == \"android.view.FrameMetricsObserver\"\n or v == \"android.view.FocusFinderHelper\"\n or v == \"android.view.AccessibilityIterators\"\n or v == \"android.view.TextSegmentIterator\"\n or v == \"android.view.AbstractTextSegmentIterator\"\n or v == \"android.view.SubUiVisibilityListener\"\n or v == \"android.accessibilityservice.CapabilityInfo\"\n or v == \"android.accessibilityservice.TouchPoint\"\n or v == \"android.accessibilityservice.GestureStep\"\n or v == \"android.accessibilityservice.MotionEventGenerator\"\n or v == \"android.accessibilityservice.Callbacks\"\n or v == \"android.accessibilityservice.IAccessibilityServiceClientWrapper\"\n or v == \"android.os.MyReadMapCallback\"\n or v == \"android.os.SynchronousResultReceiver\"\n or v == \"android.os.BatteryProperty\"\n or v == \"android.os.NoImagePreloadHolder\"\n or v == \"android.os.IHwInterface\"\n or v == \"android.os.PerformanceCollector\"\n or v == \"android.os.SystemVibrator\"\n or v == \"android.os.IServiceManager\"\n or v == \"android.os.HidlSupport\"\n or v == \"android.os.ServiceSpecificException\"\n or v == \"android.os.UserEnvironment\"\n or v == \"android.os.AsyncResult\"\n or v == \"android.os.PowerSaveState\"\n or v == \"android.os.Broadcaster\"\n or v == \"android.os.FactoryTest\"\n or v == \"android.os.HwParcel\"\n or v == \"android.os.IHwBinder\"\n or v == 
\"android.os.ParcelableException\"\n or v == \"android.os.ShellCommand\"\n or v == \"android.os.ServiceManager\"\n or v == \"android.os.ServiceNotFoundException\"\n or v == \"android.os.ProcessStartResult\"\n or v == \"android.os.SELinux\"\n or v == \"android.os.ReadWriteHelper\"\n or v == \"android.os.NoneVibrator\"\n or v == \"android.os.VintfObject\"\n or v == \"android.os.BatteryProperties\"\n or v == \"android.os.HwBinder\"\n or v == \"android.os.HwRemoteBinder\"\n or v == \"android.os.GraphicsEnvironment\"\n or v == \"android.os.ShellCallback\"\n or v == \"android.os.IncidentManager\"\n or v == \"android.os.FileUtils\"\n or v == \"android.os.health.HealthStatsWriter\"\n or v == \"android.os.health.HealthKeys\"\n or v == \"android.os.health.Constants\"\n or v == \"android.os.health.HealthStatsParceler\"\n or v == \"android.os.ParcelableParcel\"\n or v == \"android.os.PowerManagerInternal\"\n or v == \"android.os.Temperature\"\n or v == \"android.os.BatteryStats\"\n or v == \"android.os.ZygoteProcess\"\n or v == \"android.os.ViolationListener\"\n or v == \"android.os.StrictModeViolation\"\n or v == \"android.os.StrictModeNetworkViolation\"\n or v == \"android.os.StrictModeDiskReadViolation\"\n or v == \"android.os.StrictModeDiskWriteViolation\"\n or v == \"android.os.StrictModeCustomViolation\"\n or v == \"android.os.StrictModeResourceMismatchViolation\"\n or v == \"android.os.StrictModeUnbufferedIOViolation\"\n or v == \"android.os.Span\"\n or v == \"android.os.ViolationInfo\"\n or v == \"android.os.storage.StorageManagerInternal\"\n or v == \"android.os.storage.StorageResultCode\"\n or v == \"android.os.storage.VolumeRecord\"\n or v == \"android.os.storage.DiskInfo\"\n or v == \"android.os.storage.VolumeInfo\"\n or v == \"android.os.storage.StorageEventListener\"\n or v == \"android.os.SystemProperties\"\n or v == \"android.os.RemoteCallback\"\n or v == \"android.os.Registrant\"\n or v == \"android.os.RevocableFileDescriptor\"\n or v == 
\"android.os.UEventObserver\"\n or v == \"android.os.ServiceManagerNative\"\n or v == \"android.os.UpdateEngine\"\n or v == \"android.os.BatteryManagerInternal\"\n or v == \"android.os.UpdateLock\"\n or v == \"android.os.OneShot\"\n or v == \"android.os.Waveform\"\n or v == \"android.os.Prebaked\"\n or v == \"android.os.EnforcingUser\"\n or v == \"android.os.PooledStringReader\"\n or v == \"android.os.CommonClock\"\n or v == \"android.os.IncidentReportArgs\"\n or v == \"android.os.RemoteMailException\"\n or v == \"android.os.CommonTimeConfig\"\n or v == \"android.os.RegistrantList\"\n or v == \"android.os.HwBlob\"\n or v == \"android.os.FileBridge\"\n or v == \"android.os.UserManagerInternal\"\n or v == \"android.os.SystemService\"\n or v == \"android.os.Seccomp\"\n or v == \"android.os.VintfRuntimeInfo\"\n or v == \"android.os.UpdateEngineCallback\"\n or v == \"android.os.TransactionTracker\"\n or v == \"android.os.ConfigUpdate\"\n or v == \"android.os.PooledStringWriter\"\n or v == \"android.text.FontConfig\"\n or v == \"android.text.TextLine\"\n or v == \"android.text.PackedIntVector\"\n or v == \"android.text.PositionIterator\"\n or v == \"android.text.style.AccessibilityClickableSpan\"\n or v == \"android.text.style.SuggestionRangeSpan\"\n or v == \"android.text.style.AccessibilityURLSpan\"\n or v == \"android.text.style.SpellCheckSpan\"\n or v == \"android.text.MeasuredText\"\n or v == \"android.text.AndroidBidi\"\n or v == \"android.text.SpanSet\"\n or v == \"android.text.format.BytesResult\"\n or v == \"android.text.CharSequenceCharacterIterator\"\n or v == \"android.text.Hyphenator\"\n or v == \"android.text.Emoji\"\n or v == \"android.text.GraphicsOperations\"\n or v == \"android.text.method.TransformationMethod2\"\n or v == \"android.text.method.WordIterator\"\n or v == \"android.text.method.AllCapsTransformationMethod\"\n or v == \"android.service.oemlock.OemLockManager\"\n or v == \"android.service.notification.SnoozeCriterion\"\n or v == 
\"android.service.notification.NotificationRankingUpdate\"\n or v == \"android.service.notification.Adjustment\"\n or v == \"android.service.notification.NotificationListenerWrapper\"\n or v == \"android.service.notification.NotificationAssistantService\"\n or v == \"android.service.notification.ZenModeConfig\"\n or v == \"android.service.gatekeeper.GateKeeperResponse\"\n or v == \"android.service.euicc.GetDownloadableSubscriptionMetadataResult\"\n or v == \"android.service.euicc.GetDefaultDownloadableSubscriptionListResult\"\n or v == \"android.service.euicc.EuiccProfileInfo\"\n or v == \"android.service.euicc.GetEuiccProfileInfoListResult\"\n or v == \"android.service.euicc.EuiccService\"\n or v == \"android.service.autofill.OptionalValidators\"\n or v == \"android.service.autofill.InternalValidator\"\n or v == \"android.service.autofill.RequiredValidators\"\n or v == \"android.service.autofill.AutofillServiceInfo\"\n or v == \"android.service.autofill.ValueFinder\"\n or v == \"android.service.autofill.InternalTransformation\"\n or v == \"android.service.voice.SoundTriggerListener\"\n or v == \"android.service.voice.VoiceInteractionServiceInfo\"\n or v == \"android.service.voice.VoiceInteractionManagerInternal\"\n or v == \"android.service.persistentdata.PersistentDataBlockManager\"\n or v == \"android.service.wallpaper.WallpaperSettingsActivity\"\n or v == \"android.service.trust.TrustAgentService\"\n or v == \"android.service.dreams.Sandman\"\n or v == \"android.service.dreams.DreamManagerInternal\"\n or v == \"android.service.carrier.ICarrierServiceWrapper\"\n or v == \"android.service.carrier.MatchType\"\n or v == \"android.service.resolver.ResolverRankerService\"\n or v == \"android.service.resolver.ResolverTarget\"\n or v == \"android.companion.BluetoothDeviceFilterUtils\"\n or v == \"com.android.server.AppWidgetBackupBridge\"\n or v == \"com.android.server.net.BaseNetworkObserver\"\n or v == \"com.android.server.net.NetlinkTracker\"\n or v == 
\"com.android.server.WidgetBackupProvider\"\n or v == \"com.android.server.LocalServices\"\n or v == \"android.security.KeyStoreException\"\n or v == \"android.security.keystore.AndroidKeyStoreBCWorkaroundProvider\"\n or v == \"android.security.keystore.AndroidKeyStoreHmacSpi\"\n or v == \"android.security.keystore.AndroidKeyStoreCipherSpiBase\"\n or v == \"android.security.keystore.AndroidKeyStorePublicKey\"\n or v == \"android.security.keystore.AndroidKeyStoreSecretKey\"\n or v == \"android.security.keystore.AndroidKeyStoreECPrivateKey\"\n or v == \"android.security.keystore.AndroidKeyStoreKeyGeneratorSpi\"\n or v == \"android.security.keystore.KeyStoreCryptoOperationChunkedStreamer\"\n or v == \"android.security.keystore.Purpose\"\n or v == \"android.security.keystore.KeyAlgorithm\"\n or v == \"android.security.keystore.BlockMode\"\n or v == \"android.security.keystore.EncryptionPadding\"\n or v == \"android.security.keystore.Digest\"\n or v == \"android.security.keystore.Origin\"\n or v == \"android.security.keystore.DeviceIdAttestationException\"\n or v == \"android.security.keystore.ArrayUtils\"\n or v == \"android.security.keystore.AndroidKeyStoreRSASignatureSpi\"\n or v == \"android.security.keystore.Utils\"\n or v == \"android.security.keystore.AndroidKeyStoreSignatureSpiBase\"\n or v == \"android.security.keystore.AndroidKeyStoreRSAPrivateKey\"\n or v == \"android.security.keystore.AndroidKeyStoreRSACipherSpi\"\n or v == \"android.security.keystore.AndroidKeyStoreECDSASignatureSpi\"\n or v == \"android.security.keystore.AndroidKeyStoreKeyFactorySpi\"\n or v == \"android.security.keystore.AndroidKeyStoreAuthenticatedAESCipherSpi\"\n or v == \"android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi\"\n or v == \"android.security.keystore.AndroidKeyStoreSpi\"\n or v == \"android.security.keystore.KeyStoreCryptoOperationUtils\"\n or v == \"android.security.keystore.AttestationUtils\"\n or v == \"android.security.keystore.KeyStoreCryptoOperation\"\n or v 
== \"android.security.keystore.KeymasterUtils\"\n or v == \"android.security.keystore.AndroidKeyStoreRSAPublicKey\"\n or v == \"android.security.keystore.KeyStoreConnectException\"\n or v == \"android.security.keystore.AndroidKeyStoreECPublicKey\"\n or v == \"android.security.keystore.AndroidKeyStoreKey\"\n or v == \"android.security.keystore.AndroidKeyStoreUnauthenticatedAESCipherSpi\"\n or v == \"android.security.keystore.AndroidKeyStorePrivateKey\"\n or v == \"android.security.keystore.KeyStoreCryptoOperationStreamer\"\n or v == \"android.security.keystore.AndroidKeyStoreProvider\"\n or v == \"android.security.keystore.AndroidKeyStoreSecretKeyFactorySpi\"\n or v == \"android.security.Credentials\"\n or v == \"android.security.KeyChainConnection\"\n or v == \"android.security.GateKeeper\"\n or v == \"android.security.SystemKeyStore\"\n or v == \"android.security.KeyStore\"\n or v == \"android.net.lowpan.Builder\"\n or v == \"android.net.lowpan.LowpanProperty\"\n or v == \"android.net.lowpan.LowpanProperties\"\n or v == \"android.net.lowpan.LowpanStandardProperty\"\n or v == \"android.location.GpsMeasurementsEvent\"\n or v == \"android.location.Listener\"\n or v == \"android.location.LocalListenerHelper\"\n or v == \"android.location.Country\"\n or v == \"android.location.GpsNavigationMessage\"\n or v == \"android.location.GpsClock\"\n or v == \"android.location.GeocoderParams\"\n or v == \"android.location.FusedBatchOptions\"\n or v == \"android.location.GpsNavigationMessageEvent\"\n or v == \"android.location.Listener\"\n or v == \"android.location.BatchedLocationCallback\"\n or v == \"android.location.CountryListener\"\n or v == \"android.location.CountryDetector\"\n or v == \"android.location.Geofence\"\n or v == \"android.location.BatchedLocationCallbackTransport\"\n or v == \"android.location.GnssMeasurementCallbackTransport\"\n or v == \"android.location.LocationRequest\"\n or v == \"android.location.GpsMeasurement\"\n or v == 
\"android.location.GnssNavigationMessageCallbackTransport\"\n or v == \"javax.obex.HeaderSet\"\n or v == \"javax.obex.BaseStream\"\n or v == \"javax.obex.ClientOperation\"\n or v == \"javax.obex.ServerSession\"\n or v == \"javax.obex.Operation\"\n or v == \"javax.obex.PrivateInputStream\"\n or v == \"javax.obex.PrivateOutputStream\"\n or v == \"javax.obex.ClientSession\"\n or v == \"javax.obex.SessionNotifier\"\n or v == \"javax.obex.ApplicationParameter\"\n or v == \"javax.obex.ServerOperation\"\n or v == \"javax.obex.Authenticator\"\n or v == \"javax.obex.ResponseCodes\"\n or v == \"javax.obex.ObexHelper\"\n or v == \"javax.obex.PasswordAuthentication\"\n or v == \"javax.obex.ObexTransport\"\n or v == \"javax.obex.ServerRequestHandler\"\n or v == \"javax.obex.ObexSession\"\n or v == \"android.net.util.PacketReaderTest\"\n or v == \"android.net.util.ConnectivityPacketSummaryTest\"\n or v == \"android.testing.LayoutInflaterBuilder\"\n or v == \"androidx.media.filterfw.GLToolbox\"\n or v == \"android.security.net.config.TestCertificateSource\"\n or v == \"android.security.net.config.TestConfigSource\"\n or v == \"com.android.uiautomator.core.Tracer\"\n or v == \"com.android.uiautomator.core.AccessibilityNodeInfoDumper\"\n or v == \"com.android.uiautomator.core.UiAutomatorBridge\"\n or v == \"com.android.uiautomator.testrunner.UiAutomatorTestCaseFilter\"\n or v == \"com.android.uiautomator.testrunner.TestCaseCollector\"\n or v == \"com.android.uiautomator.testrunner.UiAutomatorTestRunner\"\n or v == \"com.android.uiautomator.core.ShellUiAutomatorBridge\"\n or v == \"com.android.uiautomator.core.UiAutomationShellWrapper\"\n or v == \"com.android.uiautomator.core.InstrumentationUiAutomatorBridge\"\n or v == \"android.renderscript.ProgramRaster\"\n or v == \"android.renderscript.ProgramVertex\"\n or v == \"android.renderscript.Builder\"\n or v == \"android.renderscript.ProgramFragmentFixedFunction\"\n or v == \"android.renderscript.RenderScriptGL\"\n or v == 
\"android.renderscript.FileA3D\"\n or v == \"android.renderscript.ProgramVertexFixedFunction\"\n or v == \"android.renderscript.ProgramFragment\"\n or v == \"android.renderscript.Font\"\n or v == \"android.renderscript.RSTextureView\"\n or v == \"android.renderscript.RSSurfaceView\"\n or v == \"android.renderscript.Program\"\n or v == \"android.renderscript.ProgramStore\"\n or v == \"android.renderscript.Mesh\"\n or v == \"android.renderscript.RenderScriptCacheDir\"\n or v == \"android.telephony.ClientRequestStats\"\n or v == \"android.telephony.TelephonyHistogram\"\n or v == \"android.telephony.ModemActivityInfo\"\n or v == \"android.telephony.PreciseDisconnectCause\"\n or v == \"android.telephony.cdma.CdmaSmsCbProgramData\"\n or v == \"android.telephony.cdma.CdmaSmsCbProgramResults\"\n or v == \"android.telephony.PreciseCallState\"\n or v == \"android.telephony.SubscriptionPlan\"\n or v == \"android.telephony.VoLteServiceState\"\n or v == \"android.telephony.DisconnectCause\"\n or v == \"android.telephony.UiccAccessRule\"\n or v == \"android.telephony.euicc.EuiccManager\"\n or v == \"android.telephony.euicc.DownloadableSubscription\"\n or v == \"android.telephony.RadioAccessFamily\"\n or v == \"android.telephony.PcoData\"\n or v == \"android.telephony.Builder\"\n or v == \"android.telephony.WifiCallingChoices\"\n or v == \"android.telephony.ims.ImsService\"\n or v == \"android.telephony.ims.stub.ImsCallSessionListenerImplBase\"\n or v == \"android.telephony.ims.feature.ImsFeature\"\n or v == \"android.telephony.CdmaBands\"\n or v == \"android.telephony.UssdResponse\"\n or v == \"android.telephony.PreciseDataConnectionState\"\n or v == \"android.provider.CarrierColumns\"\n or v == \"android.provider.WordsTable\"\n or v == \"android.provider.CellBroadcasts\"\n or v == \"android.provider.CarrierIdentification\"\n or v == \"android.telephony.data.InterfaceAddress\"\n or v == \"android.telephony.data.DataCallResponse\"\n or v == 
\"android.telephony.data.DataProfile\"\n or v == \"android.telephony.Rlog\"\n or v == \"android.telephony.ImsiEncryptionInfo\"\n or v == \"android.telephony.mbms.InternalStreamingSessionCallback\"\n or v == \"android.telephony.mbms.MbmsTempFileProvider\"\n or v == \"android.telephony.mbms.OpaqueDataContainer\"\n or v == \"android.telephony.mbms.InternalDownloadSessionCallback\"\n or v == \"android.telephony.mbms.InternalStreamingServiceCallback\"\n or v == \"android.telephony.mbms.UriPathPair\"\n or v == \"android.telephony.mbms.InternalDownloadStateCallback\"\n or v == \"android.telephony.mbms.MbmsUtils\"\n or v == \"android.telephony.mbms.vendor.MbmsDownloadServiceBase\"\n or v == \"android.telephony.mbms.vendor.MbmsStreamingServiceBase\"\n or v == \"android.telephony.mbms.vendor.VendorUtils\"\n or v == \"android.telephony.DataConnectionRealTimeInfo\"\n or v == \"android.telephony.SmsCbLocation\"\n or v == \"android.telephony.SmsCbEtwsInfo\"\n or v == \"android.telephony.SmsCbMessage\"\n or v == \"android.telephony.SmsCbCmasInfo\"\n or v == \"com.android.ims.ImsStreamMediaProfile\"\n or v == \"com.android.ims.ImsReasonInfo\"\n or v == \"com.android.ims.ImsCallForwardInfo\"\n or v == \"com.android.ims.ImsExternalCallState\"\n or v == \"com.android.ims.ImsConfig\"\n or v == \"com.android.ims.ImsException\"\n or v == \"com.android.ims.ImsCallProfile\"\n or v == \"com.android.ims.ImsSuppServiceNotification\"\n or v == \"com.android.ims.ImsUtInterface\"\n or v == \"com.android.ims.ImsConferenceState\"\n or v == \"com.android.ims.ImsSsInfo\"\n or v == \"com.android.ims.ImsSsData\"\n or v == \"com.android.settingslib.NetworkPolicyEditor\"\n or v == \"com.android.sharedstoragebackup.ObbBackupService\"\n or v == \"com.android.providers.settings.SettingsProtoDumpUtil\"\n or v == \"com.android.statementservice.retriever.AndroidPackageInfoFetcher\"\n or v == \"com.android.statementservice.retriever.URLFetcher\"\n or v == 
\"com.android.statementservice.retriever.WebContent\"\n or v == \"com.android.backupconfirm.BackupRestoreConfirmation\"\n or v == \"com.android.proxyhandler.ProxyServer\"\n or v == \"com.android.proxyhandler.SocketConnect\"\n or v == \"com.android.proxyhandler.ProxyService\"\n or v == \"com.android.pacprocessor.PacNative\"\n or v == \"com.android.systemui.media.NotificationPlayer\"\n or v == \"junit.runner.TestRunListener\"\n or v == \"junit.runner.StandardTestSuiteLoader\"\n or v == \"android.test.LaunchPerformanceBase\"\n or v == \"android.test.NoExecTestResult\"\n or v == \"android.test.ClassPathPackageInfoSource\"\n or v == \"android.test.TestPrinter\"\n or v == \"android.test.suitebuilder.UnitTestSuiteBuilder\"\n or v == \"android.test.suitebuilder.TestGrouping\"\n or v == \"android.test.suitebuilder.TestPredicates\"\n or v == \"android.test.suitebuilder.SmokeTestSuiteBuilder\"\n or v == \"android.test.TestCaseUtil\"\n or v == \"android.test.mock.MockIContentProvider\"\n or v == \"android.telecom.TimedEvent\"\n or v == \"android.telecom.DefaultDialerManager\"\n or v == \"android.telecom.ParcelableRttCall\"\n or v == \"android.telecom.AudioState\"\n or v == \"android.telecom.Phone\"\n or v == \"android.telecom.ParcelableCallAnalytics\"\n or v == \"android.telecom.VideoEvent\"\n or v == \"android.telecom.TelecomAnalytics\"\n or v == \"android.telecom.CallbackRecord\"\n or v == \"android.telecom.Response\"\n or v == \"android.telecom.VideoCallImpl\"\n or v == \"android.telecom.ConnectionServiceAdapter\"\n or v == \"android.telecom.Builder\"\n or v == \"android.telecom.RemoteConnectionService\"\n or v == \"android.telecom.AuthenticatorService\"\n or v == \"android.telecom.Listener\"\n or v == \"android.telecom.ConferenceParticipant\"\n or v == \"android.telecom.ParcelableConnection\"\n or v == \"android.telecom.ParcelableCall\"\n or v == \"android.telecom.Log\"\n or v == \"android.telecom.Listener\"\n or v == \"android.telecom.RttTextStream\"\n or v == 
\"android.telecom.RemoteConnectionManager\"\n or v == \"android.telecom.ParcelableConference\"\n or v == \"android.telecom.Voicemail\"\n or v == \"android.telecom.ConnectionServiceAdapterServant\"\n or v == \"android.telecom.VideoCallbackServant\"\n or v == \"android.telecom.Listener\"\n or v == \"android.telecom.Logging.TimedEvent\"\n or v == \"android.telecom.Logging.Runnable\"\n or v == \"android.telecom.Logging.Session\"\n or v == \"android.telecom.InCallAdapter\"\n or v == \"android.graphics.GraphicBuffer\"\n or v == \"android.graphics.CanvasProperty\"\n or v == \"android.graphics.drawable.AnimatedRotateDrawable\"\n or v == \"android.graphics.drawable.VectorDrawableAnimatorRT\"\n or v == \"android.graphics.drawable.DrawableInflater\"\n or v == \"android.graphics.Insets\"\n or v == \"android.graphics.BaseCanvas\"\n or v == \"android.graphics.pdf.PdfEditor\"\n or v == \"android.graphics.Renderer\"\n or v == \"android.graphics.LeakyTypefaceStorage\"\n or v == \"android.graphics.TemporaryBuffer\"\n or v == \"android.graphics.InsetStruct\"\n or v == \"android.graphics.LargeBitmap\"\n or v == \"android.graphics.FontListParser\"\n or v == \"android.graphics.FontFamily\"\n or v == \"android.graphics.TableMaskFilter\"\n or v == \"android.net.util.NetworkConstants\"\n or v == \"android.net.util.Stopwatch\"\n or v == \"android.net.util.PrefixUtils\"\n or v == \"android.net.util.NetdService\"\n or v == \"android.net.util.IpUtils\"\n or v == \"android.net.util.VersionedBroadcastListener\"\n or v == \"android.net.util.SharedLog\"\n or v == \"android.net.util.ConnectivityPacketSummary\"\n or v == \"android.net.util.MultinetworkPolicyTracker\"\n or v == \"android.net.util.PacketReader\"\n or v == \"android.net.netlink.StructNlMsgHdr\"\n or v == \"android.net.netlink.StructNdMsg\"\n or v == \"android.net.netlink.StructNlMsgErr\"\n or v == \"android.net.netlink.NetlinkSocket\"\n or v == \"android.net.netlink.StructNlAttr\"\n or v == \"android.net.netlink.NetlinkMessage\"\n or v 
== \"android.net.netlink.ConntrackMessage\"\n or v == \"android.net.netlink.StructNfGenMsg\"\n or v == \"android.net.netlink.StructNdaCacheInfo\"\n or v == \"android.net.netlink.NetlinkConstants\"\n or v == \"android.net.netlink.NetlinkErrorMessage\"\n or v == \"android.net.netlink.RtNetlinkNeighborMessage\"\n or v == \"android.net.apf.ApfGenerator\"\n or v == \"android.net.apf.ApfCapabilities\"\n or v == \"android.net.apf.ApfFilter\"\n or v == \"android.net.dhcp.DhcpClient\"\n or v == \"android.net.dhcp.DhcpPacket\"\n or v == \"android.net.ip.IpReachabilityMonitor\"\n or v == \"android.net.ip.InterfaceController\"\n or v == \"android.net.ip.IpClient\"\n or v == \"android.net.ip.IpNeighborMonitor\"\n or v == \"android.net.ip.RouterAdvertisementDaemon\"\n or v == \"android.net.ip.ConnectivityPacketTracker\"\n or v == \"com.android.server.pm.PackageManagerServiceUtils\"\n or v == \"com.android.server.pm.BackgroundDexOptService\"\n or v == \"com.android.server.pm.InstructionSets\"\n or v == \"com.android.server.pm.EphemeralResolverConnection\"\n or v == \"com.android.server.pm.SELinuxMMAC\"\n or v == \"com.android.server.pm.OtaDexoptService\"\n or v == \"com.android.server.pm.InstantAppResolver\"\n or v == \"com.android.server.pm.PackageManagerException\"\n or v == \"com.android.server.vr.SettingsObserver\"\n or v == \"com.android.server.vr.VrManagerInternal\"\n or v == \"com.android.server.vr.EnabledComponentsObserver\"\n or v == \"com.android.server.vr.VrManagerService\"\n or v == \"com.android.server.vr.VrStateListener\"\n or v == \"com.android.server.webkit.SystemInterface\"\n or v == \"com.android.server.webkit.WebViewUpdateService\"\n or v == \"com.android.server.webkit.SystemImpl\"\n or v == \"com.android.server.webkit.WebViewUpdateServiceImpl\"\n or v == \"com.android.server.net.NetworkPolicyManagerInternal\"\n or v == \"com.android.server.net.NetworkIdentitySet\"\n or v == \"com.android.server.fingerprint.FingerprintService\"\n or v == 
\"com.android.server.am.BackupRecord\"\n or v == \"com.android.server.GraphicsStatsService\"\n or v == \"com.android.server.connectivity.Vpn\"\n or v == \"com.android.server.connectivity.IpConnectivityMetrics\"\n or v == \"com.android.server.connectivity.tethering.TetheringConfiguration\"\n or v == \"com.android.server.connectivity.tethering.OffloadHardwareInterface\"\n or v == \"com.android.server.connectivity.tethering.OffloadController\"\n or v == \"com.android.server.connectivity.tethering.TetherInterfaceStateMachine\"\n or v == \"com.android.server.connectivity.tethering.UpstreamNetworkMonitor\"\n or v == \"com.android.server.connectivity.tethering.SimChangeListener\"\n or v == \"com.android.server.connectivity.tethering.IPv6TetheringCoordinator\"\n or v == \"com.android.server.connectivity.tethering.TetheringDependencies\"\n or v == \"com.android.server.connectivity.tethering.IControlsTethering\"\n or v == \"com.android.server.connectivity.PacManager\"\n or v == \"com.android.server.connectivity.NetworkMonitor\"\n or v == \"com.android.server.connectivity.CaptivePortalProbeResult\"\n or v == \"com.android.server.connectivity.IpConnectivityEventBuilder\"\n or v == \"com.android.server.connectivity.NetworkDiagnostics\"\n or v == \"com.android.server.connectivity.Tethering\"\n or v == \"com.android.server.connectivity.PermissionMonitor\"\n or v == \"com.android.server.connectivity.KeepalivePacketData\"\n or v == \"com.android.server.connectivity.DefaultNetworkMetrics\"\n or v == \"com.android.server.connectivity.Nat464Xlat\"\n or v == \"com.android.server.security.KeyAttestationApplicationIdProviderService\"\n or v == \"com.android.server.input.InputWindowHandle\"\n or v == \"com.android.server.input.InputApplicationHandle\"\n or v == \"com.android.server.notification.NotificationManagerService\"\n or v == \"com.android.server.notification.NotificationUsageStats\"\n or v == \"com.android.server.notification.RateEstimator\"\n or v == 
\"com.android.server.notification.AlertRateLimiter\"\n or v == \"com.android.server.notification.NotificationRecord\"\n or v == \"com.android.server.notification.ValidateNotificationPeople\"\n or v == \"com.android.server.notification.RankingReconsideration\"\n or v == \"com.android.server.camera.CameraServiceProxy\"\n or v == \"com.android.server.location.PassiveProvider\"\n or v == \"com.android.server.location.ActivityRecognitionProxy\"\n or v == \"com.android.server.location.CountryDetectorBase\"\n or v == \"com.android.server.location.GnssLocationProvider\"\n or v == \"com.android.server.location.ContextHubService\"\n or v == \"com.android.server.location.FusedProxy\"\n or v == \"com.android.server.location.GeofenceProxy\"\n or v == \"com.android.server.location.GnssNavigationMessageProvider\"\n or v == \"com.android.server.location.LocationProviderInterface\"\n or v == \"com.android.server.location.GpsXtraDownloader\"\n or v == \"com.android.server.location.FusedLocationHardwareSecure\"\n or v == \"com.android.server.location.FlpHardwareProvider\"\n or v == \"com.android.server.location.GnssMeasurementsProvider\"\n or v == \"com.android.server.location.LocationBasedCountryDetector\"\n or v == \"com.android.server.location.ComprehensiveCountryDetector\"\n or v == \"com.android.server.location.MockProvider\"\n or v == \"com.android.server.wm.WindowManagerService\"\n or v == \"com.android.server.wm.animation.ClipRectLRAnimation\"\n or v == \"com.android.server.wm.ViewServer\"\n or v == \"com.android.server.SystemServiceManager\"\n or v == \"com.android.server.content.SyncStorageEngine\"\n or v == \"com.android.server.content.SyncManager\"\n or v == \"com.android.server.content.ActiveSyncContext\"\n or v == \"com.android.server.content.ContentService\"\n or v == \"com.android.server.content.ObserverCall\"\n or v == \"com.android.server.content.ObserverNode\"\n or v == \"com.android.server.content.SyncOperation\"\n or v == 
\"com.android.server.utils.ManagedApplicationService\"\n or v == \"com.android.server.utils.PriorityDump\"\n or v == \"com.android.server.utils.PriorityDumper\"\n or v == \"com.android.server.NetworkManagementService\"\n or v == \"com.android.server.tv.TvInputHardwareManager\"\n or v == \"com.android.server.IpSecService\"\n or v == \"com.android.server.ConnectivityService\"\n or v == \"com.android.server.audio.MediaFocusControl\"\n or v == \"com.android.server.audio.FocusRequester\"\n or v == \"com.android.server.audio.AudioService\"\n or v == \"com.android.server.telecom.TelecomLoaderService\"\n or v == \"com.android.server.NetworkScorerAppManager\"\n or v == \"com.android.server.CountryDetectorService\"\n or v == \"com.android.server.accounts.AccountManagerService\"\n or v == \"com.android.server.accounts.IAccountAuthenticatorCache\"\n or v == \"com.android.server.job.JobSchedulerService\"\n or v == \"com.android.server.job.JobSchedulerInternal\"\n or v == \"com.android.server.job.controllers.JobStatus\"\n or v == \"com.android.server.RescueParty\"\n or v == \"com.android.server.NsdService\"\n or v == \"com.android.server.os.SchedulingPolicyService\"\n or v == \"com.android.server.SystemServerInitThreadPool\"\n or v == \"com.android.server.NetworkScoreService\"\n or v == \"com.android.server.locksettings.LockSettingsService\"\n or v == \"com.android.server.dreams.DreamManagerService\"\n or v == \"com.android.server.IntentResolver\"\n or v == \"com.android.server.GestureLauncherService\"\n or v == \"com.android.server.SystemService\"\n or v == \"com.android.server.NetworkManagementInternal\"\n or v == \"com.android.server.policy.keyguard.KeyguardStateMonitor\"\n or v == \"com.android.server.CommonTimeManagementService\"\n or v == \"com.android.server.soundtrigger.SoundTriggerService\"\n or v == \"com.android.server.soundtrigger.SoundTriggerHelper\"\n or v == \"com.android.server.soundtrigger.SoundTriggerDbHelper\"\n or v == 
\"com.android.server.voiceinteraction.DatabaseHelper\"\n or v == \"com.android.server.usb.descriptors.UsbTerminalTypes\"\n or v == \"com.android.server.usb.descriptors.tree.UsbDescriptorsEndpointNode\"\n or v == \"com.android.server.usb.descriptors.tree.UsbDescriptorsACInterfaceNode\"\n or v == \"com.android.server.usb.descriptors.tree.UsbDescriptorsTreeNode\"\n or v == \"com.android.server.usb.descriptors.tree.UsbDescriptorsTree\"\n or v == \"com.android.server.usb.descriptors.tree.UsbDescriptorsInterfaceNode\"\n or v == \"com.android.server.usb.descriptors.tree.UsbDescriptorsDeviceNode\"\n or v == \"com.android.server.usb.descriptors.tree.UsbDescriptorsConfigNode\"\n or v == \"com.android.server.usb.descriptors.UsbACAudioStreamEndpoint\"\n or v == \"com.android.server.usb.descriptors.UsbBinaryParser\"\n or v == \"com.android.server.usb.descriptors.Usb10ASFormatI\"\n or v == \"com.android.server.usb.descriptors.UsbACAudioControlEndpoint\"\n or v == \"com.android.server.usb.descriptors.UsbConfigDescriptor\"\n or v == \"com.android.server.usb.descriptors.Usb20ACMixerUnit\"\n or v == \"com.android.server.usb.descriptors.UsbMSMidiInputJack\"\n or v == \"com.android.server.usb.descriptors.Usb20ACInputTerminal\"\n or v == \"com.android.server.usb.descriptors.UsbACInterface\"\n or v == \"com.android.server.usb.descriptors.Usb10ACOutputTerminal\"\n or v == \"com.android.server.usb.descriptors.UsbDeviceDescriptor\"\n or v == \"com.android.server.usb.descriptors.Usb10ACHeader\"\n or v == \"com.android.server.usb.descriptors.UsbInterfaceAssoc\"\n or v == \"com.android.server.usb.descriptors.UsbHIDDescriptor\"\n or v == \"com.android.server.usb.descriptors.UsbMSMidiOutputJack\"\n or v == \"com.android.server.usb.descriptors.Usb20ASFormatI\"\n or v == \"com.android.server.usb.descriptors.Usb10ASFormatII\"\n or v == \"com.android.server.usb.descriptors.UsbMSMidiHeader\"\n or v == \"com.android.server.usb.descriptors.Usb20ASFormatIII\"\n or v == 
\"com.android.server.usb.descriptors.UsbACFeatureUnit\"\n or v == \"com.android.server.usb.descriptors.UsbASFormat\"\n or v == \"com.android.server.usb.descriptors.UsbACEndpoint\"\n or v == \"com.android.server.usb.descriptors.UsbUnknown\"\n or v == \"com.android.server.usb.descriptors.Usb20ACHeader\"\n or v == \"com.android.server.usb.descriptors.UsbInterfaceDescriptor\"\n or v == \"com.android.server.usb.descriptors.UsbDescriptor\"\n or v == \"com.android.server.usb.descriptors.UsbACSelectorUnit\"\n or v == \"com.android.server.usb.descriptors.UsbACHeaderInterface\"\n or v == \"com.android.server.usb.descriptors.UsbEndpointDescriptor\"\n or v == \"com.android.server.usb.descriptors.report.TextReportCanvas\"\n or v == \"com.android.server.usb.descriptors.report.Reporting\"\n or v == \"com.android.server.usb.descriptors.report.ReportCanvas\"\n or v == \"com.android.server.usb.descriptors.report.UsbStrings\"\n or v == \"com.android.server.usb.descriptors.report.HTMLReportCanvas\"\n or v == \"com.android.server.usb.descriptors.Usb10ACInputTerminal\"\n or v == \"com.android.server.usb.descriptors.UsbDescriptorParser\"\n or v == \"com.android.server.usb.descriptors.Usb10ASGeneral\"\n or v == \"com.android.server.usb.descriptors.ByteStream\"\n or v == \"com.android.server.usb.descriptors.UsbACMidiEndpoint\"\n or v == \"com.android.server.usb.descriptors.Usb20ASFormatIIEx\"\n or v == \"com.android.server.usb.descriptors.Usb10ACMixerUnit\"\n or v == \"com.android.server.usb.descriptors.Usb20ASFormatII\"\n or v == \"com.android.server.usb.descriptors.Usb20ACOutputTerminal\"\n or v == \"com.android.server.usb.descriptors.UsbACTerminal\"\n or v == \"com.android.server.usb.descriptors.UsbACInterfaceUnparsed\"\n or v == \"com.android.server.accessibility.TouchExplorer\"\n or v == \"com.android.server.coverage.CoverageService\"\n or v == \"com.android.server.companion.CompanionDeviceManagerService\"\n or v == \"android.opengl.GLWallpaperService\"\n or v == 
\"android.mtp.MtpDatabase\"\n or v == \"android.mtp.MtpServer\"\n or v == \"android.mtp.MtpStorage\"\n or v == \"android.media.PlayerProxy\"\n or v == \"android.media.MediaScanner\"\n or v == \"android.media.MediaTimeProvider\"\n or v == \"android.media.OnMediaTimeListener\"\n or v == \"android.media.soundtrigger.SoundTriggerDetector\"\n or v == \"android.media.soundtrigger.RecognitionCallback\"\n or v == \"android.media.soundtrigger.SoundTriggerManager\"\n or v == \"android.media.audiofx.OnParameterChangeListener\"\n or v == \"android.media.audiofx.Settings\"\n or v == \"android.media.audiofx.OnServerDiedListener\"\n or v == \"android.media.audiofx.OnParameterChangeListener\"\n or v == \"android.media.MediaFile\"\n or v == \"android.media.PlayerDeathMonitor\"\n or v == \"android.media.RemoteDisplay\"\n or v == \"android.media.AudioPort\"\n or v == \"android.media.SRTRenderer\"\n or v == \"android.media.MiniThumbFile\"\n or v == \"android.media.midi.MidiDeviceServer\"\n or v == \"android.media.TtmlRenderer\"\n or v == \"android.media.TtmlUtils\"\n or v == \"android.media.TtmlCue\"\n or v == \"android.media.TtmlNode\"\n or v == \"android.media.TtmlParser\"\n or v == \"android.media.TtmlNodeListener\"\n or v == \"android.media.TtmlTrack\"\n or v == \"android.media.TtmlRenderingWidget\"\n or v == \"android.media.audiopolicy.AudioPolicyConfig\"\n or v == \"android.media.audiopolicy.AudioMixingRule\"\n or v == \"android.media.audiopolicy.AudioMix\"\n or v == \"android.media.audiopolicy.AudioPolicy\"\n or v == \"android.media.Callback\"\n or v == \"android.media.MediaHTTPConnection\"\n or v == \"android.media.DecoderCapabilities\"\n or v == \"android.media.OnSubtitleDataListener\"\n or v == \"android.media.TimeProvider\"\n or v == \"android.media.MediaHTTPService\"\n or v == \"android.media.AudioManagerInternal\"\n or v == \"android.media.MediaScannerClient\"\n or v == \"android.media.SubtitleTrack\"\n or v == \"android.media.CueList\"\n or v == \"android.media.Cue\"\n 
or v == \"android.media.Run\"\n or v == \"android.media.VolumePolicy\"\n or v == \"android.media.tv.ProgramColumns\"\n or v == \"android.media.tv.PreviewProgramColumns\"\n or v == \"android.media.tv.WatchedPrograms\"\n or v == \"android.media.tv.TvStreamConfig\"\n or v == \"android.media.tv.TvInputSettings\"\n or v == \"android.media.tv.ITvInputSessionWrapper\"\n or v == \"android.media.tv.DvbDeviceInfo\"\n or v == \"android.media.tv.TvInputHardwareInfo\"\n or v == \"android.media.tv.SessionCallback\"\n or v == \"android.media.tv.HardwareCallback\"\n or v == \"android.media.tv.Session\"\n or v == \"android.media.tv.FinishedInputEventCallback\"\n or v == \"android.media.tv.Hardware\"\n or v == \"android.media.tv.TvContentRatingSystemInfo\"\n or v == \"android.media.BufferingParams\"\n or v == \"android.media.Cea708CaptionRenderer\"\n or v == \"android.media.Cea708CaptionTrack\"\n or v == \"android.media.Cea708CCParser\"\n or v == \"android.media.Const\"\n or v == \"android.media.CaptionColor\"\n or v == \"android.media.CaptionEvent\"\n or v == \"android.media.CaptionPenAttr\"\n or v == \"android.media.CaptionPenColor\"\n or v == \"android.media.CaptionPenLocation\"\n or v == \"android.media.CaptionWindowAttr\"\n or v == \"android.media.CaptionWindow\"\n or v == \"android.media.Cea708CCWidget\"\n or v == \"android.media.ScaledLayout\"\n or v == \"android.media.ScaledLayoutParams\"\n or v == \"android.media.CCLayout\"\n or v == \"android.media.CCHandler\"\n or v == \"android.media.CCWindowLayout\"\n or v == \"android.media.CCView\"\n or v == \"android.media.EncoderCapabilities\"\n or v == \"android.media.AudioFocusInfo\"\n or v == \"android.media.AudioGainConfig\"\n or v == \"android.media.RemoteDisplayState\"\n or v == \"android.media.AudioGain\"\n or v == \"android.media.AmrInputStream\"\n or v == \"android.media.ExternalRingtonesCursorWrapper\"\n or v == \"android.media.WebVttRenderer\"\n or v == \"android.media.TextTrackCueSpan\"\n or v == 
\"android.media.UnstyledTextExtractor\"\n or v == \"android.media.Tokenizer\"\n or v == \"android.media.TextTrackRegion\"\n or v == \"android.media.TextTrackCue\"\n or v == \"android.media.WebVttParser\"\n or v == \"android.media.WebVttCueListener\"\n or v == \"android.media.WebVttTrack\"\n or v == \"android.media.WebVttRenderingWidget\"\n or v == \"android.media.SubtitleController\"\n or v == \"android.media.AudioSystem\"\n or v == \"android.media.Metadata\"\n or v == \"android.media.AudioRoutesInfo\"\n or v == \"android.media.PlayerBase\"\n or v == \"android.media.CharPos\"\n or v == \"android.media.Justification\"\n or v == \"android.media.Style\"\n or v == \"android.media.Font\"\n or v == \"android.media.Karaoke\"\n or v == \"android.media.HyperText\"\n or v == \"android.media.browse.MediaBrowserUtils\"\n or v == \"android.media.Builder\"\n or v == \"android.media.State\"\n or v == \"android.media.MediaInserter\"\n or v == \"android.media.ClosedCaptionRenderer\"\n or v == \"android.media.Cea608CaptionTrack\"\n or v == \"android.media.ClosedCaptionWidget\"\n or v == \"android.media.ClosedCaptionLayout\"\n or v == \"android.media.Cea608CCParser\"\n or v == \"android.media.MutableBackgroundColorSpan\"\n or v == \"android.media.Cea608CCWidget\"\n or v == \"android.media.MediaRouterClientState\"\n or v == \"android.media.ResampleInputStream\"\n or v == \"android.media.OnAudioPortUpdateListener\"\n or v == \"android.media.CertificateRequest\"\n or v == \"android.media.Certificate\"\n or v == \"android.media.AudioPatch\"\n or v == \"android.media.MediaImage\"\n or v == \"android.media.SubtitleData\"\n or v == \"android.media.projection.Callback\"\n or v == \"android.media.projection.CallbackDelegate\"\n or v == \"android.media.projection.MediaProjectionInfo\"\n or v == \"android.media.session.OnVolumeKeyLongPressListener\"\n or v == \"android.media.session.OnMediaKeyListener\"\n or v == \"android.media.session.Callback\"\n or v == 
\"android.media.session.MediaSessionLegacyHelper\"\n or v == \"android.media.session.ParcelableVolumeInfo\"\n or v == \"android.media.session.CallbackStub\"\n or v == \"android.media.effect.FilterEffect\"\n or v == \"android.media.effect.FilterGraphEffect\"\n or v == \"android.media.effect.SingleFilterEffect\"\n or v == \"android.media.effect.effects.BrightnessEffect\"\n or v == \"android.media.effect.effects.BitmapOverlayEffect\"\n or v == \"android.media.effect.effects.DuotoneEffect\"\n or v == \"android.media.effect.effects.SharpenEffect\"\n or v == \"android.media.effect.effects.ColorTemperatureEffect\"\n or v == \"android.media.effect.effects.LomoishEffect\"\n or v == \"android.media.effect.effects.SepiaEffect\"\n or v == \"android.media.effect.effects.FlipEffect\"\n or v == \"android.media.effect.effects.VignetteEffect\"\n or v == \"android.media.effect.effects.AutoFixEffect\"\n or v == \"android.media.effect.effects.RotateEffect\"\n or v == \"android.media.effect.effects.SaturateEffect\"\n or v == \"android.media.effect.effects.CrossProcessEffect\"\n or v == \"android.media.effect.effects.BackDropperEffect\"\n or v == \"android.media.effect.effects.TintEffect\"\n or v == \"android.media.effect.effects.PosterizeEffect\"\n or v == \"android.media.effect.effects.GrayscaleEffect\"\n or v == \"android.media.effect.effects.RedEyeEffect\"\n or v == \"android.media.effect.effects.DocumentaryEffect\"\n or v == \"android.media.effect.effects.IdentityEffect\"\n or v == \"android.media.effect.effects.FisheyeEffect\"\n or v == \"android.media.effect.effects.ContrastEffect\"\n or v == \"android.media.effect.effects.StraightenEffect\"\n or v == \"android.media.effect.effects.FillLightEffect\"\n or v == \"android.media.effect.effects.GrainEffect\"\n or v == \"android.media.effect.effects.BlackWhiteEffect\"\n or v == \"android.media.effect.effects.NegativeEffect\"\n or v == \"android.media.effect.SizeChangeEffect\"\n or v == \"android.filterpacks.ui.SurfaceTargetFilter\"\n 
or v == \"android.filterpacks.ui.SurfaceRenderFilter\"\n or v == \"android.filterpacks.videosrc.MediaSource\"\n or v == \"android.filterpacks.videosrc.CameraSource\"\n or v == \"android.filterpacks.videosrc.SurfaceTextureSource\"\n or v == \"android.filterpacks.videosrc.SurfaceTextureTarget\"\n or v == \"android.filterpacks.videosink.MediaEncoderFilter\"\n or v == \"android.filterpacks.videosink.MediaRecorderStopException\"\n or v == \"android.filterpacks.numeric.SinWaveFilter\"\n or v == \"android.filterpacks.imageproc.ContrastFilter\"\n or v == \"android.filterpacks.imageproc.StraightenFilter\"\n or v == \"android.filterpacks.imageproc.DrawRectFilter\"\n or v == \"android.filterpacks.imageproc.CropRectFilter\"\n or v == \"android.filterpacks.imageproc.ToGrayFilter\"\n or v == \"android.filterpacks.imageproc.AlphaBlendFilter\"\n or v == \"android.filterpacks.imageproc.CropFilter\"\n or v == \"android.filterpacks.imageproc.ImageCombineFilter\"\n or v == \"android.filterpacks.imageproc.RedEyeFilter\"\n or v == \"android.filterpacks.imageproc.ToRGBFilter\"\n or v == \"android.filterpacks.imageproc.SimpleImageFilter\"\n or v == \"android.filterpacks.imageproc.FisheyeFilter\"\n or v == \"android.filterpacks.imageproc.ResizeFilter\"\n or v == \"android.filterpacks.imageproc.FixedRotationFilter\"\n or v == \"android.filterpacks.imageproc.BlendFilter\"\n or v == \"android.filterpacks.imageproc.ToRGBAFilter\"\n or v == \"android.filterpacks.imageproc.DrawOverlayFilter\"\n or v == \"android.filterpacks.imageproc.BitmapSource\"\n or v == \"android.filterpacks.imageproc.ImageEncoder\"\n or v == \"android.filterpacks.imageproc.ToPackedGrayFilter\"\n or v == \"android.filterpacks.imageproc.RotateFilter\"\n or v == \"android.filterpacks.imageproc.BrightnessFilter\"\n or v == \"android.filterpacks.imageproc.BitmapOverlayFilter\"\n or v == \"android.filterpacks.imageproc.Invert\"\n or v == \"android.filterpacks.imageproc.FlipFilter\"\n or v == 
\"android.filterpacks.text.ToUpperCase\"\n or v == \"android.filterpacks.text.StringSource\"\n or v == \"android.filterpacks.text.StringLogger\"\n or v == \"android.filterpacks.performance.ThroughputFilter\"\n or v == \"android.filterpacks.performance.Throughput\"\n or v == \"android.filterpacks.base.CallbackFilter\"\n or v == \"android.filterpacks.base.NoneFilter\"\n or v == \"android.filterpacks.base.GLTextureSource\"\n or v == \"android.filterpacks.base.FrameBranch\"\n or v == \"android.filterpacks.base.RetargetFilter\"\n or v == \"android.filterpacks.base.GLTextureTarget\"\n or v == \"android.filterpacks.base.FrameFetch\"\n or v == \"android.filterpacks.base.ObjectSource\"\n or v == \"android.filterpacks.base.FrameSource\"\n or v == \"android.filterpacks.base.OutputStreamTarget\"\n or v == \"android.filterpacks.base.InputStreamSource\"\n or v == \"android.filterpacks.base.FrameStore\"\n or v == \"android.filterpacks.videoproc.BackDropperFilter\"\n or v == \"android.filterfw.core.FilterSurfaceView\"\n or v == \"android.filterfw.core.InputPort\"\n or v == \"android.filterfw.core.FieldPort\"\n or v == \"android.filterfw.core.StreamPort\"\n or v == \"android.filterfw.core.FilterContext\"\n or v == \"android.filterfw.core.GLFrame\"\n or v == \"android.filterfw.core.SimpleFrame\"\n or v == \"android.filterfw.core.FilterFactory\"\n or v == \"android.filterfw.core.VertexFrame\"\n or v == \"android.filterfw.core.GraphRunner\"\n or v == \"android.filterfw.core.ProgramPort\"\n or v == \"android.filterfw.core.ShaderProgram\"\n or v == \"android.filterfw.core.NativeAllocatorTag\"\n or v == \"android.filterfw.core.Frame\"\n or v == \"android.filterfw.core.Scheduler\"\n or v == \"android.filterfw.core.SimpleFrameManager\"\n or v == \"android.filterfw.core.KeyValueMap\"\n or v == \"android.filterfw.core.ProgramVariable\"\n or v == \"android.filterfw.core.FinalPort\"\n or v == \"android.filterfw.core.FilterGraph\"\n or v == \"android.filterfw.core.CachedFrameManager\"\n or v == 
\"android.filterfw.core.RandomScheduler\"\n or v == \"android.filterfw.core.FilterPort\"\n or v == \"android.filterfw.core.MutableFrameFormat\"\n or v == \"android.filterfw.core.FrameManager\"\n or v == \"android.filterfw.core.NativeFrame\"\n or v == \"android.filterfw.core.FilterFunction\"\n or v == \"android.filterfw.core.AsyncRunner\"\n or v == \"android.filterfw.core.ProtocolException\"\n or v == \"android.filterfw.core.FrameFormat\"\n or v == \"android.filterfw.core.NativeBuffer\"\n or v == \"android.filterfw.core.Program\"\n or v == \"android.filterfw.core.RoundRobinScheduler\"\n or v == \"android.filterfw.core.GLEnvironment\"\n or v == \"android.filterfw.core.StopWatch\"\n or v == \"android.filterfw.core.SerializedFrame\"\n or v == \"android.filterfw.core.OneShotScheduler\"\n or v == \"android.filterfw.core.NativeProgram\"\n or v == \"android.filterfw.core.SimpleScheduler\"\n or v == \"android.filterfw.core.Filter\"\n or v == \"android.filterfw.core.OutputPort\"\n or v == \"android.filterfw.core.SyncRunner\"\n or v == \"android.filterfw.io.GraphReader\"\n or v == \"android.filterfw.io.GraphIOException\"\n or v == \"android.filterfw.io.TextGraphReader\"\n or v == \"android.filterfw.io.PatternScanner\"\n or v == \"android.filterfw.GraphEnvironment\"\n or v == \"android.filterfw.MffEnvironment\"\n or v == \"android.filterfw.FilterFunctionEnvironment\"\n or v == \"android.filterfw.format.PrimitiveFormat\"\n or v == \"android.filterfw.format.ObjectFormat\"\n or v == \"android.filterfw.format.ImageFormat\"\n or v == \"android.filterfw.geometry.Quad\"\n or v == \"android.filterfw.geometry.Point\"\n or v == \"android.filterfw.geometry.Rectangle\"\n ]\n )\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Password Management",
- "vuln_subcategory": "Empty Password",
- "predicate": "\n FunctionCall:\n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class: name == 
\"java.net.PasswordAuthentication\"]\n ]\n and ( \n arguments[1] is [FunctionCall:\n function is [Function:\n name == \"toCharArray\"\n and enclosingClass.supers contains [Class: name == \"java.lang.String\"]\n ]\n and not instance.constantValue.None\n and instance.constantValue == \"\"\n ]\n or arguments[1] is [VariableAccess:\n variable is [Variable:\n uses contains [VariableAccess va:\n enclosingStatement is [AssignmentStatement:\n lhs is va\n and rhs is [FunctionCall:\n function is [Function:\n name == \"toCharArray\"\n and enclosingClass.supers contains [Class: name == \"java.lang.String\"]\n ]\n and not instance.constantValue.None\n and instance.constantValue == \"\"\n ]*\n ]\n ]\n ]\n ]\n or arguments[1] is [FieldAccess:\n field is [Field f:\n enclosingClass.functions contains [Function:\n contains [AssignmentStatement:\n lhs is [FieldAccess: field is f] \n and rhs is [FunctionCall:\n function is [Function:\n name == \"toCharArray\"\n and enclosingClass.supers contains [Class: name == \"java.lang.String\"]\n ]\n and not instance.constantValue.None\n and instance.constantValue == \"\"\n ]*\n ]\n ]\n ]\n ]\n )\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Password Management",
- "vuln_subcategory": "Hardcoded Password",
- "predicate": "\n FunctionCall:\n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class: name == \"java.net.PasswordAuthentication\"]\n ]\n and ( \n arguments[1] is [FunctionCall:\n function is [Function:\n name == \"toCharArray\"\n and enclosingClass.supers contains [Class: name == \"java.lang.String\"]\n ]\n and not instance.constantValue.None\n and not instance.constantValue is [None:]\n and not instance.constantValue == \"\"\n ]\n or arguments[1] is [VariableAccess:\n variable is [Variable:\n uses contains [VariableAccess va:\n enclosingStatement is [AssignmentStatement:\n lhs is va\n and rhs is [FunctionCall:\n function is [Function:\n name 
== \"toCharArray\"\n and enclosingClass.supers contains [Class: name == \"java.lang.String\"]\n ]\n and not instance.constantValue.None\n and not instance.constantValue is [None:]\n and not instance.constantValue == \"\"\n ]*\n ]\n ]\n ]\n ]\n or arguments[1] is [FieldAccess:\n field is [Field f:\n enclosingClass.functions contains [Function:\n contains [AssignmentStatement:\n lhs is [FieldAccess: field is f] \n and rhs is [FunctionCall:\n function is [Function:\n name == \"toCharArray\"\n and enclosingClass.supers contains [Class: name == \"java.lang.String\"]\n ]\n and not instance.constantValue.None\n and not instance.constantValue is [None:]\n and not instance.constantValue == \"\"\n ]*\n ]\n ]\n ]\n ]\n )\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Insecure SSL",
- "vuln_subcategory": "Server Identity Verification Disabled",
- "predicate": "\n Function f:\n name == \"verify\"\n and enclosingClass is [Class c:\n directSupers contains [Class s:\n name == \"javax.net.ssl.HostnameVerifier\"\n ]\n ] and contains [ReturnStatement: \n expression.constantValue is [Boolean: is true]\n ] and not contains [ReturnStatement: \n expression.constantValue is [Boolean: is false]\n ]\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Insecure SSL",
- "vuln_subcategory": "Server Identity Verification Disabled",
- "predicate": "\n FunctionCall call: call.function.name matches \"setHostnameVerifier|setDefaultHostnameVerifier\" and\n call.function.enclosingClass.name matches \"org\\.apache\\.http\\.conn\\.ssl\\.SSLSocketFactory|javax\\.net\\.ssl\\.HttpsURLConnection\" and\n ( (call.arguments[0] is [ FieldAccess fa: fa.field.name matches \"ALLOW_ALL_HOSTNAME_VERIFIER\" and\n fa.field.type.name == \"org.apache.http.conn.ssl.X509HostnameVerifier\"]) or\n (call.arguments[0].type.definition is [ Class c: c.supers contains\n [Class super: super.type.name matches 
\"org\\.apache\\.http\\.conn\\.ssl\\.(AllowAll|Noop)HostnameVerifier\"]])\n )\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Code Quality",
- "vuln_category": "Poor Style",
- "vuln_subcategory": "Redundant Initialization",
- "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and rhs.constantValue.None]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable var: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and not final and uses.length > 1]*\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Code Quality",
- "vuln_category": "Poor Style",
- "vuln_subcategory": "Redundant Initialization",
- "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is va and rhs.constantValue.None]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable var: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and not final and uses.length > 1]*\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Code Quality",
- "vuln_category": "Poor Style",
- "vuln_subcategory": "Redundant Initialization",
- "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is va and rhs.constantValue.None]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and variable is\n [Variable: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not 
sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and uses.length > 1]*\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Code Quality",
- "vuln_category": "Poor Style",
- "vuln_subcategory": "Value Never Read",
- "predicate": "\n VariableAccess va:\n reads.length == 0\n and va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase]]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and not va.this\n and not va.variable.name == \"_\"\n and (\n variable is [Variable var:\n not static\n and not enclosingFunction.None\n and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and not sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp\n and not final\n ]*\n or variable is [Variable:\n not static\n and not enclosingFunction.None\n and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp\n and not final\n and uses.length == 1\n ]*\n )\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Code Quality",
- "vuln_category": "Poor Style",
- "vuln_subcategory": "Value Never Read",
- "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is va]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and (variable is\n [Variable var: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and not sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and not final]* or variable is\n [Variable: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine 
== va.sourceLocation.startLine\n and not isTemp and not final and uses.length == 1]*)\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Code Quality",
- "vuln_category": "Poor Style",
- "vuln_subcategory": "Value Never Read",
- "predicate": "\n VariableAccess va: reads.length == 0\n and va in [AssignmentStatement: lhs.location is va]\n and not sourceLocation.None\n and not sourceLocation.isMacroExpansion\n and (variable is\n [Variable: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and not sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp]* or variable is\n [Variable: not static and not enclosingFunction.None\n and not type.indirectionLevel > 0 and not referenceTaken\n and not sourceLocation.None\n and not va.sourceLocation.None\n and sourceLocation.startLine == va.sourceLocation.startLine\n and not isTemp and uses.length == 1]*)\n "
- },
- {
- "language": "java",
- "vuln_kingdom": "Input Validation and Representation",
- "vuln_category": "Unsafe JNI",
- "vuln_subcategory": None,
- "predicate": "\n FunctionCall: function is [Function:\n modifiers contains \"native\"\n /* uses of native on GWT applications are JSNI, not JNI */\n and not enclosingClass.supers contains [Class: name matches \"com\\.google\\.gwt\\..*\"]\n and not enclosingClass.functions contains [Function:\n parameters contains [Variable:\n type.definition.enclosingClass.supers contains [Class: name matches \"com\\.google\\.gwt\\..*\"]\n ]\n or contains [FunctionCall:\n function.enclosingClass.supers contains [Class: name matches \"com\\.google\\.gwt\\..*\"]\n ]\n ]\n /* function is in a user-defined class */\n /* note: cannot use isBodyAvailable on the native function itself as it returns false (since there isn't really a body available anyway) */\n and enclosingClass is [Class: \n /* note 2: this works on classes that ONLY specify native functions, due to 
the implicit default methods such as the constructor */\n functions contains [Function: isBodyAvailable]\n ]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Unsafe JNI", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: function is [Function:\n modifiers contains \"native\"\n /* uses of native on GWT applications are JSNI, not JNI */\n and not enclosingClass.supers contains [Class: name matches \"com\\.google\\.gwt\\..*\"]\n and not enclosingClass.functions contains [Function:\n parameters contains [Variable:\n type.definition.enclosingClass.supers contains [Class: name matches \"com\\.google\\.gwt\\..*\"]\n ]\n or contains [FunctionCall:\n function.enclosingClass.supers contains [Class: name matches \"com\\.google\\.gwt\\..*\"]\n ]\n ]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"(deregister|get)(Driver|Drivers|Connection)\" and\n fc.function.enclosingClass.name matches \"java\\.sql\\.DriverManager\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "SecurityManager Bypass", - "predicate": "\n FunctionCall fc: fc.function.name matches \"(deregister|get)(Driver|Drivers|Connection)\" and\n fc.function.enclosingClass.name matches \"java\\.sql\\.DriverManager\" and\n ( fc.enclosingFunction is [public or protected] or\n fc.enclosingFunction reachedBy [Function f: public] ) and\n not enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - 
"vuln_category": "Restricted Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call:\n function is [Function:\n name == \"withTargetLayout\"\n and enclosingClass.supers contains [Class:\n name == \"java.lang.foreign.AddressLayout\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Restricted Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call:\n function is [Function:\n name == \"upcallStub\"\n and enclosingClass.supers contains [Class:\n name == \"java.lang.foreign.Linker\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Restricted Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call:\n function is [Function:\n name == \"libraryLookup\"\n and enclosingClass.supers contains [Class:\n name == \"java.lang.foreign.SymbolLookup\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Restricted Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call:\n function is [Function:\n name == \"reinterpret\"\n and enclosingClass.supers contains [Class:\n name == \"java.lang.foreign.MemorySegment\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Restricted Method", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call:\n function is [Function:\n name == \"downcallHandle\"\n and enclosingClass.supers contains [Class:\n name == \"java.lang.foreign.Linker\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded HMAC Key", - "predicate": "\n FunctionCall fc: function.name == \"init\" and\n fc.function.enclosingClass.supers contains [Class: name == \"javax.crypto.Mac\"] and\n fc.arguments[0] is [Expression e: not e.constantValue.None and\n not e.constantValue is [None:] and\n not e.constantValue == \"\"]\n " - }, - { - 
"language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty HMAC Key", - "predicate": "\n FunctionCall fc: function.name == \"init\" and\n fc.function.enclosingClass.supers contains [Class: name == \"javax.crypto.Mac\"] and\n fc.arguments[0] is [Expression e: e.constantValue == \"\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc: (function.constructor or function.name == \"init^\") and\n fc.function.enclosingClass.supers contains [Class: name == \"javax.crypto.spec.SecretKeySpec\"] and\n fc.arguments[0] is [Expression e: not e.constantValue.None and\n not e.constantValue is [None:] and\n not e.constantValue == \"\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FunctionCall fc: (function.constructor or function.name == \"init^\") and\n fc.function.enclosingClass.supers contains [Class: name == \"javax.crypto.spec.SecretKeySpec\"] and\n fc.arguments[0] is [Expression e: e.constantValue is [None:]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc: (function.constructor or function.name == \"init^\") and\n fc.function.enclosingClass.supers contains [Class: name == \"javax.crypto.spec.SecretKeySpec\"] and\n fc.arguments[0] is [Expression e: e.constantValue == \"\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "JavaScript Hijacking", - "vuln_subcategory": "Vulnerable Framework", - "predicate": "\n Class: name == \"JS_HIJACKING_PLACEHOLDER\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - 
"vuln_subcategory": "Incorrect Serializable Method Signature", - "predicate": "\n Function: name == \"readObjectNoData\" /* don't count other variants that are called by something else manually, such as within another serializable method */\n and isBodyAvailable\n and callers.length == 0\n and enclosingClass.supers contains [Class:\n name == \"java.io.Serializable\"]\n and (\n parameterSlots.length > 0 /* should be no parameters */\n or (\n not private\n and not protected /* in case abstract class */\n )\n or static /* shouldn't be static */\n or not exceptionTypes contains [Type:\n definition.supers contains [Class:\n name == \"java.io.IOException\"]\n ]\n )\n and not enclosingClass.functions contains [Function f1:\n /* make sure not matching against overloaded variant\n and class also contains correct version */ f1.name == \"readObjectNoData\"\n and f1.isBodyAvailable\n and f1.parameterSlots.length == 0\n and (f1.private\n or f1.protected)\n and not f1.static\n and f1.exceptionTypes contains [Type:\n definition.supers contains [Class:\n name == \"java.io.ObjectStreamException\"]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Incorrect Serializable Method Signature", - "predicate": "\n Function: name == \"readObjectNoData\" /* don't count other variants that are called by something else manually, such as within another serializable method */\n and callers.length == 0\n and enclosingClass.supers contains [Class:\n name == \"java.io.Serializable\"]\n and (\n parameterSlots.length > 0 /* should be no parameters */\n or (\n not private\n and not protected /* in case abstract class */\n )\n or static /* shouldn't be static */\n or not exceptionTypes contains [Type:\n definition.supers contains [Class:\n name == \"java.io.IOException\"]\n ]\n )\n and not enclosingClass.functions contains [Function f1:\n /* make sure not matching against overloaded variant\n and class also contains 
correct version */ f1.name == \"readObjectNoData\"\n and f1.parameterSlots.length == 0\n and (f1.private\n or f1.protected)\n and not f1.static\n and f1.exceptionTypes contains [Type:\n definition.supers contains [Class:\n name == \"java.io.ObjectStreamException\"]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Incorrect Serializable Method Signature", - "predicate": "\n Function: name == \"readObject\"\n /* don't count other variants that are called by something else manually, such as within another serializable method */\n and isBodyAvailable\n and callers.length == 0\n and parameterTypes[0].definition.supers contains [Class:\n name == \"java.io.ObjectInputStream\"]\n and enclosingClass.supers contains [Class:\n name == \"java.io.Serializable\"]\n and ( parameterSlots.length > 1 /* should only be one parameter */\n or ( not private\n and not protected /* in case abstract class */ )\n or static /* shouldn't be static */\n or not (exceptionTypes contains [Type:\n definition.supers contains [Class:\n name == \"java.io.IOException\"]\n and definition.supers contains [Class:\n name == \"java.lang.ClassNotFoundException\"]\n ]) )\n and not enclosingClass.functions contains [Function f1:\n /* make sure not matching against overloaded variant\n and class also contains correct version */ f1.name == \"readObject\"\n and f1.isBodyAvailable\n and f1.parameterSlots.length == 1\n and f1.parameterTypes[0].definition.supers contains [Class:\n name == \"java.io.ObjectInputStream\"]\n and (f1.private\n or f1.protected)\n and not f1.static\n and f1.exceptionTypes contains [Type: definition.supers contains [Class:\n name == \"java.io.IOException\"]\n ]\n and f1.exceptionTypes contains [Type: definition.supers contains [Class:\n name == \"java.lang.ClassNotFoundException\"]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - 
"vuln_subcategory": "Incorrect Serializable Method Signature", - "predicate": "\n Function: name == \"readObject\"\n /* don't count other variants that are called by something else manually, such as within another serializable method */\n and callers.length == 0\n and parameterTypes[0].definition.supers contains [Class:\n name == \"java.io.ObjectInputStream\"]\n and enclosingClass.supers contains [Class:\n name == \"java.io.Serializable\"]\n and ( parameterSlots.length > 1 /* should only be one parameter */\n or ( not private\n and not protected /* in case abstract class */ )\n or static /* shouldn't be static */\n or not (exceptionTypes contains [Type:\n definition.supers contains [Class:\n name == \"java.io.IOException\"]\n and definition.supers contains [Class:\n name == \"java.lang.ClassNotFoundException\"]\n ]) )\n and not enclosingClass.functions contains [Function f1:\n /* make sure not matching against overloaded variant\n and class also contains correct version */ f1.name == \"readObject\"\n and f1.parameterSlots.length == 1\n and f1.parameterTypes[0].definition.supers contains [Class:\n name == \"java.io.ObjectInputStream\"]\n and (f1.private\n or f1.protected)\n and not f1.static\n and f1.exceptionTypes contains [Type: definition.supers contains [Class:\n name == \"java.io.IOException\"]\n ]\n and f1.exceptionTypes contains [Type: definition.supers contains [Class:\n name == \"java.lang.ClassNotFoundException\"]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Incorrect Serializable Method Signature", - "predicate": "\n Function: name == \"writeObject\" /* don't count other variants that are called by something else manually, such as within another serializable method */\n and isBodyAvailable\n and callers.length == 0\n and parameterTypes[0].definition.supers contains [Class:\n name == \"java.io.ObjectOutputStream\"]\n and enclosingClass.supers contains [Class:\n name 
== \"java.io.Serializable\"]\n and ( parameterSlots.length > 1 /* should only be one parameter */\n or ( not private\n and not protected /* in case abstract class */ )\n or static /* shouldn't be static */\n or not exceptionTypes contains [Type:\n definition.supers contains [Class:\n name == \"java.io.IOException\"]\n ] )\n and not enclosingClass.functions contains [Function f1:\n /* make sure not matching against overloaded variant\n and class also contains correct version */ f1.name == \"writeObject\"\n and f1.isBodyAvailable\n and f1.parameterSlots.length == 1\n and f1.parameterTypes[0].definition.supers contains [Class:\n name == \"java.io.ObjectOutputStream\"]\n and (f1.private\n or f1.protected)\n and not f1.static\n and f1.exceptionTypes[0].definition.supers contains [Class:\n name == \"java.io.IOException\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Incorrect Serializable Method Signature", - "predicate": "\n Function: name == \"writeObject\"\n /* don't count other variants that are called by something else manually, such as within another serializable method */\n and callers.length == 0\n and parameterTypes[0].definition.supers contains [Class:\n name == \"java.io.ObjectOutputStream\"]\n and enclosingClass.supers contains [Class:\n name == \"java.io.Serializable\"]\n and (\n parameterSlots.length > 1 /* should only be one parameter */\n or (\n not private and not protected /* in case abstract class */\n )\n or static /* shouldn't be static */\n or not exceptionTypes contains [Type: definition.supers contains [Class: name == \"java.io.IOException\"]]\n )\n and not enclosingClass.functions contains [Function f1:\n /* make sure not matching against overloaded variant and class also contains correct version */\n f1.name == \"writeObject\"\n and f1.parameterSlots.length == 1\n and f1.parameterTypes[0].definition.supers contains [Class:\n name == 
\"java.io.ObjectOutputStream\"]\n and (f1.private or f1.protected)\n and not f1.static\n and f1.exceptionTypes[0].definition.supers contains [Class: name == \"java.io.IOException\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Non-Synchronized Method Overrides Synchronized Method", - "predicate": "\n Function f: (not f.synchronized) and\n f.supers contains [Function fs: fs.synchronized]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Non-Synchronized Method Overrides Synchronized Method", - "predicate": "\n Function f: (not f.synchronized and not contains [SynchronizedBlock: ])\n and f.supers contains [Function fs: fs.synchronized or contains [SynchronizedBlock: ]]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n StringLiteral:\n constantValue matches \"(?i)CREATE .* IDENTIFIED BY ''.*\"\n and not constantValue matches \"(?i)CREATE .* IDENTIFIED BY PASSWORD.*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \"(?i)CREATE .* IDENTIFIED BY ([^']+|'.+') .*\"\n and not constantValue matches \"(?i)CREATE .* IDENTIFIED BY PASSWORD.*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Negative Content-Length", - "predicate": "\n\nFunctionCall call:\n call.function is [\n Function f:\n f.enclosingClass.supers contains [Class c: c.type.name == \"org.apache.http.message.BasicHeader\"]\n and (f.constructor or f.name == \"init^\")\n and call.arguments[0].constantValue == \"Content-Length\"\n and call.arguments[1].constantValue matches 
\"-\\d*\"\n ]\n\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Negative Content-Length", - "predicate": "\n\nFunctionCall call:\n call.function is [\n Function f:\n f.enclosingClass.supers contains [Class c: c.type.name == \"org.apache.http.HttpMessage\"]\n and f.name == \"setHeader\"\n and call.arguments[0].constantValue == \"Content-Length\"\n and call.arguments[1].constantValue matches \"-\\d*\"\n ]\n\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Negative Content-Length", - "predicate": "\n\nFunctionCall call:\n call.function is [\n Function f:\n f.enclosingClass is [Class c: c.type.name == \"java.net.URLConnection\"]\n and f.name == \"setRequestProperty\"\n and call.arguments[0].constantValue == \"Content-Length\"\n and call.arguments[1].constantValue matches \"-\\d*\"\n ]\n\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "readObject() Invokes Overridable Function", - "predicate": "\n FunctionCall fc: enclosingFunction is\n [Function reader: name == \"readObject\"\n and enclosingClass.supers contains [Class:\n name == \"java.io.Serializable\"]\n and callees contains [Function f: fc.function == f\n and isBodyAvailable\n and f.enclosingClass.supers contains [Class c: c == reader.enclosingClass]\n and name != \"readObject\"\n and not (\n name matches \"defaultReadObject|readFields\"\n and enclosingClass.supers contains [Class: name == \"java.io.ObjectInputStream\"]\n )\n and not private\n and not static\n and not final\n and not enclosingClass.final\n and not enclosingClass.abstract\n and not constructor]*\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Non-Static Inner Class Implements Serializable", - "predicate": "\n Class: not 
static\n /* not an enum */\n and not supers contains [Class: name == \"java.lang.Enum\"]\n and supers contains [Class: name == \"java.io.Serializable\"]\n and not enclosingClass.None\n /* inner class, not anonymous/local class or lambda */\n and not name matches \".*\\$[0-9].*|.*@lambda([0-9])+\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "clone() Invokes Overridable Function", - "predicate": "\n FunctionCall fc: enclosingFunction is\n [Function cloner: name == \"clone\"\n and public\n and enclosingClass.supers contains [Class: name == \"java.lang.Cloneable\"]\n and callees contains [Function f: fc.function == f\n and isBodyAvailable\n and f.enclosingClass.supers contains [Class c: c == cloner.enclosingClass]\n and name != \"clone\"\n and not private\n and not static\n and not final\n and not enclosingClass.final\n and not enclosingClass.abstract\n and not constructor]*\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Constructor Invokes Overridable Function", - "predicate": "\n FunctionCall fc:\n enclosingFunction is [Function init:\n (name == \"init^\" or constructor)\n and callees contains [Function f: fc.function == f\n and isBodyAvailable\n and f.enclosingClass.supers contains [Class c: c == init.enclosingClass]\n and not private\n and not static\n and not final\n and not enclosingClass.final\n and not enclosingClass.abstract\n and not constructor\n and not name == \"init^\"\n ]*\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Hidden Method", - "predicate": "\n Function f: static and not private\n and enclosingClass.supers contains\n [Class c: c.name != f.enclosingClass.name\n and c.functions contains\n [Function f2: f2.name == f.name\n and not f2.name matches \"clinit\\^|\"\n and static and not 
private\n and f2.parameterTypes === f.parameterTypes\n and f2.returnType == f.returnType\n ]*\n ]\n /* and not a main function */\n and not (f.name == \"main\"\n and f.parameterTypes.length == 1\n and f.parameterTypes[0] is\n [name == \"java.lang.String\" and arrayDimensions == 1])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Comparison with NaN", - "predicate": "\n Operation: (op == \"==\"\n or op == \"!=\")\n and ( rhs is [FieldAccess: field is [Field: name == \"NaN\" and static and enclosingClass.supers contains [Class: name matches \"java\\.lang\\.(Double|Float)\"]]]\n or lhs is [FieldAccess: field is [Field: name == \"NaN\" and static and enclosingClass.supers contains [Class: name matches \"java\\.lang\\.(Double|Float)\"]]]\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Comparison of Boxed Primitive Types", - "predicate": "\n Operation: (op == \"==\" or op == \"!=\")\n and rhs is [Expression: type.definition.supers contains [Class: name matches \"java\\.lang\\.(Double|Float|Integer|Long|Short|Character)\"]]\n and lhs is [Expression: type.definition.supers contains [Class: name matches \"java\\.lang\\.(Double|Float|Integer|Long|Short|Character)\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Invalid Call to Object.equals()", - "predicate": "\n FunctionCall fc: function is [Function: name == \"equals\" and enclosingClass.name == \"java.lang.Object\"]\n and fc.instance is [Expression: type.arrayDimensions > 0]*\n and fc.arguments[0] is [Expression: type.arrayDimensions > 0]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Race Condition", - "vuln_subcategory": "Class Initialization Cycle", - "predicate": "\n FieldAccess fa: field is [Field f: static and final\n and 
not f.sourceLocation.None\n and not fa.sourceLocation.None\n and f.sourceLocation.startLine == fa.sourceLocation.startLine\n and labels contains [String s: s == \"StaticFieldDependency\"]\n and fa.enclosingStatement is [AssignmentStatement: lhs is fa\n and rhs is\n [Expression: contains\n [FieldAccess: field is\n [Field f2: labels contains [String s2: s2 == \"DependentStaticField\"]]\n ]*\n ]\n ]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Race Condition", - "vuln_subcategory": "Class Initialization Cycle", - "predicate": "\n FunctionCall fc: function is [Function: constructor and isBodyAvailable\n /* and isn't the default constructor (automatically generated by SCA) */\n and not sourceLocation.None\n and not enclosingClass.sourceLocation.None\n and sourceLocation.startLine != enclosingClass.sourceLocation.startLine\n /* calling constructor of own class */\n and enclosingClass == fc.enclosingClass\n /* constructor contains static FieldAccess initialized after original assignmentStatement */\n and contains\n [FieldAccess fa: field is\n [Field field: static\n and field.enclosingClass == fc.enclosingClass\n and not sourceLocation.None\n and not fc.sourceLocation.None\n and sourceLocation.startLine > fc.sourceLocation.startLine\n /* would like to say field was not initialize to constant value, but can't find a way to do this */\n and labels contains [String s: s == \"UninitializedStaticField\"]\n ]*\n and not enclosingStatement is [AssignmentStatement: lhs === fa]\n ]*\n ]*\n and enclosingFunction is [Function f: name == \"\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable 
is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is 
[Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n 
fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - 
"predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": 
"Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n 
StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location 
is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded 
Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": 
"Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"PUT_REGEX_HERE\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"PUT_REGEX_HERE\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"PUT_REGEX_HERE\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is 
[Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"PUT_REGEX_HERE\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"(?i)pass(wd|word)\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"(?i)pass(wd|word)\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"PUT_REGEX_HERE\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches 
\"PUT_REGEX_HERE\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"PUT_REGEX_HERE\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"PUT_REGEX_HERE\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"(?i)pass(wd|word)\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"(?i)pass(wd|word)\"\n ]* and\n not operation.lhs.constantValue.None and\n not 
operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \"(?i).*pass(wd|word|phrase).*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \"(?i).*pass(wd|word|phrase).*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: 
lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" 
and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security 
Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n 
rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password 
Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not 
rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: 
l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", 
- "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String: ]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"(?i)pwd\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"(?i)pwd\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n 
not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"(?i)pwd\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"(?i)pwd\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"(?i).*pwd.*\" and\n not l.name matches \"(?i)pwd\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"(?i).*pwd.*\" and\n not l2.name matches \"(?i)pwd\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n 
)\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"(?i).*pwd.*\" and\n not l.name matches \"(?i)pwd\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"(?i).*pwd.*\" and\n not l2.name matches \"(?i)pwd\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"(?i).*pass(wd|word).*\" and\n not l.name matches \"(?i)pass(wd|word)\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"(?i).*pass(wd|word).*\" and\n not l2.name matches \"(?i)pass(wd|word)\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue 
matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: operation.op matches \"[!=]=(=)?\" and\n (\n (\n operation.lhs.location is [Location l:\n l.name matches \"(?i).*pass(wd|word).*\" and\n not l.name matches \"(?i)pass(wd|word)\"\n ]* and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\" and\n not operation.rhs.constantValue is [Number: ]\n ) or\n (\n operation.rhs.location is [Location l2:\n l2.name matches \"(?i).*pass(wd|word).*\" and\n not l2.name matches \"(?i)pass(wd|word)\"\n ]* and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\" and\n not operation.lhs.constantValue is [Number: ]\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in 
[AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. 
Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. 
Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: 
\"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. 
Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String:\n /* minimum length is 16 bytes (128 bits) */\n length >= 16\n ]\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index 
is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String:\n /* minimum length is 16 bytes (128 bits) */\n length >= 16\n ]\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String:\n /* minimum length is 16 bytes (128 bits) */\n length >= 16\n ]\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not 
rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String:\n /* minimum length is 16 bytes (128 bits) */\n length >= 16\n ]\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* exclude key word in props for React */\n and not fa.instance.location.name matches \"~t[0-9]*~react~props\"\n /* Exclude cases where \"key\" is used as an array index */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String:\n /* minimum length is 16 bytes (128 bits) */\n length >= 16\n ]\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. 
Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* exclude key word in props for React */\n and not fa.instance.location.name matches \"~t[0-9]*~react~props\"\n /* Exclude cases where \"key\" is used as an array index */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String:\n /* minimum length is 16 bytes (128 bits) */\n length >= 16\n ]\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. 
Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* exclude key word in props for React */\n and not fa.instance.location.name matches \"~t[0-9]*~react~props\"\n /* Exclude cases where \"key\" is used as an array index */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. 
Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. 
Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String:\n /* minimum length is 16 bytes (128 bits) */\n length >= 16\n ]\n ] and va.variable is [Variable v:]*\n /* Exclude the case where key is used as an index: \"val = obj[key]\" */\n and not va.enclosingFunction contains [ArrayAccess: index is va and\n va.variable.name == \"key\"]\n " - }, - { - "language": 
"javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n rhs.constantValue is [String:\n /* minimum length is 16 bytes (128 bits) */\n length >= 16\n ]\n ] and fa.field is [Field f:\n /* not a key/value or key/name or key/text pair as an object */\n not f.enclosingClass is [Class: fields contains [Field: name matches \"(?i)value|name|text\"]]\n ]*\n /* exclude instances where an attribute on the DOM. Common in React */\n and not fa.instance.possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n /* Exclude the case where key is used as an index: \"obj.val = obj[key]\" */\n and not fa.enclosingFunction contains [ArrayAccess: index is fa and\n fa.field.name == \"key\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall call: call.name == \"generateCRMFRequest\" and\n call.instance is [Location l: l.name == \"crypto\"] and\n call.arguments[5].constantValue is [Number: < 2048] and\n call.arguments[7].constantValue is [String: matches \"(?i)RSA.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"generateCRMFRequest\"\n and (\n f.possibleHeapPaths contains [String str: str == 
\"crypto\"] or\n call.instance is [Location l: l.name == \"crypto\"]\n )\n ] and\n call.arguments[5].constantValue is [Number: < 2048] and\n call.arguments[7].constantValue is [String: matches \"(?i)RSA.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"generateCRMFRequest\"\n and f.possibleHeapPaths contains [String str: str == \"crypto\"]] and\n call.arguments[5].constantValue is [Number: < 2048] and\n call.arguments[7].constantValue is [String: matches \"(?i)RSA.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"generateCRMFRequest\"] and\n call.instance is [FieldAccess fa: fa.field.name == \"crypto\"] and\n call.arguments[5].constantValue is [Number: < 2048] and\n call.arguments[7].constantValue is [String: matches \"(?i)RSA.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall call: call.name == \"generateCRMFRequest\" and\n call.instance is [FieldAccess fa: fa.field.name == \"crypto\"] and\n call.arguments[5].constantValue is [Number: < 2048] and\n call.arguments[7].constantValue is [String: matches \"(?i)RSA.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Easy-to-Guess Database Name", - "predicate": "\n FunctionCall call: call.name == \"openDatabase\" and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n " - }, - { - 
"language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Message Posting Policy", - "predicate": "\n FunctionCall call: call.name == \"postMessage\" and\n call.instance is [Expression l: ] and\n call.arguments[1].constantValue == \"*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name == \"executeSql\" and\n call.arguments[0] is [Expression arg: arg.constantValue.None]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Easy-to-Guess Database Name", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"openDatabase\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"executeSql\"] and\n call.arguments[0] is [Expression arg: arg.constantValue.None]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Message Posting Policy", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"postMessage\"] and\n call.instance is [Expression l: ] and\n call.arguments[1].partialConstantValues contains [String str: str == \"*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name == \"write\" and\n 
call.instance is [Location l: l.name matches \"(?i).*file.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"write\"] and\n call.instance is [Location l: l.name matches \"(?i).*file.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"write\"] and\n call.instance is [FieldAccess fa: fa.field.name matches \"(?i).*file.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Message Posting Policy", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"postMessage\"] and\n call.instance is [Expression l: ] and\n call.arguments[1].partialConstantValues contains [String str: str == \"*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"executeSql\"] and\n call.arguments[0] is [Expression arg: arg.constantValue.None]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Easy-to-Guess Database Name", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"openDatabase\"] and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", 
- "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name == \"write\" and\n call.instance is [FieldAccess fa: fa.field.name matches \"(?i).*file.*\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Message Posting Policy", - "predicate": "\n FunctionCall call: call.name == \"postMessage\" and\n call.instance is [Expression l: ] and\n call.arguments[1].constantValue == \"*\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name == \"executeSql\" and\n call.arguments[0] is [Expression arg: arg.constantValue.None]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Easy-to-Guess Database Name", - "predicate": "\n FunctionCall call: call.name == \"openDatabase\" and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Easy-to-Guess Database Name", - "predicate": "\n FunctionCall call: call.name == \"openDatabase\" and\n not call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Easy-to-Guess Database Name", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"openDatabase\"] and\n (\n call.instance.possibleTypes contains [Type: name == \"Window\"] or\n /* or doesn't have an instance */\n not call in [Location: ]\n ) and\n not 
call.arguments[0].constantValue.None and\n not call.arguments[0].constantValue is [None:] and\n not call.arguments[0].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "JavaScript Hijacking", - "vuln_subcategory": "Vulnerable Framework", - "predicate": "\n Class: name == \"JS_HIJACKING_PLACEHOLDER\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name == \"use\"\n ]\n and instance.possibleTypes contains [Type: definition is\n [Class: name == \"Express\"\n and interface == true\n and filepath matches \"(.*[/\\\\])?express-serve-static-core[/\\\\]index\\.d\\.ts\"\n ]\n ]\n and fc.arguments contains [Expression inst1: inst1 is [FieldAccess: field.name matches \"(?i).*csrf.*\"]\n or inst1 is [VariableAccess: variable.name matches \"(?i).*csrf.*\"]\n ]\n\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: name == \"noSniff\"\n and possibleHeapPaths contains [String str: str matches \"helmet(\\.exports)?\"]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n AccessLocation al: al.accessName == \"secure\" and\n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == true]\n and al.accessInstance is [AccessLocation al2: accessName == \"defaults\"\n and al2.accessInstance is [Location: name == \"$cookiesProvider\"]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": 
"\n AccessLocation al: al.accessName == \"secure\" and\n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == true]\n and al.accessInstance is [AccessLocation al2: accessName == \"defaults\"\n and al2.accessInstance is [Location: name == \"$cookiesProvider\"]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n FieldAccess fa: fa.field.name == \"secure\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == true]\n and fa.instance is [FieldAccess fa2: field.name == \"defaults\"\n and fa2.instance is [FieldAccess fa3: field.name == \"$cookiesProvider\"]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n AccessLocation: accessName matches \"xsrf(Header|Cookie)Name\"\n and accessInstance is [AccessLocation: accessName == \"defaults\"\n and accessInstance is [Location: name matches \"\\$http(Provider)?\"]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n AccessLocation: accessName matches \"xsrf(Header|Cookie)Name\"\n and accessInstance is [AccessLocation: accessName == \"defaults\"\n and accessInstance is [Location: name matches \"\\$http(Provider)?\"]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n FieldAccess: field.name matches \"xsrf(Header|Cookie)Name\"\n and instance is [FieldAccess: field.name == \"defaults\"\n and instance is [FieldAccess: field.name matches \"\\$http(Provider)?\"]\n ]\n " - }, - { - "language": 
"javascript", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: name == \"noSniff\"\n and possibleHeapPaths contains [String str: str matches \"helmet(\\.exports)?\"]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: call.name == \"open\" and\n not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue is [None:]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name matches \"(?i).*(MD2|MD4|MD5).*|.*SHA((-)?1)?$\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name matches \"(?i).*(RC4|ARCFOUR).*|(.*_|.*with|.*encrypt.*|.*decrypt.*)?(DES|3DES|TripleDES|DESede)(_.*|.*encrypt.*|.*decrypt.*)?\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Negative Content-Length", - "predicate": "\n FunctionCall call:\n call.name == \"setRequestHeader\"\n and call.arguments[0].constantValue matches \"(?i)Content-Length\"\n and call.arguments[1].constantValue is [Value v:\n v is [String: matches \"^-\\d+\"]\n or v is [Number num: num < 0]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.name == \"open\" and\n not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security 
Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call:\n call.name matches \"(?i)RC2.*\"\n or call.name matches \"(?i).*RC2\"\n or call.name matches \"(?i)RC2\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name == \"open\" and\n call.arguments[0].partialConstantValues contains\n [String : matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.name == \"open\" and\n not call.arguments[4].constantValue.None and\n not call.arguments[4].constantValue is [None:] and\n not call.arguments[4].constantValue == \"\" and\n not call.arguments[4].constantValue matches \"(?i)true|false\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.|\\$)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (\n call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n 
call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.|\\$)?window(\\..*)?\"]\n )\n )\n ]\n and call.arguments[0].partialConstantValues contains [String : matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name matches \"(?i).*(MD2|MD4|MD5).*|.*SHA((-)?1)?$\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Negative Content-Length", - "predicate": "\n FunctionCall call:\n call.possibleTargets contains [Function f: f.name == \"setRequestHeader\"]\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n call.instance.possibleTypes.length == 0)\n and call.arguments[0].partialConstantValues contains [String s1: s1 matches \"(?i)Content-Length\"]\n and call.arguments[1].partialConstantValues contains [Value v:\n v is [String s2: s2 matches \"^-\\d+\"]\n or v is [Number num: num < 0]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f:\n f.name matches \"(?i).*RC2\"\n or f.name matches \"(?i)RC2.*\"\n or f.name matches \"(?i)RC2\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not 
match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.|\\$)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue is [None:]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name matches \"(?i).*(RC4|ARCFOUR).*|(.*_|.*with|.*encrypt.*|.*decrypt.*)?(DES|3DES|TripleDES|DESede)(_.*|.*encrypt.*|.*decrypt.*)?\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.|\\$)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n not call.arguments[4].constantValue is [None:] and\n not call.arguments[4].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f:\n f.name matches \"(?i).*RC2\"\n or f.name matches \"(?i)RC2.*\"\n or f.name matches \"(?i)RC2\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name matches 
\"(?i).*(RC4|ARCFOUR).*|(.*_|.*with|.*encrypt.*|.*decrypt.*)?(DES|3DES|TripleDES|DESede)(_.*|.*encrypt.*|.*decrypt.*)?\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name matches \"(?i).*(MD2|MD4|MD5).*|.*SHA((-)?1)?$\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Randomness", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name == \"random\" and\n call.instance is [Location l: l.name matches \"Math|_\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Randomness", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"random\"\n and (\n f.possibleHeapPaths contains [String str: str matches \"Math|_|underscore\"] or\n call.instance is [Location l: l.name matches \"Math|_\"]\n )\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Randomness", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"random\"\n and f.possibleHeapPaths contains [String str: str == \"Math\"]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Randomness", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"random\"] and\n call.instance is [FieldAccess fa: fa.field.name == \"Math\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (\n 
call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.|\\$)?window(\\..*)?\"]\n )\n )\n ]\n and call.arguments[0].partialConstantValues contains [String : matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (\n call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.)?window(\\..*)?\"]\n )\n )\n ]\n and call.arguments[0].partialConstantValues contains [String : matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.|\\$)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n not call.arguments[4].constantValue is [None:] and\n not call.arguments[4].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == 
\"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n not call.arguments[4].constantValue is [None:] and\n not call.arguments[4].constantValue == \"\" and\n not call.arguments[4].constantValue matches \"(?i)true|false\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.|\\$)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - 
"predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.|\\$)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue is [None:]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name == \"open\"\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n (\n call.instance.possibleTypes.length == 0\n and\n /* do not match against window.open */\n not f.possibleHeapPaths contains [String str: str matches \"(.*\\.)?window(\\..*)?\"]\n )\n )\n ]\n and not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue is [None:]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Negative Content-Length", - "predicate": "\n FunctionCall call:\n call.possibleTargets contains [Function f: f.name == \"setRequestHeader\"]\n and (call.instance.possibleTypes contains [Type: name matches \"XMLHttpRequest|ActiveXObject\"]\n or\n call.instance.possibleTypes.length == 0)\n and call.arguments[0].partialConstantValues contains [String s1: s1 matches \"(?i)Content-Length\"]\n and call.arguments[1].partialConstantValues contains [Value v:\n v is [String s2: s2 matches \"^-\\d+\"]\n or v is [Number num: num < 0]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call:\n 
call.name matches \"(?i)RC2.*\"\n or call.name matches \"(?i).*RC2\"\n or call.name matches \"(?i)RC2\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name matches \"(?i).*(RC4|ARCFOUR).*|(.*_|.*with|.*encrypt.*|.*decrypt.*)?(DES|3DES|TripleDES|DESede)(_.*|.*encrypt.*|.*decrypt.*)?\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name matches \"(?i).*(MD2|MD4|MD5).*|.*SHA((-)?1)?$\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Randomness", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name == \"random\" and\n call.instance is [FieldAccess fa: fa.field.name == \"Math\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement a: a.lhs.location is [AccessLocation al:\n al.accessName == \"method\"\n /* we don't want to be matching on html when DOMModeling is turned on */\n and not al.accessInstance is [Expression:\n type.name matches \"HTML[A-z]*Element.*|__DomElement\"\n or possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n ]\n ]\n and a.rhs.partialConstantValues contains [String: matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement a: a.lhs.location is [AccessLocation al:\n al.accessName == \"method\"\n /* we don't want to be matching on html when DOMModeling is turned on */\n and not al.accessInstance is [Expression:\n type.name matches 
\"HTML[A-z]*Element.*|__DomElement\"\n or possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n ]\n ]\n and a.rhs.partialConstantValues contains [String: matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement a: a.lhs.location is [FieldAccess fa: fa.field.name == \"method\"\n /* we don't want to be matching on html when DOMModeling is turned on */\n and not fa.instance is [FieldAccess fa2: type.name matches \"HTML[A-z]*Element.*|__DomElement\"]]\n and a.rhs.partialConstantValues contains [String: matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name == \"open\" and\n call.arguments[0].partialConstantValues contains\n [String : matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: call.name == \"open\" and\n not call.arguments[4].constantValue.None and\n not call.arguments[4].constantValue is [None:] and\n not call.arguments[4].constantValue == \"\" and\n not call.arguments[4].constantValue matches \"(?i)true|false\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: call.name == \"open\" and\n not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: call.name == 
\"open\" and\n not call.arguments[4].constantValue.None and\n call.arguments[4].constantValue is [None:]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Negative Content-Length", - "predicate": "\n FunctionCall call:\n call.name == \"setRequestHeader\"\n and call.arguments[0].constantValue matches \"(?i)Content-Length\"\n and call.arguments[1].constantValue is [Value v:\n v is [String: matches \"^-\\d+\"]\n or v is [Number num: num < 0]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement a:\n a.lhs.location is [AccessLocation al:\n al.accessName == \"method\"\n /* we don't want to be matching on html when DOMModeling is turned on */\n and not al.accessInstance is [Expression:\n possibleTypes contains [Type: name matches \"HTML[A-z]*Element.*|__DomElement\"]\n ]\n ]\n and a.rhs.partialConstantValues contains [String: matches \"(?i)post|get\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call:\n call.possibleTargets contains [Function f:\n f.name == \"open\"\n /* do not match against window.open */\n and not call.instance.possibleTypes contains [Type: name == \"Window\"]\n ]\n and call.arguments[0].partialConstantValues contains [String : matches \"(?i)post|get\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] 
and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None: ]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None: ]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i)pass(wd|word)\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None: ]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] 
and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in 
[AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i)pass(wd|word)\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"\\$(PUT_REGEX_HERE)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not 
operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"\\$(PUT_REGEX_HERE)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(\\$)?(PUT_REGEX_HERE)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(\\$)?(PUT_REGEX_HERE)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"\\$(PUT_REGEX_HERE)\"]] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ))\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"\\$(PUT_REGEX_HERE)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not 
operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"\\$(PUT_REGEX_HERE)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(\\$)?(PUT_REGEX_HERE)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(\\$)?(PUT_REGEX_HERE)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"\\$(PUT_REGEX_HERE)\"]] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ))\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"(?i)\\$pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not 
operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"(?i)\\$pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(?i)(\\$)?pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(?i)(\\$)?pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i)\\$pass(wd|word)\"]] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ))\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] 
and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === 
va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded 
Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i)pass(wd|word)\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \"(?i).*pass(wd|word|phrase).*\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?.*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)(\\$)?pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$.*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)\\$pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n 
rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i).*pass(wd|word).*\" and\n not sl.constantValue matches \"(?i)pass(wd|word)\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None: ]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?.*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)(\\$)?pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$.*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)\\$pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i).*pass(wd|word).*\" and\n not sl.constantValue matches \"(?i)pass(wd|word)\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"(?i)\\$.*pass(wd|word).*\" and not val.variable.name matches \"(?i)\\$pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"(?i)\\$.*pass(wd|word).*\" and not var.variable.name matches \"(?i)\\$pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(?i)(\\$)?.*pass(wd|word).*\" and not fal.field.name matches \"(?i)(\\$)?pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(?i)(\\$)?.*pass(wd|word).*\" and not far.field.name matches \"(?i)(\\$)?pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches 
\"(?i)\\$.*pass(wd|word).*\"]] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ))\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?.*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)(\\$)?pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$.*pass(wd|word).*\" and\n not va.variable.name matches \"(?i)\\$pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i).*pass(wd|word).*\" and\n not sl.constantValue matches \"(?i)pass(wd|word)\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == 
\"\" and\n not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[0].constantValue matches \"PUT_REGEX_HERE\"\n and arguments[1] is [Expression e:\n e.constantValue is [None:]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[0].constantValue matches \"PUT_REGEX_HERE\"\n and arguments[1] is [Expression e:\n e.constantValue is [None:]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[0].constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto|private|secret)?(_)?key|passphrase\"\n and arguments[1] is [Expression e:\n e.constantValue is [None:]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n 
" - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?((enc(ryption|rypt)?|crypto)(_)?key)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$((enc(ryption|rypt)?|crypto)(_)?key)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in 
[AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None: ]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None: ]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None: ]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[0].constantValue matches \"PUT_REGEX_HERE\"\n and arguments[1] is [Expression e:\n e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[0].constantValue matches \"PUT_REGEX_HERE\"\n and arguments[1] is [Expression e:\n e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[0].constantValue matches 
\"(?i)((enc|dec)(ryption|rypt)?|crypto|private|secret)?(_)?key|passphrase\"\n and arguments[1] is [Expression e:\n e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?((enc(ryption|rypt)?|crypto)(_)?key)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: 
va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$((enc(ryption|rypt)?|crypto)(_)?key)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - 
"vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(\\$)?(PUT_REGEX_HERE)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?((enc(ryption|rypt)?|crypto)(_)?key)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] 
and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"\\$(PUT_REGEX_HERE)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$((enc(ryption|rypt)?|crypto)(_)?key)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\" and\n /* Exclude values used by CakePhp framework to describe SQL schemas */\n not rhs.constantValue matches \"primary|unique|index\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security 
Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"PUT_REGEX_HERE\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\" and\n /* Exclude values used by CakePhp framework to describe SQL schemas */\n not rhs.constantValue matches \"primary|unique|index\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\" and\n /* Exclude values used by CakePhp framework to describe SQL schemas */\n not rhs.constantValue matches \"primary|unique|index\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"PUT_REGEX_HERE\"\n and arguments[2] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and 
fc.arguments[1].constantValue matches \"PUT_REGEX_HERE\"\n and arguments[2] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto|private|secret)?(_)?key|passphrase\"\n and arguments[2] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto|private|secret).*key.*|.*passphrase.*\"\n and not fc.arguments[1].constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n and not fc.arguments[1].constantValue matches \"(?i).*public.*\"\n and fc.arguments[2] is [Expression e:\n e.constantValue is [None:]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?(.*enc(?!e|o|y).*key.*)\" and\n not fa.field.name matches \"(?i)(\\$)?((enc(ryption|rypt)?|crypto)(_)?key)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name 
matches \"(?i)\\$(.*enc(?!e|o|y).*key.*)\" and\n not va.variable.name matches \"(?i)\\$((enc(ryption|rypt)?|crypto)(_)?key)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None: ]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto|private|secret).*key.*|.*passphrase.*\"\n and not fc.arguments[1].constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n and not fc.arguments[1].constantValue matches \"(?i).*public.*\"\n and fc.arguments[2] is [Expression e:\n e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?(.*enc(?!e|o|y).*key.*)\" and\n not fa.field.name matches \"(?i)(\\$)?((enc(ryption|rypt)?|crypto)(_)?key)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$(.*enc(?!e|o|y).*key.*)\" and\n not va.variable.name matches \"(?i)\\$((enc(ryption|rypt)?|crypto)(_)?key)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)(\\$)?(.*enc(?!e|o|y).*key.*)\" and\n not fa.field.name matches \"(?i)(\\$)?((enc(ryption|rypt)?|crypto)(_)?key)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)\\$(.*enc(?!e|o|y).*key.*)\" and\n not va.variable.name matches 
\"(?i)\\$((enc(ryption|rypt)?|crypto)(_)?key)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc:\n name matches \"(?i)define\"\n and fc.arguments[1].constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto|private|secret).*key.*|.*passphrase.*\"\n and not fc.arguments[1].constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n and not fc.arguments[1].constantValue matches \"(?i).*public.*\"\n and fc.arguments[2] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue == \"blowfish_secret\"] and\n aa in 
[AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue is [None:]]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue == \"blowfish_secret\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n rhs.constantValue == \"\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl: sl.constantValue == \"blowfish_secret\"] and\n aa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === aa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\" and\n not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - "vuln_subcategory": "Poor open_basedir Configuration", - "predicate": "\n\t\t\tFunctionCall fc: fc.function.name == \"ini_set\"\n\t\t\t\tand\n\t\t\tfc.arguments[0].constantValue == \"open_basedir\"\n\t\t\t\tand\n\t\t\tfc.arguments[1].constantValue matches \"(.*(:|;))?\\.(\\/)?((:|;).*)?\"\n\t\t" - }, - { - "language": "php", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement as: lhs is\n [\n FieldAccess fa: fa.instance.type.definition.supers contains [Class c: c.name matches \"(?i)(Data|Dbo)Source\"] and fa.field.name matches \"(?i)fullDebug\"\n ]\n and\n not (rhs.constantValue matches \"(?i)^false$\" or rhs.constantValue == false)\n " - }, - { - "language": "php", - "vuln_kingdom": "Encapsulation", - "vuln_category": 
"System Information Leak", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement as: lhs is\n [\n FieldAccess fa: fa.instance.type.definition.supers contains [Class c: c.name matches \"(?i)EmailComponent\"] and fa.field.name matches \"(?i)_debug\"\n ]\n and\n not (rhs.constantValue matches \"(?i)^true$\" or rhs.constantValue == true)\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Persistent Cookie", - "predicate": "\n AssignmentStatement as: lhs is\n [\n FieldAccess fa: fa.instance.type.definition.supers contains [Class c: c.name matches \"(?i)CookieComponent\"] and fa.field.name matches \"(?i)time\"\n ]\n and\n not (rhs.constantValue is [Number n: n == 0] or rhs.constantValue matches \"(?i)now\")\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n AssignmentStatement as: lhs is\n [\n FieldAccess fa: fa.instance.type.definition.supers contains [Class c: c.name matches \"(?i)CookieComponent\"] and fa.field.name matches \"(?i)secure\"\n ]\n and\n not (rhs.constantValue matches \"(?i)false\" or rhs.constantValue == false)\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement as: lhs is\n [\n FieldAccess fa: fa.instance.type.definition.supers contains [Class c: c.name matches \"(?i)Security\"] and fa.field.name matches \"(?i)hashType\"\n ]\n and (rhs.constantValue matches \"(?i)sha1|md5\" or rhs.constantValue == \"\" or rhs.constantValue is [None:])\n " - }, - { - "language": "php", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement as: lhs is\n [\n FieldAccess fa: fa.instance.type.definition.supers contains [Class c: 
c.name matches \"(?i)Configure\"] and fa.field.name matches \"(?i)debug\"\n ]\n and\n not (rhs.constantValue == \"0\" or rhs.constantValue == 0)\n " - }, - { - "language": "php", - "vuln_kingdom": "Time and State", - "vuln_category": "Session Fixation", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.function.name matches \"(?i)ini_set\"\n and\n fc.arguments[0].constantValue matches \"(?i)session.use_strict_mode\"\n and\n fc.arguments[1].constantValue matches \"(?i)off|0\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Permissive SameSite Attribute", - "predicate": "\n FunctionCall fc: fc.function.name matches \"(?i)ini_set\"\n and\n fc.arguments[0].constantValue matches \"(?i)session.cookie_samesite\"\n and\n fc.arguments[1].constantValue matches \"(?i)Lax\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Missing SameSite Attribute", - "predicate": "\n FunctionCall fc: fc.function.name matches \"(?i)ini_set\"\n and\n fc.arguments[0].constantValue matches \"(?i)session.cookie_samesite\"\n and\n (fc.arguments[1].constantValue matches \"(?i)None\" or\n fc.arguments[1].constantValue == \"\")\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "System Information Leak", - "vuln_subcategory": "PHP Errors", - "predicate": "\n FunctionCall fc: fc.function.name matches \"(?i)ini_set\"\n and\n fc.arguments[0].constantValue matches \"(?i)display_startup_errors\"\n and\n fc.arguments[1].constantValue matches \"(?i)on|1\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Session Cookies Disabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue matches \"session\\.use_(only_)?cookies\"\n and\n 
fc.arguments[1].constantValue matches \"(?i)off|0\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Session Cookies Disabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue matches \"session\\.use_(only_)?cookies\"\n and\n fc.arguments[1].constantValue matches \"(?i)off|0\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Session Cookie Path", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_path\"\n and\n fc.arguments[1].constantValue matches \"/\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Session Cookie Path", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_path\"\n and\n fc.arguments[1].constantValue matches \"/\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Session Cookie Domain", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_domain\"\n and\n fc.arguments[1].constantValue matches \"^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Session Cookie Domain", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_domain\"\n and\n fc.arguments[1].constantValue matches \"^(\\.?[a-z0-9\\-]+){2}$\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - 
"vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Session Cookie Domain", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_domain\"\n and\n fc.arguments[1].constantValue matches \"^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Session Cookie Domain", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_domain\"\n and\n fc.arguments[1].constantValue matches \"^(\\.?[a-z0-9\\-]+){2}$\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Persistent Session Cookie", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_lifetime\"\n and\n fc.arguments[1].constantValue matches \"\\d{2,}|[1-9]\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Persistent Session Cookie", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_lifetime\"\n and\n fc.arguments[1].constantValue matches \"\\d{2,}|[1-9]\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Session Cookie not Sent Over SSL", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_secure\"\n and\n fc.arguments[1].constantValue matches \"(?i)off|0\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Session Cookie not Sent Over SSL", - "predicate": "\n FunctionCall 
fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_secure\"\n and\n fc.arguments[1].constantValue matches \"(?i)off|0\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set on Session Cookie", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_httponly\"\n and\n fc.arguments[1].constantValue matches \"(?i)off|0\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set on Session Cookie", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.cookie_httponly\"\n and\n fc.arguments[1].constantValue matches \"(?i)off|0\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - "vuln_subcategory": "session_use_trans_sid Enabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"session.use_trans_sid\"\n and\n fc.arguments[1].constantValue matches \"(?i)on\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - "vuln_subcategory": "Missing safe_mode_exec_dir Entry", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"safe_mode_exec_dir\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - "vuln_subcategory": "safe_mode Disabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"safe_mode\"\n and\n fc.arguments[1].constantValue matches \"(?i)off\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "Race Condition", - 
"vuln_subcategory": "PHP Design Flaw", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"open_basedir\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - "vuln_subcategory": "file_uploads Enabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"file_uploads\"\n and\n fc.arguments[1].constantValue matches \"(?i)on\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "System Information Leak", - "vuln_subcategory": "PHP Version", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"expose_php\"\n and\n fc.arguments[1].constantValue matches \"(?i)on\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "System Information Leak", - "vuln_subcategory": "PHP Errors", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"display_errors\"\n and\n fc.arguments[1].constantValue matches \"(?i)on|1\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - "vuln_subcategory": "cgi.force_redirect Disabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"cgi.force_redirect\"\n and\n fc.arguments[1].constantValue matches \"(?i)off\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - "vuln_subcategory": "allow_url_include Enabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"allow_url_include\"\n and\n fc.arguments[1].constantValue matches \"(?i)on\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - 
"vuln_subcategory": "allow_url_fopen Enabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"allow_url_fopen\"\n and\n fc.arguments[1].constantValue matches \"(?i)on\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Environment", - "vuln_category": "PHP Misconfiguration", - "vuln_subcategory": "register_globals Enabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"ini_set\"\n and\n fc.arguments[0].constantValue == \"register_globals\"\n and\n fc.arguments[1].constantValue matches \"(?i)on\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement: lhs.location is [FieldAccess: field.name == \"debugging\" and instance.type.name == \"Smarty\"] and rhs.constantValue == true\n " - }, - { - "language": "php", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: function.name matches \"(?i)__set\"\n and arguments[0].constantValue == \"debugging\"\n and arguments[1].constantValue == true\n and instance.type.name == \"Smarty\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Possible Variable Overwrite", - "vuln_subcategory": "Global Scope", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name == \"extract\" ] and\n call.arguments[0] is [Expression inArg: ] and\n ( call.arguments.length == 1\n or\n (\n call.arguments[1] is\n [\n FieldAccess fa: fa.instance is\n [\n VariableAccess va:\n va.type.name == \"~PHPGlobalType\"\n and\n va.variable.name == \"~PHPGlobalObject\"\n ]\n and\n fa.field.name != \"EXTR_SKIP\"\n and\n fa.field.name != \"EXTR_PREFIX_SAME\"\n and\n fa.field.name != \"EXTR_PREFIX_ALL\"\n ]\n and\n call.arguments[0].constantValue.None\n )\n )\n " - }, - { - "language": "php", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Cipher", - "predicate": "\n ArrayAccess aa:\n aa.index is [StringLiteral sl: sl.constantValue matches \"(?i)ciphers\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l: l.transitiveBase === aa.transitiveBase]\n and (\n /* CBC Mode */\n rhs.constantValue matches \"(?i).*-CBC(3)?-.*\"\n /* Weak Hash Functions */\n or rhs.constantValue matches \"(?i).*-(SHA|MD5|GOST94|GOST89)\"\n /* Weak Ciphers */\n or rhs.constantValue matches \"(?i).*-(RC2|RC4|DES|3DES)-.*\"\n /* Anonymous or None algortihms */\n or rhs.constantValue matches \"(?i).*(ANON|None).*\"\n )\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: name matches \"(?i)mcrypt_(encrypt|decrypt|cbc|cfb|ecb|module_open|ofb|get_block_size|get_cipher_name|get_iv_size|get_key_size|module_get_algo_block_size|module_get_algo_key_size|module_get_supported_key_size|module_is_block_algorithm|module_self_test)\" and\n (\n arguments[0] is [FieldAccess fa: fa.field.name matches \"(?i)MCRYPT_RC2\"] or\n arguments[0].constantValue matches \"(?i)rc2\"\n )\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: name matches \"(?i)mcrypt_(encrypt|decrypt|cbc|cfb|ecb|module_open|ofb|get_block_size|get_cipher_name|get_iv_size|get_key_size|module_get_algo_block_size|module_get_algo_key_size|module_get_supported_key_size|module_is_block_algorithm|module_self_test)\" and\n (\n arguments[0] is [FieldAccess fa: fa.field.name matches \"(?i)MCRYPT_((3|TRIPLE)?DES(_COMPAT)?|ARCFOUR|RC4)\"] or\n arguments[0].constantValue == 1 or\n (arguments[0].constantValue matches \"(?i)des|desede|3des|tripledes|arcfour|rc4\")\n )\n " - }, - { - "language": "php", - "vuln_kingdom": "Security 
Features", - "vuln_category": "Weak Cryptographic Signature", - "vuln_subcategory": None, - "predicate": "\n ArrayAccess aa:\n aa.index is [StringLiteral sl: sl.constantValue matches \"(?i)private_key_type\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l: l.transitiveBase === aa.transitiveBase]\n and rhs is [FieldAccess: name matches \"(?i)OPENSSL_KEYTYPE_DSA\"]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: name matches \"(?i)mhash_(get_block_size|get_hash_name|keygen_s2k)|mhash\" and\n (\n arguments[0] is [FieldAccess fa: fa.field.name matches \"(?i)MHASH_(MD2|MD4|MD5|SHA1)\"] or\n /* MHASH_MD4 */\n arguments[0].constantValue == 16 or\n arguments[0].constantValue == 273 or\n /* MHASH_MD5 */\n arguments[0].constantValue == 1 or\n arguments[0].constantValue == 289 or\n /* MHASH_MD2 */\n arguments[0].constantValue == 28 or\n arguments[0].constantValue == 257 or\n /* MHASH_SHA1 */\n arguments[0].constantValue == 2 or\n arguments[0].constantValue == 513\n )\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded PBE Password", - "predicate": "\n FunctionCall fc: name matches \"(?i)hash_pbkdf2\"\n and arguments[1] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Predictable Salt", - "predicate": "\n FunctionCall fc: name matches \"(?i)hash_pbkdf2\"\n and (arguments[1].constantValue === arguments[2].constantValue\n or arguments[1] is arguments[2])\n and not arguments[1].constantValue.None\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": 
"Insufficient Key Size", - "predicate": "\n FunctionCall fc: name matches \"(?i)hash_pbkdf2\"\n and arguments[4] is [Expression dklen:\n dklen.constantValue is [Number n:\n n < 128\n ]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Return Inside Finally", - "predicate": "\n ReturnStatement: in [FinallyBlock:]\n " - }, - { - "language": "php", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Empty Catch Block", - "predicate": "\n CatchBlock: empty\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name matches \"(?i)stream_socket_enable_crypto\"\n ] \n and arguments[1] is [BooleanLiteral: value is true]\n and arguments[2] is [FieldAccess:\n name matches \"(?i)STREAM_CRYPTO_METHOD_(SSL.*|ANY|TLSv1_0|TLSv1_1)_(CLIENT|SERVER)\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name matches \"(?i)stream_context_set_option\"\n ] \n and arguments[1].constantValue is [String: matches \"(?i)ssl\"]\n and arguments[2].constantValue is [String: matches \"(?i)passphrase\"]\n and arguments[3].constantValue is [None: ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name matches \"(?i)stream_context_set_option\"\n ] \n and arguments[1].constantValue is [String: matches \"(?i)ssl\"]\n and arguments[2].constantValue is [String: matches \"(?i)passphrase\"]\n and arguments[3].constantValue == \"\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security 
Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name matches \"(?i)stream_context_set_option\"\n ] \n and arguments[1].constantValue is [String: matches \"(?i)ssl\"]\n and arguments[2].constantValue is [String: matches \"(?i)passphrase\"]\n and not arguments[3].constantValue.None\n and not arguments[3].constantValue is [None: ]\n and not arguments[3].constantValue == \"\"\n and not arguments[3].constantValue matches \"(?i)true|false\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Cipher", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name matches \"(?i)stream_context_set_option\"\n ] \n and arguments[1].constantValue is [String: matches \"(?i)ssl\"]\n and arguments[2].constantValue is [String: matches \"(?i)ciphers\"]\n and (\n /* CBC Mode */\n arguments[3].constantValue matches \"(?i).*-CBC(3)?-.*\"\n /* Weak Hash Functions */\n or arguments[3].constantValue matches \"(?i).*-(SHA|MD5|GOST94|GOST89)\"\n /* Weak Ciphers */\n or arguments[3].constantValue matches \"(?i).*-(RC2|RC4|DES|3DES)-.*\"\n /* Anonymous or None algortihms */\n or arguments[3].constantValue matches \"(?i).*(ANON|None).*\"\n )\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Inadequate RSA Padding", - "predicate": "\n FunctionCall: name matches \"(?i)openssl_(private_decrypt|private_encrypt|public_decrypt|public_encrypt)\" and\n (\n arguments.length < 4 or\n (\n arguments[3] is [FieldAccess fa: not fa.field.name matches \"(?i).*OPENSSL_PKCS1_OAEP_PADDING\"] or\n arguments[3].constantValue != 4\n )\n )\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Signature", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: name 
matches \"(?i)openssl_(sign|verify)\"\n and arguments[3].constantValue matches \"(?i)dsa.*\"\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: \n name matches \"(?i)openssl_(sign|verify)\"\n /* Do not report on SHA224 or higher */\n and not arguments[3].constantValue matches \"(?i).*SHA[2-9][0-9]{2}.*\"\n and (arguments[3] is [FieldAccess fa: \n fa.field.name matches \"(?i)OPENSSL_ALGO_(MD2|MD4|MD5|SHA1|RMD160)\"\n ] or arguments[3].constantValue matches \"(?i).*((ripemd|rmd)(160)?|MD2|MD4|MD5|SHA((-)?1)?).*\")\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Predictable Salt", - "predicate": "\n FunctionCall fc: name matches \"(?i)openssl_pbkdf2\"\n and (arguments[0].constantValue === arguments[1].constantValue\n or arguments[0] is arguments[1])\n and not arguments[0].constantValue.None\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall fc: name matches \"(?i)openssl_pbkdf2\"\n and arguments[3] is [Expression dklen:\n dklen.constantValue is [Number n:\n n < 128\n ]\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded PBE Password", - "predicate": "\n FunctionCall fc: name matches \"(?i)openssl_pbkdf2\"\n and arguments[0] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "php", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: name matches \"(?i)openssl_spki_new\"\n and arguments[2] is [Expression e:\n constantValue is [Number n:\n n 
> 1 and n < 8\n or n > 13 and n < 19\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n \n FunctionPointerCall fpc: fpc.name == \"enable_unsafe_deserialization\"\n and fpc.closureExpression is [FieldAccess fa: instance is [FieldAccess: instance is [FieldAccess: name == \"tensorflow.keras~module\"]]]\n \n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe TensorFlow Deserialization", - "predicate": "\n \n FunctionPointerCall fpc: fpc.name == \"load_model\"\n and fpc.closureExpression is [FieldAccess fa: instance is [FieldAccess: instance is [FieldAccess: name == \"tensorflow.keras~module\"]]]\n \n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n \n FunctionCall fc:\n function is [Function:\n name == \"__setitem__\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"key\" and expression.constantValue matches \"PUT_REGEX_HERE\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"value\"\n and not expression.constantValue.None\n and not expression.constantValue is [None:]\n and not expression.constantValue == \"\"\n and not 
expression.constantValue matches \"(?i)true|false\"\n ]\n \n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n \n FunctionCall fc:\n function is [Function:\n name == \"__setitem__\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"key\" and expression.constantValue matches \"PUT_REGEX_HERE\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"value\"\n and not expression.constantValue.None\n and not expression.constantValue is [None:]\n and not expression.constantValue == \"\"\n and not expression.constantValue matches \"(?i)true|false\"\n ]\n \n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"__setitem__\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"key\" and expression.constantValue matches \"(?i)password|client_secret\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"value\"\n and not expression.constantValue.None\n and not expression.constantValue is [None:]\n and not expression.constantValue == \"\"\n and not expression.constantValue matches \"(?i)true|false\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Unobfuscated Logging", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"__init__\"\n and enclosingClass.name matches \"oslo_config\\.cfg\\.(Str|Float|Bool|Int|List|Dict)?Opt\"\n ]\n and (\n namedParameters contains [NamedParameter p:\n name == \"secret\"\n /*if secret=False then the password, for example, will be printed in clear*/\n and p.expression is [VariableAccess va: variable.name == \"False\"]\n /*Check if \"secret\" is assigned a variable of 
\"False\" value, example: secret=sec, where sec=False*/\n or p.expression is [VariableAccess va0: va0 in [Statement sa: sa contains [AssignmentStatement:\n rhs is [VariableAccess va1: va1.variable.name == \"False\"]\n and lhs is [ VariableAccess va2: va2 is va0 ]\n ]]]\n ]\n /* Check if \"secret\" parameter is not in namedParameters as the default value is \"False\"*/\n or not namedParameters contains [NamedParameter p1: name == \"secret\" ]\n )\n and arguments[1] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Unobfuscated Logging", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"__init__\"\n and enclosingClass.name matches \"oslo_config\\.cfg\\.(Str|Float|Bool|Int|List|Dict)?Opt\"\n ]\n and (\n namedParameters contains [NamedParameter p:\n name == \"secret\"\n /*if secret=False then the password, for example, will be printed in clear*/\n and p.expression is [VariableAccess va: variable.name == \"False\"]\n /*Check if \"secret\" is assigned a variable of \"False\" value, example: secret=sec, where sec=False*/\n or p.expression is [VariableAccess va0: va0 in [Statement sa: sa contains [AssignmentStatement:\n rhs is [VariableAccess va1: va1.variable.name == \"False\"]\n and lhs is [ VariableAccess va2: va2 is va0 ]\n ]]]\n ]\n /* Check if \"secret\" parameter is not in namedParameters as the default value is \"False\"*/\n or not namedParameters contains [NamedParameter p1: name == \"secret\" ]\n )\n and arguments[1] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Unobfuscated Logging", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"__init__\"\n and enclosingClass.name matches 
\"oslo_config\\.cfg\\.(Str|Float|Bool|Int|List|Dict)?Opt\"\n ]\n and (\n namedParameters contains [NamedParameter p:\n name == \"secret\"\n /*if secret=False then the password, for example, will be printed in clear*/\n and p.expression is [VariableAccess va: variable.name == \"False\"]\n /*Check if \"secret\" is assigned a variable of \"False\" value, example: secret=sec, where sec=False*/\n or p.expression is [VariableAccess va0: va0 in [Statement sa: sa contains [AssignmentStatement:\n rhs is [VariableAccess va1: va1.variable.name == \"False\"]\n and lhs is [ VariableAccess va2: va2 is va0 ]\n ]]]\n ]\n /* Check if \"secret\" parameter is not in namedParameters as the default value is \"False\"*/\n or not namedParameters contains [NamedParameter p1: name == \"secret\" ]\n )\n and arguments[1] is [Expression:\n constantValue matches \"(?i).*pass(wd|word|phrase).*|.*token$\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and rhs.constantValue is [None:]\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and rhs.constantValue is [None:]\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\"\n and fa in [AssignmentStatement:\n lhs.location is 
[Location l:\n l.transitiveBase === fa.transitiveBase]\n and rhs.constantValue is [None:]\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and rhs.constantValue is [None:]\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and rhs.constantValue is [None:]\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and rhs.constantValue is [None:]\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and rhs.constantValue is [None: ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n ArrayAccess aa: 
aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and rhs.constantValue is [None: ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i)pass(wd|word)\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and rhs.constantValue is [None: ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and rhs.constantValue == \"\"\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and rhs.constantValue == \"\"\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and rhs.constantValue == \"\"\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - 
"vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and rhs.constantValue == \"\"\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and rhs.constantValue == \"\"\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and rhs.constantValue == \"\"\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and rhs.constantValue == \"\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and rhs.constantValue == \"\"]\n " - }, - { - "language": "python", 
- "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i)pass(wd|word)\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and rhs.constantValue == \"\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"PUT_REGEX_HERE\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"PUT_REGEX_HERE\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"PUT_REGEX_HERE\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"PUT_REGEX_HERE\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches 
\"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"]] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ))\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"PUT_REGEX_HERE\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"PUT_REGEX_HERE\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"PUT_REGEX_HERE\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"PUT_REGEX_HERE\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n 
(operation.rhs.location is\n [ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"]] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ))\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"(?i)pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"(?i)pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(?i)pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(?i)pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n 
(operation.rhs.location is\n [ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i)pass(wd|word)\"]] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ))\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": 
"python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i)pass(wd|word)\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None\n 
and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \"(?i).*pass(wd|word|phrase).*\"\n 
" - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\"\n and not fa.field.name matches \"(?i)pass(wd|word)\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and rhs.constantValue is [None:]\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\"\n and not va.variable.name matches \"(?i)pass(wd|word)\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and rhs.constantValue is [None:]\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i).*pass(wd|word).*\"\n and not sl.constantValue matches \"(?i)pass(wd|word)\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and rhs.constantValue is [None: ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\"\n and not fa.field.name matches \"(?i)pass(wd|word)\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and rhs.constantValue == \"\"\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": 
"Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\"\n and not va.variable.name matches \"(?i)pass(wd|word)\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and rhs.constantValue == \"\"\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i).*pass(wd|word).*\"\n and not sl.constantValue matches \"(?i)pass(wd|word)\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and rhs.constantValue == \"\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"(?i).*pass(wd|word).*\" and not val.variable.name matches \"(?i)pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"(?i).*pass(wd|word).*\" and not var.variable.name matches \"(?i)pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.lhs.location is\n [FieldAccess 
fal: fal.field is [Field fl: ]* and fal.field.name matches \"(?i).*pass(wd|word).*\" and not fal.field.name matches \"(?i)pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\" and\n not operation.rhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(?i).*pass(wd|word).*\" and not far.field.name matches \"(?i)pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ) or\n (operation.rhs.location is\n [ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i).*pass(wd|word).*\"]] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\" and\n not operation.lhs.constantValue matches \"(?i)true|false\"\n ))\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\"\n and not fa.field.name matches \"(?i)pass(wd|word)\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i).*pass(wd|word).*\"\n and not sl.constantValue 
matches \"(?i)pass(wd|word)\"]\n and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\"\n and not va.variable.name matches \"(?i)pass(wd|word)\"\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase]\n and not rhs.constantValue.None\n and not rhs.constantValue is [None:]\n and not rhs.constantValue == \"\"\n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Unobfuscated Logging", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"__init__\"\n and enclosingClass.name matches \"oslo_config\\.cfg\\.(Str|Float|Bool|Int|List|Dict)?Opt\"\n ]\n and (\n namedParameters contains [NamedParameter p:\n name == \"secret\"\n /*if secret=False then the password, for example, will be printed in clear*/\n and p.expression is [VariableAccess va: variable.name == \"False\"]\n /*Check if \"secret\" is assigned a variable of \"False\" value, example: secret=sec, where sec=False*/\n or p.expression is [VariableAccess va0: va0 in [Statement sa: sa contains [AssignmentStatement:\n rhs is [VariableAccess va1: va1.variable.name == \"False\"]\n and lhs is [ VariableAccess va2: va2 is va0 ]\n ]]]\n ]\n /* Check if \"secret\" parameter is not in namedParameters as the default value is \"False\"*/\n or not namedParameters contains [NamedParameter p1: name == \"secret\" 
]\n )\n and arguments[1] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Unobfuscated Logging", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"__init__\"\n and enclosingClass.name matches \"oslo_config\\.cfg\\.(Str|Float|Bool|Int|List|Dict)?Opt\"\n ]\n and (\n namedParameters contains [NamedParameter p:\n name == \"secret\"\n /*if secret=False then the password, for example, will be printed in clear*/\n and p.expression is [VariableAccess va: variable.name == \"False\"]\n /*Check if \"secret\" is assigned a variable of \"False\" value, example: secret=sec, where sec=False*/\n or p.expression is [VariableAccess va0: va0 in [Statement sa: sa contains [AssignmentStatement:\n rhs is [VariableAccess va1: va1.variable.name == \"False\"]\n and lhs is [ VariableAccess va2: va2 is va0 ]\n ]]]\n ]\n /* Check if \"secret\" parameter is not in namedParameters as the default value is \"False\"*/\n or not namedParameters contains [NamedParameter p1: name == \"secret\" ]\n )\n and arguments[1] is [Expression:\n constantValue matches \"PUT_REGEX_HERE\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Unobfuscated Logging", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"__init__\"\n and enclosingClass.name matches \"oslo_config\\.cfg\\.(Str|Float|Bool|Int|List|Dict)?Opt\"\n ]\n and (\n namedParameters contains [NamedParameter p:\n name == \"secret\"\n /*if secret=False then the password, for example, will be printed in clear*/\n and p.expression is [VariableAccess va: variable.name == \"False\"]\n /*Check if \"secret\" is assigned a variable of \"False\" value, example: secret=sec, where sec=False*/\n or p.expression is [VariableAccess va0: va0 in 
[Statement sa: sa contains [AssignmentStatement:\n rhs is [VariableAccess va1: va1.variable.name == \"False\"]\n and lhs is [ VariableAccess va2: va2 is va0 ]\n ]]]\n ]\n /* Check if \"secret\" parameter is not in namedParameters as the default value is \"False\"*/\n or not namedParameters contains [NamedParameter p1: name == \"secret\" ]\n )\n and arguments[1] is [Expression:\n constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto|access|secret).*key.*\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and 
not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n // prevent 1DE90697-BF28-4DDB-A786-30E5BABA15D2 dupes\n and not (\n variable.name == \"SECRET_KEY\"\n and variable.namespace.name matches \".*settings.*\"\n )\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n // prevent 1DE90697-BF28-4DDB-A786-30E5BABA15D2 dupes\n and not (\n variable.name == \"SECRET_KEY\"\n and variable.namespace.name matches \".*settings.*\"\n )\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: 
va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and rhs.constantValue is [None: ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and rhs.constantValue is [None: ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and rhs.constantValue is [None: ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n /* Exclude cases 
where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n // prevent 1DE90697-BF28-4DDB-A786-30E5BABA15D2 dupes\n and not (\n variable.name == \"SECRET_KEY\"\n and variable.namespace.name matches \".*settings.*\"\n )\n /* Exclude cases where key is used as the index to a 
dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n // prevent 1DE90697-BF28-4DDB-A786-30E5BABA15D2 dupes\n and not (\n variable.name == \"SECRET_KEY\"\n and variable.namespace.name matches \".*settings.*\"\n )\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"\n ] and aa in 
[AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and rhs.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and rhs.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and rhs.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\"\n /* Exclude cases where key is 
used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n // prevent 1DE90697-BF28-4DDB-A786-30E5BABA15D2 dupes\n and not (\n variable.name == \"SECRET_KEY\"\n and variable.namespace.name matches \".*settings.*\"\n )\n /* Exclude cases where the varAccess is in the func declaration */\n and not (enclosingFunction.parameters contains va.variable\n or va.enclosingFunction.sourceLocation.startLine == va.sourceLocation.startLine)\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments 
contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\"\n // prevent 1DE90697-BF28-4DDB-A786-30E5BABA15D2 dupes\n and not (\n variable.name == \"SECRET_KEY\"\n and variable.namespace.name matches \".*settings.*\"\n )\n /* Exclude cases where the varAccess is in the func declaration */\n and not (enclosingFunction.parameters contains va.variable\n or va.enclosingFunction.sourceLocation.startLine == va.sourceLocation.startLine)\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where the varAccess is in the func declaration */\n and not (enclosingFunction.parameters contains va.variable\n or va.enclosingFunction.sourceLocation.startLine == va.sourceLocation.startLine)\n /* Exclude cases where key is used as the index to a dict */\n and 
not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"PUT_REGEX_HERE\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and not rhs.constantValue.None\n and not 
rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n and not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n and not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n and not sl.constantValue matches 
\"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and rhs.constantValue is [None:]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n and not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n and not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches 
\"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n and not sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and rhs.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n and not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n /* Exclude cases where key is used as the index to a dict */\n and not fa.enclosingClass contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains fa]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n /* Exclude cases where the varAccess is in the func declaration */\n and not (enclosingFunction.parameters contains va.variable\n or va.enclosingFunction.sourceLocation.startLine == va.sourceLocation.startLine)\n /* Exclude cases where key is used as the index to a dict */\n and not enclosingFunction contains [FunctionCall: function.name == \"__getitem__\" and\n arguments contains va]\n and not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n and not 
va.enclosingFunction contains [FunctionCall fc: fc.name == \"__getitem__\"\n and fc.arguments contains [VariableAccess va2: va2 == va]]\n and va in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === va.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n ArrayAccess aa: aa.index is [StringLiteral sl:\n sl.constantValue matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\"\n and not sl.constantValue matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\"\n ] and aa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === aa.transitiveBase\n ] and not rhs.constantValue.None\n and not rhs.constantValue is [None: ]\n and not rhs.constantValue == \"\" \n and not rhs.constantValue matches \"(?i)true|false\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "Unobfuscated Logging", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"__init__\"\n and enclosingClass.name matches \"oslo_config\\.cfg\\.(Str|Float|Bool|Int|List|Dict)?Opt\"\n ]\n and (\n namedParameters contains [NamedParameter p:\n name == \"secret\"\n /*if secret=False then the password, for example, will be printed in clear*/\n and p.expression is [VariableAccess va: variable.name == \"False\"]\n /*Check if \"secret\" is assigned a variable of \"False\" value, example: secret=sec, where sec=False*/\n or p.expression is [VariableAccess va0: va0 in [Statement sa: sa contains [AssignmentStatement:\n rhs is [VariableAccess va1: va1.variable.name == 
\"False\"]\n and lhs is [ VariableAccess va2: va2 is va0 ]\n ]]]\n ]\n /* Check if \"secret\" parameter is not in namedParameters as the default value is \"False\"*/\n or not namedParameters contains [NamedParameter p1: name == \"secret\" ]\n )\n and arguments[1] is [Expression:\n constantValue matches \"(?i)^ssn.*|.*ssn$|.social.*security.*|.*creditcard.*|.*card(num|no).*|.*cvv.*|.*pin$\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "GraphQL Bad Practices", - "vuln_subcategory": "GraphiQL Enabled", - "predicate": "\n FunctionCall fc:\n fc.function is [Function:\n name == \"as_view\"\n and enclosingClass.supers contains [Class:\n name == \"flask.views.View\"\n ]\n ]\n and fc.environment is [FieldAccess:\n accessInstance is [FieldAccess:\n accessInstance is [VariableAccess:\n variable.type is [Type:\n name == \"flask_graphql.graphqlview.GraphQLView\"\n ]\n ]\n ]\n ]\n and fc.namedParameters contains [NamedParameter:\n name == \"graphiql\"\n and (\n expression is [VariableAccess: variable.name == \"True\"]*\n or expression is [BooleanLiteral: value is true]*\n )\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "GraphQL Bad Practices", - "vuln_subcategory": "Introspection Enabled", - "predicate": "\n FunctionCall fc:\n fc.function is [Function:\n name == \"as_view\"\n and enclosingClass.supers contains [Class:\n name == \"flask.views.View\"\n ]\n ]\n and fc.environment is [FieldAccess:\n accessInstance is [FieldAccess:\n accessInstance is [VariableAccess:\n variable.type is [Type:\n name == \"flask_graphql.graphqlview.GraphQLView\"\n ]\n ]\n ]\n ]\n and not fc.namedParameters contains [NamedParameter:\n name == \"middleware\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name 
matches \"execute(many)?\"\n and enclosingClass.supers contains [Class:\n name == \"django.db.backends.utils.CursorWrapper\"\n ]\n ]\n and fc.arguments[1] is [Expression: constantValue.None ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty PBE Password", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2\"\n and namespace.name == \"django.utils.crypto\"\n ] and arguments[0] is [Expression e:\n e.constantValue == \"\"\n or e.constantValue is [None :]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded PBE Password", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2\"\n and namespace.name == \"django.utils.crypto\"\n ] and arguments[0] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty PBE Password", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2_hmac\"\n and namespace.name == \"hashlib\"\n ] and arguments[1] is [Expression e:\n e.constantValue == \"\"\n or e.constantValue is [None :]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded PBE Password", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2_hmac\"\n and namespace.name == \"hashlib\"\n ] and arguments[1] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - 
"vuln_subcategory": "Empty PBE Password", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name matches \"PBKDF(1|2)|scrypt|bcrypt|HKDF\"\n and namespace.name == \"Crypto.Protocol.KDF\"\n ] and arguments[0] is [Expression e:\n e.constantValue == \"\"\n or e.constantValue is [None :]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded PBE Password", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name matches \"PBKDF(1|2)|scrypt|bcrypt|HKDF|SP800_108_Counter\"\n and namespace.name matches \"Crypto.Protocol.KDF\"\n ] and arguments[0] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Django Bad Practices", - "vuln_subcategory": "Overly Broad Host Header Verification", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function:\n name == \"__getitem__\"\n ]\n and arguments[0] is [FieldAccess fa:\n fa.field.name == \"META\"\n /* Commenting out until TI does a better job\n and fa.instance.possibleTypes contains [Type:\n definition.supers contains [Class:\n name matches \"django\\.http(\\.request)?\\.HttpRequest\"\n ]\n ] */\n ] and arguments[1].constantValue matches \"(?i)host\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Django Bad Practices", - "vuln_subcategory": "Attributes in Deny List", - "predicate": "\n AssignmentStatement:\n lhs is [FieldAccess fa: field.name == \"exclude\"\n and enclosingClass.name matches \".*\\.Meta\"\n ]*\n and rhs is [FunctionCall:\n possibleTargets contains [Function: name == \"~python~list\"]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Insecure PBE Iteration 
Count", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and arguments[2] is [Expression e:\n constantValue is [Number n: n > 999 and n < 100000 ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Insecure PBE Iteration Count", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and arguments[2] is [Expression e:\n constantValue is [Number n: n < 1000]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"dklen\"\n and expression.constantValue is [Number n:\n n < 128 and n != 0\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None PBE Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and not arguments[1].constantValue.None\n and arguments[1].constantValue is [None:]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty PBE Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and arguments[1].constantValue == \"\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": 
"Hardcoded PBE Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"pbkdf2\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and arguments[1] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"salted_hmac\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and not arguments[0].constantValue.None\n and arguments[0].constantValue is [None:]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"salted_hmac\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and arguments[0].constantValue == \"\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"salted_hmac\"\n and namespace.name == \"django.utils.crypto\"\n ]\n and arguments[0] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"EMAIL_HOST_PASSWORD\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral:]\n and rhs.constantValue == \"\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - 
"vuln_subcategory": "Hardcoded Password", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"EMAIL_HOST_PASSWORD\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral:]\n and rhs.constantValue != \"\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"EMAIL_HOST\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n ] and (not s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"EMAIL_USE_TLS\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [VariableAccess:\n variable.name == \"True\"\n ]*\n ] or s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"EMAIL_USE_TLS\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [VariableAccess:\n variable.name == \"False\"\n ]*\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Privacy Violation", - "vuln_subcategory": "BREACH", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [FunctionCall:\n possibleTargets contains [Function: name matches \"~python~(tuple|list)\"]\n and arguments contains [Expression:\n constantValue == \"django.middleware.csrf.CsrfViewMiddleware\"\n ]\n ]*\n ] and s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [FunctionCall:\n possibleTargets contains [Function: name matches \"~python~(tuple|list)\"]\n and arguments contains [Expression:\n constantValue == 
\"django.middleware.gzip.GZipMiddleware\"\n ]\n ]*\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"CACHE_BACKEND\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs.constantValue matches \".*memcached.*\"\n ] or s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"CACHES\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [FunctionCall:\n possibleTargets contains [Function: name == \"~python~dict\"]\n and arguments contains [FunctionCall:\n possibleTargets contains [Function: name == \"~python~dict\"]\n and arguments contains [Expression:\n constantValue matches \".*memcached.*\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"__setitem__\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"key\" and expression.constantValue == \"default\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"value\" and expression is [VariableAccess:\n variable is [Variable temp1:\n enclosingFunction contains [FunctionCall:\n function is [Function:\n name == \"__setitem__\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"key\" and expression.constantValue == \"BACKEND\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"value\" and expression.constantValue matches \".*memcached.*\"\n ]\n and namedParameters contains [NamedParameter self:\n name == \"self\"\n and expression is [VariableAccess:\n variable is [Variable temp2:\n temp2 is temp1\n ]*\n ]\n ]\n and instance is [Expression this:]\n ]\n ]*\n ]*\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and 
Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"raw\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.db\\.models\\..*(Manager|Query|QuerySet)\"\n ]\n ]\n and arguments[1] is [Expression: constantValue.None ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"extra\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.db\\.models\\..*(Manager|Query|QuerySet)\"\n ]\n ]\n and arguments[1] is [Expression: constantValue.None ]\n " - }, - { - "language": "python", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n FieldAccess fa: fa.field.name == \"FILES\"\n and fa.instance.type.definition.supers contains [Class:\n name matches \"django\\.http(\\.request)?\\.HttpRequest\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "HTML5", - "vuln_subcategory": "Insecure Cross-Origin Opener Policy", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"SECURE_CROSS_ORIGIN_OPENER_POLICY\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral: image matches \"(same\\-origin\\-allow\\-popups)|(unsafe\\-none)\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function:\n name == \"make_password\"\n and namespace.name == \"django.contrib.auth.hashers\"\n ]\n and namedParameters contains [NamedParameter p:\n name == \"salt\"\n and expression is [Expression:\n not 
constantValue.None\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Lack of Key Derivation Function", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function:\n name == \"make_password\"\n and namespace.name == \"django.contrib.auth.hashers\"\n ]\n and namedParameters contains [NamedParameter p:\n name == \"hasher\"\n and expression.constantValue matches \"(unsalted_)?(crypt|sha1|md5)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Lack of Key Derivation Function", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"PASSWORD_HASHERS\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [FunctionCall:\n possibleTargets contains [Function:\n name == \"~python~list\"\n ]\n and arguments[0] is [StringLiteral:\n image matches \"django\\.contrib\\.auth\\.hashers.(Unsalted)?(Crypt|MD5|SHA1)PasswordHasher\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Environment", - "vuln_category": "Insecure Deployment", - "vuln_subcategory": "Non Production Ready", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"INSTALLED_APPS\"\n and variable.namespace.name matches \".*settings.*\"\n ] and rhs is [FunctionCall:\n possibleTargets contains [Function: name == \"~python~tuple\"]\n and arguments contains [Expression:\n constantValue == \"django.contrib.staticfiles\"\n ]\n ]*\n ] and s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"DEBUG\"\n and variable.namespace.name matches \".*settings.*\"\n ] and rhs is [VariableAccess:\n variable.name == \"True\"\n ]*\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Environment", - "vuln_category": "Insecure Deployment", - "vuln_subcategory": "Non Production Ready", 
- "predicate": "\n FunctionCall: possibleTargets contains [Function:\n (name == \"url\" and namespace.name == \"django.conf.urls\")\n or name == \"~python~tuple\"\n ]\n and arguments contains [VariableAccess va:\n variable.name == \"serve\"\n and va.variable.namespace.name matches \".*urls.*\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Environment", - "vuln_category": "Insecure Deployment", - "vuln_subcategory": "Predictable Resource Name", - "predicate": "\n FunctionCall: possibleTargets contains [Function:\n (name == \"url\" and namespace.name == \"django.conf.urls\")\n or name == \"~python~tuple\"\n ]\n and arguments[0] is [StringLiteral: image matches \"(?i)^(.{2})?\\^admin\\/(.{1})?$\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n Statement s: s contains [AssignmentStatement as:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n ]*\n and not s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SECURE_SSL_REDIRECT\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [VariableAccess:\n variable.name == \"True\"\n ]\n ]\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "HSTS Does Not Include Subdomains", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n ]*\n and s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SECURE_HSTS_SECONDS\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs.constantValue is [Number n: n > 
0]\n ]*\n and not s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SECURE_HSTS_INCLUDE_SUBDOMAINS\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [VariableAccess:\n variable.name == \"True\"\n ]\n ]\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Insufficient HSTS Expiration Time", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n ]*\n and s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SECURE_HSTS_SECONDS\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n /* 30 days */\n and rhs.constantValue is [Number n1: n1 < 2592000]\n and rhs.constantValue is [Number n2: n2 > 0]\n ]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "HSTS not Set", - "predicate": "\n Statement s: s contains [AssignmentStatement as:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n ]*\n and not s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SECURE_HSTS_SECONDS\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs.constantValue is [Number n: n > 0]\n ]\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Environment", - "vuln_category": "HTML5", - "vuln_subcategory": "MIME Sniffing", - "predicate": "\n Statement s: s contains [AssignmentStatement as:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and 
variable.namespace.name matches \".*settings.*\"\n ]\n ]*\n and s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SECURE_CONTENT_TYPE_NOSNIFF\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [VariableAccess:\n variable.name == \"False\"\n ]\n ]\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Environment", - "vuln_category": "HTML5", - "vuln_subcategory": "MIME Sniffing", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1].constantValue matches \"(?i)(X-)?Content-Type-Options\"\n and fc.arguments[2].constantValue != \"nosniff\"\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "HTML5", - "vuln_subcategory": "Cross-Site Scripting Protection", - "predicate": "\n Statement s: s contains [AssignmentStatement as:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n ]*\n and not s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SECURE_BROWSER_XSS_FILTER\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [VariableAccess:\n variable.name == \"True\"\n ]\n ]\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "HTML5", - "vuln_subcategory": "Cross-Site Scripting Protection", - "predicate": "\n FunctionCall fc: 
possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1].constantValue matches \"(?i)(X-)?XSS-PROTECTION\"\n and (fc.arguments[2].constantValue == \"0\" or fc.arguments[2].constantValue == 0)\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Django Bad Practices", - "vuln_subcategory": "Pickle Serialized Sessions", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"SESSION_SERIALIZER\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral: image == \"django.contrib.sessions.serializers.PickleSerializer\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "HTML5", - "vuln_subcategory": "Cross-Site Scripting Protection", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1].constantValue matches \"(?i)(X-)?Content-Security-Policy|X-WebKit-CSP\"\n and fc.arguments[2].constantValue matches \"(?i).*reflected-xss\\s+allow.*\"\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches 
\"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1].constantValue matches \"(?i)(X-)?Content-Security-Policy|X-WebKit-CSP\"\n and fc.arguments[2].constantValue matches \"(?i).*sandbox\\s+allow-\\*.*\"\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Misconfigured Content Security Policy", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1].constantValue matches \"(?i)(X-)?Content-Security-Policy|X-WebKit-CSP\"\n and fc.arguments[2].constantValue matches \"(?i).*frame-src.*\"\n and not fc.arguments[2].constantValue matches \"(?i).*sandbox.*\"\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Misconfigured Content Security Policy", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1].constantValue matches \"(?i)(X-)?Content-Security-Policy|X-WebKit-CSP\"\n and fc.arguments[2].constantValue matches \"(?i).*script-src.*\"\n and not fc.arguments[2].constantValue matches \"(?i).*nonce.*\"\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": 
"Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Misconfigured Content Security Policy", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1].constantValue matches \"(?i)(X-)?Content-Security-Policy|X-WebKit-CSP\"\n and fc.arguments[2] is [Expression e:\n e.constantValue matches \"(?i).*unsafe-(eval|inline).*\"\n ]\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1] is [Expression: constantValue matches \"(?i)(X-)?Content-Security-Policy|X-WebKit-CSP\"]\n and fc.arguments[2] is [Expression: constantValue matches \"(?i).*src\\s+\\*[\\s;$]*.*\"]\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Misconfigured Content Security Policy", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [FunctionCall:\n possibleTargets contains [Function:\n name matches \"~python~(tuple|list)\"\n ]\n and arguments contains [Expression:\n constantValue == \"csp.middleware.CSPMiddleware\"\n 
]\n ]\n ]*\n and s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"CSP_.*_SRC\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [FunctionCall: possibleTargets contains [Function:\n name matches \"~python~(tuple|list)\"\n ]\n and arguments contains [Expression:\n constantValue matches \"'unsafe-(eval|inline)'\"\n ]\n ]\n ]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [FunctionCall:\n possibleTargets contains [Function:\n name matches \"~python~(tuple|list)\"\n ]\n and arguments contains [Expression:\n constantValue == \"csp.middleware.CSPMiddleware\"\n ]\n ]\n ]*\n and s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"CSP_SANDBOX\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [FunctionCall: possibleTargets contains [Function:\n name matches \"~python~(tuple|list)\"\n ]\n and arguments contains [Expression:\n constantValue matches \"(?i)allow-\\*\"\n ]\n ]\n ]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n Statement s: s contains [\n AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [FunctionCall:\n possibleTargets contains [Function:\n name matches \"~python~(tuple|list)\"\n ]\n and arguments contains [Expression:\n constantValue == \"csp.middleware.CSPMiddleware\"\n ]\n ]\n ]*\n and s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches 
\"CSP_.*_SRC\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [FunctionCall:possibleTargets contains [Function:\n name matches \"~python~(tuple|list)\"\n ]\n and arguments contains [Expression:\n constantValue == \"*\"\n ]\n ]\n ]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"__setitem__\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and fc.arguments[1] is [Expression: constantValue matches \"(?i)Access-Control-Allow-Origin\"]\n and fc.arguments[2] is [Expression: constantValue == \"*\"]\n and not arguments[0] is [FieldAccess fa: field.name == \"session\"]\n and not arguments[0] is [VariableAccess va: variable.name == \"session\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"CORS_ORIGIN_ALLOW_ALL\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [VariableAccess:\n variable.name == \"True\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [FunctionCall:\n possibleTargets contains [Function: name matches \"~python~(tuple|list)\"]\n and not arguments contains [Expression e:\n e.constantValue == \"django.middleware.csrf.CsrfViewMiddleware\"\n ]\n ]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Django Bad 
Practices", - "vuln_subcategory": "Cookie Stored Sessions", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"SESSION_ENGINE\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral: image == \"django.contrib.sessions.backends.signed_cookies\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Frame Scripting", - "vuln_subcategory": None, - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and (\n rhs is [FunctionCall:\n possibleTargets contains [Function: name matches \"~python~(tuple|list)\"]\n and not arguments contains [Expression e:\n e.constantValue == \"django.middleware.clickjacking.XFrameOptionsMiddleware\"\n ]\n ]\n and not s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SECURE_FRAME_DENY\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [VariableAccess:\n variable.name == \"True\"\n ]\n ]\n )]*\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Path", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name matches \"(CSRF|SESSION)_COOKIE_PATH\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral:\n image == \"/\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name matches \"(CSRF|SESSION)_COOKIE_DOMAIN\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral: 
image matches \"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name matches \"(CSRF|SESSION)_COOKIE_DOMAIN\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral: image matches \"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Session Cookie not Sent Over SSL", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ] and rhs is [FunctionCall:\n possibleTargets contains [Function: name matches \"~python~(tuple|list)\"]\n and arguments contains [Expression e:\n e.constantValue == \"django.contrib.sessions.middleware.SessionMiddleware\"\n ]\n ]\n ]*\n and not s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"SESSION_COOKIE_SECURE\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n ]\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "CSRF Cookie not Sent Over SSL", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ] and rhs is [FunctionCall:\n possibleTargets contains [Function: name matches \"~python~(tuple|list)\"]\n and arguments contains [Expression e:\n e.constantValue == \"django.middleware.csrf.CsrfViewMiddleware\"\n ]\n ]\n ]*\n and not s contains 
[AssignmentStatement:\n lhs is [VariableAccess:\n variable.name == \"CSRF_COOKIE_SECURE\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n ]\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Session Cookie not Sent Over SSL", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"SESSION_COOKIE_SECURE\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [VariableAccess:\n variable.name == \"False\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "CSRF Cookie not Sent Over SSL", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"CSRF_COOKIE_SECURE\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [VariableAccess:\n variable.name == \"False\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set on CSRF Cookie", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ] and rhs is [FunctionCall:\n possibleTargets contains [Function: name matches \"~python~(tuple|list)\"]\n and arguments contains [Expression e:\n e.constantValue == \"django.middleware.csrf.CsrfViewMiddleware\"\n ]\n ]\n ]*\n and (\n s contains [AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"CSRF_COOKIE_HTTPONLY\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [VariableAccess:\n variable.name == \"False\"\n ]\n ]* or not s contains [AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"CSRF_COOKIE_HTTPONLY\"\n 
and variable.namespace.name matches \".*settings.*\"\n ]\n ]\n )\n /* Only report on top level statement (whole file) */\n and not s in [Statement parentStatement: ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set on Session Cookie", - "predicate": "\n Statement s: s contains [AssignmentStatement:\n lhs is [VariableAccess:\n variable.name matches \"MIDDLEWARE(_CLASSES)?\"\n and variable.namespace.name matches \".*settings.*\"\n ] and rhs is [FunctionCall:\n possibleTargets contains [Function: name matches \"~python~(tuple|list)\"]\n and arguments contains [Expression e:\n e.constantValue == \"django.contrib.sessions.middleware.SessionMiddleware\"\n ]\n ]\n ]*\n and s contains [AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"SESSION_COOKIE_HTTPONLY\"\n and variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [VariableAccess:\n variable.name == \"False\"\n ]\n ]*\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Permissive SameSite Attribute", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name matches \"(SESSION|CSRF)_COOKIE_SAMESITE\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and\n (\n rhs is [StringLiteral: image matches \"Lax|None\"] or\n rhs is [VariableAccess: variable.name == \"False\"]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Django Bad Practices", - "vuln_subcategory": "Overly Broad Host Header Verification", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"ALLOWED_HOSTS\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [FunctionCall: possibleTargets contains [Function: name == \"~python~list\"]\n and arguments contains [StringLiteral: image == \"*\"]\n ]\n " - }, - 
{ - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n AssignmentStatement: lhs is [\n VariableAccess va: va.variable.name == \"SECRET_KEY_FALLBACKS\"\n and va.variable.namespace.name matches \".*settings.*\"\n ]\n and rhs is [FunctionCall:\n possibleTargets contains [Function:\n name == \"~python~list\"\n ]\n and arguments[0] is [Expression:\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name == \"SECRET_KEY\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [StringLiteral:]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": "External", - "predicate": "\n AssignmentStatement: lhs is [VariableAccess:\n variable.name matches \"(TEMPLATE_)?DEBUG(_PROPAGATE_EXCEPTIONS)?\"\n and variable.namespace.name matches \".*settings.*\"\n ]*\n and rhs is [VariableAccess:\n variable.name == \"True\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Cross-Site Scripting", - "vuln_subcategory": "Poor Validation", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"~django~firstof\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Cross-Site Scripting", - "vuln_subcategory": "Poor Validation", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name matches \"safe|safeseq|escape|force_escape\"\n and namespace.name == \"django.template.defaultfilters\"\n ]\n and arguments[0] is [Expression e:]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - 
"vuln_category": "System Information Leak", - "vuln_subcategory": "External", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"~django~debug\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall fc:\n fc.name matches \"create_(super)?user\"\n and fc.instance is [VariableAccess:\n possibleTypes contains [Type:\n definition.supers contains [Class:\n name == \"django.contrib.auth.models.UserManager\"\n ]\n ]\n ]\n and fc.namedParameters contains [NamedParameter np:\n np.name == \"password\"\n and expression is [Expression e:\n constantValue.None\n and constantValue is [None:]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc:\n fc.name matches \"create_(super)?user\"\n and fc.instance is [VariableAccess:\n possibleTypes contains [Type:\n definition.supers contains [Class:\n name == \"django.contrib.auth.models.UserManager\"\n ]\n ]\n ]\n and fc.namedParameters contains [NamedParameter np:\n np.name == \"password\"\n and expression is [Expression e:\n not constantValue.None\n and not constantValue is [None: ]\n and constantValue == \"\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc:\n fc.name matches \"create_(super)?user\"\n and fc.instance is [VariableAccess:\n possibleTypes contains [Type:\n definition.supers contains [Class:\n name == \"django.contrib.auth.models.UserManager\"\n ]\n ]\n ]\n and fc.namedParameters contains [NamedParameter np:\n np.name == \"password\"\n and expression is [Expression e:\n not constantValue.None\n and not constantValue is [None: ]\n and not 
constantValue == \"\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Path", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[6].constantValue == \"/\"\n or (not fc.namedParameters contains [NamedParameter:\n name == \"path\"\n ] and fc.arguments.length < 7)\n or fc.namedParameters contains [NamedParameter:\n name == \"path\"\n and expression.constantValue == \"/\"\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Path", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[5].constantValue == \"/\"\n or (not fc.namedParameters contains [NamedParameter:\n name == \"path\"\n ] and fc.arguments.length < 6)\n or fc.namedParameters contains [NamedParameter:\n name == \"path\"\n and expression.constantValue == \"/\"\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[7].constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"\n or fc.namedParameters contains [NamedParameter:\n name == \"domain\"\n and expression.constantValue matches 
\"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[7].constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"\n or fc.namedParameters contains [NamedParameter:\n name == \"domain\"\n and expression.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[6].constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"\n or fc.namedParameters contains [NamedParameter:\n name == \"domain\"\n and expression.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[6].constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"\n or fc.namedParameters contains [NamedParameter:\n name == \"domain\"\n and expression.constantValue matches 
\"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[8] is [VariableAccess: variable.name == \"False\"]\n /* or fc.arguments[8].constantValue is [None:] */\n or (not fc.namedParameters contains [NamedParameter:\n name == \"secure\"\n ] and fc.arguments.length < 9)\n or fc.namedParameters contains [NamedParameter:\n name == \"secure\"\n and (expression is [VariableAccess: variable.name == \"False\"]\n or expression.constantValue is [None:])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[7] is [VariableAccess: variable.name == \"False\"]\n or fc.arguments[7].constantValue is [None:]\n or (not fc.namedParameters contains [NamedParameter:\n name == \"secure\"\n ] and fc.arguments.length < 8)\n or fc.namedParameters contains [NamedParameter:\n name == \"secure\"\n and (expression is [VariableAccess: variable.name == \"False\"]\n or expression.constantValue is [None:])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Persistent Cookie", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name 
matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[5] is [VariableAccess: variable.name == \"False\"]\n /* or fc.arguments[5].constantValue is [None:] */\n or (not fc.namedParameters contains [NamedParameter:\n name == \"expires\"\n ] and fc.arguments.length < 6)\n or fc.namedParameters contains [NamedParameter:\n name == \"expires\"\n and (expression is [VariableAccess: variable.name == \"False\"]\n or expression.constantValue is [None:])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Persistent Cookie", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[4] is [VariableAccess: variable.name == \"False\"]\n or fc.arguments[4].constantValue is [None:]\n or (not fc.namedParameters contains [NamedParameter:\n name == \"expires\"\n ] and fc.arguments.length < 5)\n or fc.namedParameters contains [NamedParameter:\n name == \"expires\"\n and (expression is [VariableAccess: variable.name == \"False\"]\n or expression.constantValue is [None:])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[9] is [VariableAccess: variable.name == \"False\"]\n or fc.namedParameters contains [NamedParameter:\n name == \"httponly\"\n and expression is [VariableAccess: variable.name == \"False\"]\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - 
"vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[8] is [VariableAccess: variable.name == \"False\"]\n or (not fc.namedParameters contains [NamedParameter:\n name == \"httponly\"\n ] and fc.arguments.length < 9)\n or fc.namedParameters contains [NamedParameter:\n name == \"httponly\"\n and expression is [VariableAccess: variable.name == \"False\"]\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"get_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.request)?\\.HttpRequest\"\n ]\n ]\n and (fc.arguments[2] is [Expression:\n not constantValue.None\n and (constantValue is [None:]\n or constantValue == \"\")\n ]\n or (not fc.namedParameters contains [NamedParameter:\n name == \"salt\"\n ] and fc.arguments.length < 3)\n or fc.namedParameters contains [NamedParameter:\n name == \"salt\"\n and expression is [Expression:\n not constantValue.None\n and (constantValue is [None:]\n or constantValue == \"\")\n ]\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"get_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.request)?\\.HttpRequest\"\n ]\n ]\n and (fc.arguments[2] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n or fc.namedParameters contains 
[NamedParameter:\n name == \"salt\"\n and expression is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[3] is [Expression:\n not constantValue.None\n and (constantValue == \"\"\n or constantValue is [None:])\n ]\n or not fc.namedParameters contains [NamedParameter:\n name == \"salt\"\n ]\n or fc.namedParameters contains [NamedParameter:\n name == \"salt\"\n and expression is [Expression:\n not constantValue.None\n and (constantValue == \"\"\n or constantValue is [None:])\n ]\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name == \"set_signed_cookie\"\n and enclosingClass.supers contains [Class:\n name matches \"django\\.http(\\.response)?\\.(Streaming)?HttpResponse(Base)?\"\n ]\n ]\n and (fc.arguments[3] is [Expression:\n not constantValue.None\n and not constantValue == \"\"\n and not constantValue is [None: ]\n ]\n or fc.namedParameters contains [NamedParameter:\n name == \"salt\"\n and expression is [Expression:\n not constantValue.None\n and not constantValue == \"\"\n and not constantValue is [None: ]\n ]\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Randomness", - "vuln_subcategory": "Weak Entropy Source", - "predicate": "\n FunctionCall fc: name matches \"(wh)?seed|__init__\"\n and function.enclosingClass.name matches 
\"random\\.(Random|WichmannHill)\"\n and ( arguments.length == 0\n or arguments[0] is [NoneLiteral:]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Randomness", - "vuln_subcategory": "Weak Entropy Source", - "predicate": "\n FunctionCall fc: name matches \"(wh)?seed\"\n and function.namespace.name == \"random\"\n and namedParameters contains [NamedParameter: name == \"a\"\n and expression is [NoneLiteral:]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Randomness", - "vuln_subcategory": "Weak Entropy Source", - "predicate": "\n FunctionCall fc: name matches \"(wh)?seed\"\n and function.namespace.name == \"random\"\n and ( arguments.length == 0\n or arguments[0] is [NoneLiteral:]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"_hashlib.HASH\"\n and (arguments[1] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or arguments[1] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"_hashlib.HASH\"\n and (arguments[1] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [VariableAccess:\n 
variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"_hashlib.HASH\"\n and (arguments[1] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None Salt", - "predicate": "\n FunctionCall fc: name matches \"md5|sha1|sha224|sha256|sha384|sha512\"\n and function.namespace.name == \"hashlib\"\n and (arguments[0] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or arguments[0] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: name matches \"md5|sha1|sha224|sha256|sha384|sha512\"\n and 
function.namespace.name == \"hashlib\"\n and (arguments[0] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: name matches \"md5|sha1|sha224|sha256|sha384|sha512\"\n and function.namespace.name == \"hashlib\"\n and (arguments[0] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None Salt", - "predicate": "\n FunctionCall fc: name matches \"md5|sha1|sha224|sha256|sha384|sha512\"\n and function.namespace.name == \"hashlib\"\n and (arguments[0] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or arguments[0] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": 
"Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: name matches \"md5|sha1|sha224|sha256|sha384|sha512\"\n and function.namespace.name == \"hashlib\"\n and (arguments[0] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: name matches \"md5|sha1|sha224|sha256|sha384|sha512\"\n and function.namespace.name == \"hashlib\"\n and (arguments[0] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None PBE Salt", - "predicate": "\n FunctionCall fc: name == \"pbkdf2_hmac\"\n and function.namespace.name == \"hashlib\"\n and arguments[2] is [FieldAccess:\n not constantValue.None\n and constantValue is [None:]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty PBE Salt", - "predicate": "\n FunctionCall fc: 
name == \"pbkdf2_hmac\"\n and function.namespace.name == \"hashlib\"\n and arguments[2] is [FieldAccess:\n constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded PBE Salt", - "predicate": "\n FunctionCall fc: name == \"pbkdf2_hmac\"\n and function.namespace.name == \"hashlib\"\n and arguments[2] is [FieldAccess:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None PBE Salt", - "predicate": "\n FunctionCall fc: name == \"pbkdf2_hmac\"\n and function.namespace.name == \"hashlib\"\n and arguments[2] is [VariableAccess:\n not constantValue.None\n and constantValue is [None:]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty HMAC Key", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name == \"hmac\"\n and arguments[0] is [Expression e:\n not e.constantValue.None\n and e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded HMAC Key", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name == \"Crypto.Hash.HMAC\"\n and arguments[0] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None: ]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded HMAC Key", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name == \"hmac\"\n and arguments[0] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None: 
]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty PBE Salt", - "predicate": "\n FunctionCall fc: name == \"pbkdf2_hmac\"\n and function.namespace.name == \"hashlib\"\n and arguments[2] is [VariableAccess:\n constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded PBE Salt", - "predicate": "\n FunctionCall fc: name == \"pbkdf2_hmac\"\n and function.namespace.name == \"hashlib\"\n and arguments[2] is [VariableAccess:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: name matches \"__init__|request\"\n and fc.function.enclosingClass.name == \"httplib2.Http\"\n and fc.namedParameters contains [NamedParameter p1:\n name == \"disable_ssl_certificate_validation\"\n and expression is [VariableAccess:\n variable.name == \"True\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: name == \"open\"\n and fc.function.enclosingClass.name == \"urllib2.OpenerDirector\"\n and fc.arguments[1].constantValue matches \"(?i)^https.*\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: name matches \"open|retrieve\"\n and fc.function.enclosingClass.name == \"urllib.URLopener\"\n and fc.arguments[1].constantValue matches \"(?i)^https.*\"\n " - }, - { - 
"language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: function.name == \"__init__\"\n and function.enclosingClass.name == \"imaplib.IMAP4\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: function.name == \"__init__\"\n and function.enclosingClass.name == \"poplib.POP3\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"connect\"\n and fc.function.namespace.name == \"psycopg2\"\n and fc.namedParameters contains [NamedParameter p:\n p.name == \"password\"\n and (p.expression is [VariableAccess va: va.variable.name == \"None\"]\n or p.expression.constantValue is [None: ])\n and not p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"connect\"\n and fc.function.namespace.name == \"psycopg2\"\n and fc.namedParameters contains [NamedParameter p:\n p.name == \"password\"\n and not p.expression.constantValue.None\n and not p.expression.constantValue is [None: ]\n and p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"connect\"\n and fc.function.namespace.name == \"psycopg2\"\n and fc.namedParameters contains [NamedParameter p:\n p.name == \"password\"\n and not p.expression.constantValue.None\n and not p.expression.constantValue is 
[None: ]\n and not p.expression.constantValue == \"\"\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Insecure SSL",
- "vuln_subcategory": "Server Identity Verification Disabled",
- "predicate": "\n FunctionCall fc: fc.function.name == \"setopt\"\n and fc.function.enclosingClass.name matches \"pycurl\\.Curl(Share)?\"\n and (fc.arguments[1] is [VariableAccess va:\n va.variable.name matches \"SSL_(VERIFYPEER|VERIFYHOST)\"\n and va.variable.namespace.name == \"pycurl\"\n ] or\n fc.arguments[1] is [FieldAccess fa:\n fa.field.name matches \"SSL_(VERIFYPEER|VERIFYHOST)\"\n and fa.field.enclosingClass.name == \"pycurl.Curl\"\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Password Management",
- "vuln_subcategory": "None Password",
- "predicate": "\n FunctionCall fc: fc.function.name == \"setopt\"\n and fc.function.enclosingClass.name matches \"pycurl\\.Curl(Share)?\"\n and (fc.arguments[1] is [VariableAccess va:\n va.variable.name == \"USERPWD\"\n and va.variable.namespace.name == \"pycurl\"\n ] or\n fc.arguments[1] is [FieldAccess fa:\n fa.field.name == \"USERPWD\"\n and fa.field.enclosingClass.name == \"pycurl.Curl\"\n ])\n and (fc.arguments[2] is [VariableAccess va2: va2.variable.name == \"None\"]\n or fc.arguments[2].constantValue is [None: ])\n and not fc.arguments[2].constantValue == \"\"\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Password Management",
- "vuln_subcategory": "Empty Password",
- "predicate": "\n FunctionCall fc: fc.function.name == \"setopt\"\n and fc.function.enclosingClass.name matches \"pycurl\\.Curl(Share)?\"\n and (fc.arguments[1] is [VariableAccess va:\n va.variable.name == \"USERPWD\"\n and va.variable.namespace.name == \"pycurl\"\n ] or\n fc.arguments[1] is [FieldAccess fa:\n fa.field.name == \"USERPWD\"\n and fa.field.enclosingClass.name == \"pycurl.Curl\"\n ])\n and not 
fc.arguments[2].constantValue.None\n and not fc.arguments[2].constantValue is [None: ]\n and fc.arguments[2].constantValue == \"\"\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Password Management",
- "vuln_subcategory": "Hardcoded Password",
- "predicate": "\n FunctionCall fc: fc.function.name == \"setopt\"\n and fc.function.enclosingClass.name matches \"pycurl\\.Curl(Share)?\"\n and (fc.arguments[1] is [VariableAccess va:\n va.variable.name == \"USERPWD\"\n and va.variable.namespace.name == \"pycurl\"\n ] or\n fc.arguments[1] is [FieldAccess fa:\n fa.field.name == \"USERPWD\"\n and fa.field.enclosingClass.name == \"pycurl.Curl\"\n ])\n and not fc.arguments[2].constantValue.None\n and not fc.arguments[2].constantValue is [None: ]\n and not fc.arguments[2].constantValue == \"\"\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Encapsulation",
- "vuln_category": "System Information Leak",
- "vuln_subcategory": "Internal",
- "predicate": "\n FunctionCall fc: fc.function.name == \"enable\"\n and fc.function.namespace.name == \"cgitb\"\n and fc.namedParameters contains [NamedParameter: name == \"display\"\n and expression is [Expression e: e.constantValue == 0 ]]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Encapsulation",
- "vuln_category": "System Information Leak",
- "vuln_subcategory": "External",
- "predicate": "\n FunctionCall fc: fc.function.name == \"enable\"\n and fc.function.namespace.name == \"cgitb\"\n and (not fc.namedParameters contains [NamedParameter: name == \"display\"]\n or fc.namedParameters contains [NamedParameter: name == \"display\"\n and expression.constantValue != 0])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Code Quality",
- "vuln_category": "Fortify Internal",
- "vuln_subcategory": None,
- "predicate": "\n Field f: f.name == \"cgi\"\n and f.enclosingClass is [Class c: c.name matches \".*~module\"]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": 
"Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": "External", - "predicate": "\n FunctionCall fc: fc.function.name matches \"print_environ|print_directory|print_environ_usage\"\n and fc.function.namespace.name == \"cgi\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.function.name matches \"get|put|patch|post|delete|head|options|send\"\n and fc.function.enclosingClass.name == \"requests.sessions.Session\"\n and fc.namedParameters contains [NamedParameter p1:\n name == \"verify\"\n and expression is [VariableAccess:\n variable.name == \"False\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.function.name matches \"get|patch|put|post|delete|head|options|request\"\n and fc.function.namespace.name == \"requests.api\"\n and fc.namedParameters contains [NamedParameter p1:\n name == \"verify\"\n and expression is [VariableAccess:\n variable.name == \"False\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"__init__\"\n and fc.function.enclosingClass.name == \"httplib.HTTPSConnection\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"urlopen\"\n and fc.function.namespace.name == \"urllib2\"\n and fc.arguments[0].constantValue matches \"(?i)^https.*\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - 
"vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.function.name matches \"urlopen|urlretrieve\"\n and fc.function.namespace.name == \"urllib\"\n and fc.arguments[0].constantValue matches \"(?i)^https.*\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)\"\n and fc.function.namespace.name == \"Crypto.Protocol.KDF\"\n and namedParameters contains [NamedParameter:\n name == \"dkLen\"\n and expression.constantValue is [Number n: n == 0]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)\"\n and fc.function.namespace.name == \"Crypto.Protocol.KDF\"\n and namedParameters contains [NamedParameter:\n name == \"dkLen\"\n and expression.constantValue is [Number n:\n n < 128 and n > 0\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall fc: name == \"pbkdf2_hmac\"\n and function.namespace.name == \"hashlib\"\n and namedParameters contains [NamedParameter:\n name == \"dklen\"\n and expression.constantValue is [Number n:\n n < 16\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Initialization Vector", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and arguments[5] is [Expression e:\n not constantValue.None\n and not constantValue is [None:]\n and not 
constantValue == \"\"\n ] and arguments[1].constantValue != arguments[5].constantValue\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments[4] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] and arguments[0].constantValue != arguments[4].constantValue\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and namedParameters contains [NamedParameter p:\n name == \"IV\"\n and expression is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and namedParameters contains [NamedParameter p:\n name == \"IV\"\n and expression is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches 
\"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and not namedParameters contains [NamedParameter p:\n name == \"IV\"\n ]\n and (arguments.length < 4\n or not arguments[3].constantValue.None\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Stream Cipher", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and arguments contains [VariableAccess va:\n variable.name == \"MODE_CTR\"\n and variable.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Stream Cipher", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments contains [VariableAccess va:\n variable.name == \"MODE_CTR\"\n and variable.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"(Crypto\\.Cipher\\.DES3\\.DES3)(_)?Cipher\"\n and arguments[1] is [Expression e:\n constantValue is [String s: s.length < 21]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|Blowfish|CAST)\\.(AES|Blowfish|CAST128)(_)?Cipher\"\n and 
arguments[1] is [Expression e:\n constantValue is [String s: s.length < 16]\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insufficient Key Size",
- "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name == \"Crypto.Cipher.DES3\"\n and arguments[0] is [Expression e:\n constantValue is [String s: s.length < 21]\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insufficient Key Size",
- "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|Blowfish|CAST)\"\n and arguments[0] is [Expression e:\n constantValue is [String s: s.length < 16]\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Predictable Salt",
- "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)|scrypt\"\n and fc.function.namespace.name == \"Crypto.Protocol.KDF\"\n and arguments[0] is arguments[1]\n and arguments[0].constantValue.None\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Predictable Salt",
- "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)|scrypt\"\n and fc.function.namespace.name == \"Crypto.Protocol.KDF\"\n and arguments[0].constantValue === arguments[1].constantValue\n and not arguments[0].constantValue.None\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Predictable Salt",
- "predicate": "\n FunctionCall fc: name == \"pbkdf2_hmac\"\n and fc.function.namespace.name == \"hashlib\"\n and arguments[1] is arguments[2]\n and arguments[1].constantValue.None\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security 
Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Predictable Salt", - "predicate": "\n FunctionCall fc: name == \"pbkdf2_hmac\"\n and fc.function.namespace.name == \"hashlib\"\n and arguments[1].constantValue === arguments[2].constantValue\n and not arguments[1].constantValue.None\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Initialization Vector", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and arguments[1] is arguments[5]\n and arguments[1].constantValue.None\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Initialization Vector", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments[0] is arguments[4]\n and arguments[0].constantValue.None\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Initialization Vector", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and arguments[1].constantValue === arguments[5].constantValue\n and not arguments[1].constantValue.None\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Initialization Vector", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments[0].constantValue === 
arguments[2].constantValue\n and not arguments[0].constantValue.None\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments[0].constantValue === arguments[4].constantValue\n and not arguments[0].constantValue.None\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Inadequate RSA Padding",
- "predicate": "\n FunctionCall fc: name matches \"encrypt|decrypt\"\n and function.enclosingClass.name == \"Crypto.PublicKey.RSA._RSAobj\"\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Key Management",
- "vuln_subcategory": "Hardcoded Encryption Key",
- "predicate": "\n FunctionCall fc: name == \"importKey\"\n and function.namespace.name == \"Crypto.PublicKey.RSA\"\n and namedParameters contains [NamedParameter p:\n name == \"passphrase\"\n and expression is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n ]\n and arguments.length < 3\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Key Management",
- "vuln_subcategory": "Unencrypted Private Key",
- "predicate": "\n FunctionCall fc: name == \"importKey\"\n and function.namespace.name == \"Crypto.PublicKey.RSA\"\n and namedParameters contains [NamedParameter p:\n name == \"passphrase\"\n and expression is [Expression e:\n e.constantValue is [None:]\n or e.constantValue == \"\"\n ]\n ]\n and arguments.length < 3\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Key Management",
- "vuln_subcategory": "Hardcoded Encryption Key",
- "predicate": "\n FunctionCall fc: name 
== \"exportKey\"\n and function.enclosingClass.name == \"Crypto.PublicKey.RSA._RSAobj\"\n and namedParameters contains [NamedParameter p:\n name == \"passphrase\"\n and expression is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n ]\n and arguments.length < 4\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Unencrypted Private Key", - "predicate": "\n FunctionCall fc: name == \"exportKey\"\n and function.enclosingClass.name == \"Crypto.PublicKey.RSA._RSAobj\"\n and namedParameters contains [NamedParameter p:\n name == \"passphrase\"\n and expression is [Expression e:\n e.constantValue is [None:]\n or e.constantValue == \"\"\n ]\n ]\n and arguments.length < 4\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc: name == \"importKey\"\n and function.namespace.name == \"Crypto.PublicKey.RSA\"\n and arguments[1] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Unencrypted Private Key", - "predicate": "\n FunctionCall fc: name == \"importKey\"\n and function.namespace.name == \"Crypto.PublicKey.RSA\"\n and arguments[1] is [Expression e:\n e.constantValue is [None:]\n or e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc: name == \"exportKey\"\n and function.enclosingClass.name == \"Crypto.PublicKey.RSA._RSAobj\"\n and arguments[2] is [Expression e:\n not e.constantValue.None\n and not 
e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Key Management",
- "vuln_subcategory": "Unencrypted Private Key",
- "predicate": "\n FunctionCall fc: name == \"exportKey\"\n and function.enclosingClass.name == \"Crypto.PublicKey.RSA._RSAobj\"\n and arguments.length == 1\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Key Management",
- "vuln_subcategory": "Unencrypted Private Key",
- "predicate": "\n FunctionCall fc: name == \"exportKey\"\n and function.enclosingClass.name == \"Crypto.PublicKey.RSA._RSAobj\"\n and arguments[2] is [Expression e:\n e.constantValue is [None:]\n or e.constantValue == \"\"\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Key Management",
- "vuln_subcategory": "Hardcoded Encryption Key",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and arguments[1] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None: ]\n and not e.constantValue == \"\"\n ]\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "None Salt",
- "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[0] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue is [None:]\n and constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n "
- },
- {
- 
"language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[0] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[0] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None Salt", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[0] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or arguments[0] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not 
constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Empty Salt",
- "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[0] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Hardcoded Salt",
- "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[0] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[0] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "None Salt",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[1] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not 
constantValue.None\n and constantValue is [None:]\n ] or arguments[1] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Empty Salt",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[1] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Hardcoded Salt",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[1] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "None Salt",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n 
and function.enclosingClass.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[1] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or arguments[1] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Empty Salt",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[1] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n "
- },
- {
- "language": "python",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Hash",
- "vuln_subcategory": "Hardcoded Salt",
- "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Hash\\.(.*)\"\n and (arguments[1] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n "
- },
- { 
- "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"Crypto.Hash.hashalgo.HashAlgo\"\n and (arguments[1] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or arguments[1] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"Crypto.Hash.hashalgo.HashAlgo\"\n and (arguments[1] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"Crypto.Hash.hashalgo.HashAlgo\"\n and (arguments[1] is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [FieldAccess:\n field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [FieldAccess:\n 
field.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"Crypto.Hash.hashalgo.HashAlgo\"\n and (arguments[1] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n ] or arguments[1] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and constantValue is [None:]\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"Crypto.Hash.hashalgo.HashAlgo\"\n and (arguments[1] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or arguments[1] is [Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded Salt", - "predicate": "\n FunctionCall fc: name == \"update\"\n and function.enclosingClass.name == \"Crypto.Hash.hashalgo.HashAlgo\"\n and (arguments[1] is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or arguments[1] is 
[Operation:\n (rhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ] or lhs is [VariableAccess:\n variable.name matches \"(?i).*salt.*\"\n and not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ])\n ])\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: name matches \"__init__|new\"\n and function.enclosingClass.name matches \"Crypto\\.Hash\\.(MD2|MD4|MD5|SHA|RIPEMD|keccak)\\.(MD2|MD4|MD5|RIPEMD160|SHA1|Keccak_)Hash\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Hash\\.(MD2|MD4|MD5|SHA|RIPEMD|keccak)\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None PBE Salt", - "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)\"\n and function.namespace.name == \"Crypto.Protocol.KDF\"\n and arguments[1] is [FieldAccess:\n not constantValue.None\n and constantValue is [None:]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty PBE Salt", - "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)\"\n and function.namespace.name == \"Crypto.Protocol.KDF\"\n and arguments[1] is [FieldAccess:\n constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded PBE Salt", - "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)\"\n and function.namespace.name == 
\"Crypto.Protocol.KDF\"\n and arguments[1] is [FieldAccess:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "None PBE Salt", - "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)\"\n and function.namespace.name == \"Crypto.Protocol.KDF\"\n and arguments[1] is [VariableAccess:\n not constantValue.None\n and constantValue is [None:]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty PBE Salt", - "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)\"\n and function.namespace.name == \"Crypto.Protocol.KDF\"\n and arguments[1] is [VariableAccess:\n constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded PBE Salt", - "predicate": "\n FunctionCall fc: name matches \"PBKDF(1|2)\"\n and function.namespace.name == \"Crypto.Protocol.KDF\"\n and arguments[1] is [VariableAccess:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments[0] is [Expression e:\n not e.constantValue.None\n and not e.constantValue is [None:]\n and not e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and 
function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and arguments[1] is [Expression e:\n e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments[0] is [Expression e:\n e.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and not namedParameters contains [NamedParameter p:\n name == \"mode\"\n ] and not arguments contains [VariableAccess va:\n variable.name matches \"MODE_.*\"\n and variable.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and not namedParameters contains [NamedParameter p:\n name == \"mode\"\n ] and not arguments contains [VariableAccess va:\n variable.name matches \"MODE_.*\"\n and variable.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall fc: name == 
\"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and arguments contains [VariableAccess va:\n variable.name == \"MODE_CBC\"\n and variable.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall fc: name == \"__init__\"\n and function.enclosingClass.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\\.(AES|RC2|Blowfish|CAST128|DES|DES3)(_)?Cipher\"\n and arguments contains [VariableAccess va:\n variable.name == \"MODE_ECB\"\n and variable.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments contains [VariableAccess va:\n variable.name == \"MODE_CBC\"\n and variable.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall fc: name == \"new\"\n and function.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n and arguments contains [VariableAccess va:\n variable.name == \"MODE_ECB\"\n and variable.namespace.name matches \"Crypto\\.Cipher\\.(AES|ARC2|Blowfish|CAST|DES|DES3)\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak 
SSL Protocol", - "predicate": "\n FunctionCall fc: fc.function.name matches \"wrap_socket|get_server_certificate\"\n and fc.function.namespace.name == \"ssl\"\n and (\n not fc.namedParameters contains [NamedParameter p1: name == \"ssl_version\"]\n or fc.namedParameters contains [NamedParameter np:\n name == \"ssl_version\"\n and (\n expression is [VariableAccess va:\n va.variable.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n or expression is [FieldAccess fa:\n fa.field.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ])\n ]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: fc.function.name matches \"wrap_socket|get_server_certificate\"\n and fc.function.namespace.name == \"ssl\"\n and (\n not fc.namedParameters contains [NamedParameter p1: name == \"ssl_version\"]\n or fc.namedParameters contains [NamedParameter np:\n name == \"ssl_version\"\n and (\n expression is [VariableAccess va:\n va.variable.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n or expression is [FieldAccess fa:\n fa.field.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ])\n ]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Cipher", - "predicate": "\n FunctionCall fc: fc.function.name == \"wrap_socket\"\n and fc.function.namespace.name == \"ssl\"\n and fc.namedParameters contains [NamedParameter np:\n name == \"ciphers\"\n and expression is [VariableAccess va:\n /* CBC Mode */\n va.constantValue matches \"(?i).*-CBC(3)?-.*\"\n /* Weak Hash Functions */\n or va.constantValue matches \"(?i)-(SHA|MD5|GOSTR3411)\"\n /* Weak Ciphers */\n or va.constantValue matches \"(?i).*-(RC2|RC4|DES|3DES)-.*\"\n /* None or Anonymous Algorithms */\n or va.constantValue matches 
\"(?i).*-(None|ANON)-.*\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Cipher", - "predicate": "\n FunctionPointerCall:\n name == \"set_ciphers\"\n and arguments contains [StringLiteral s:\n /* CBC Mode */\n s.constantValue matches \"(?i).*-CBC(3)?-.*\"\n /* Weak Hash Functions */\n or s.constantValue matches \"(?i)-(SHA|MD5|GOSTR3411)\"\n /* Weak Ciphers */\n or s.constantValue matches \"(?i).*-(RC2|RC4|DES|3DES)-.*\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: fc.function.name == \"__init__\"\n and function.enclosingClass.name == \"ssl.SSLContext\"\n and arguments contains [Expression e :\n e is [VariableAccess va:\n va.variable.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n or e is [FieldAccess fa:\n fa.field.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.function.name == \"wrap_socket\"\n and fc.function.namespace.name == \"ssl\"\n and (\n not fc.namedParameters contains [NamedParameter p1: name == \"cert_reqs\"]\n or fc.namedParameters contains [NamedParameter p2: name == \"cert_reqs\" and expression is [VariableAccess va: va.variable.name == \"CERT_NONE\"]]\n or fc.namedParameters contains [NamedParameter p3: name == \"cert_reqs\" and expression is [FieldAccess fa: fa.field.name == \"CERT_NONE\"]])\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Logging Practice", - "vuln_subcategory": "Use of a System Output Stream", - "predicate": "\n FunctionCall: name matches \"write|writelines\"\n and instance 
is [VariableAccess stdout:\n name matches \"std(out|err)\"\n and variable.enclosingClass is [Class: name == \"sys~module\"]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Empty Catch Block", - "predicate": "\n CatchBlock: empty\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: fc.function.name matches \"set_alpn_protocols\"\n and fc.arguments[1] is [FunctionCall tuple:\n arguments contains [Expression e: constantValue matches \"(?i)spdy/.*\"]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"__init__\"\n and enclosingClass.supers contains [Class:\n name == \"pymongo.mongo_client.MongoClient\"\n ]\n ]\n and (\n namedParameters contains [NamedParameter: name == \"host\"\n and not expression.constantValue.None\n and not expression.constantValue is [None:]\n and not expression.constantValue == \"\"\n and expression.constantValue matches \"mongodb(\\+srv)?://.*:@.*\"\n ]\n or namedParameters contains [NamedParameter: name == \"password\"\n and expression.constantValue == \"\"\n ]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"__init__\"\n and enclosingClass.supers contains [Class:\n name == \"pymongo.mongo_client.MongoClient\"\n ]\n ]\n and (\n namedParameters contains [NamedParameter: name == \"host\"\n and not expression.constantValue.None\n and not expression.constantValue is [None:]\n and expression.constantValue matches \"mongodb(\\+srv)?://.*:.+@.*\"\n ]\n or 
namedParameters contains [NamedParameter: name == \"password\"\n and not expression.constantValue.None\n and not expression.constantValue is [None:]\n and not expression.constantValue == \"\"\n ]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Unauthenticated Service", - "vuln_subcategory": "MongoDB", - "predicate": "\n FunctionCall fc:\n function.name == \"__init__\"\n and function.enclosingClass.supers contains [Class:\n name == \"pymongo.mongo_client.MongoClient\"\n ]\n and not namedParameters contains [NamedParameter: name == \"username\"\n and not expression.constantValue is [None:]\n ]\n and not namedParameters contains [NamedParameter: name == \"password\"\n and not expression.constantValue is [None:]\n ]\n and namedParameters contains [NamedParameter: name == \"host\"\n and (expression.constantValue is [None:]\n or (not expression.constantValue.None\n and not expression.constantValue matches \"mongodb(\\+srv)?://.*:.*@.*\"\n )\n )\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Insecure PBE Iteration Count", - "predicate": "\n FunctionCall fc: fc.function.name matches \"PBKDF(1|2)\"\n and fc.function.namespace.name == \"Crypto.Protocol.KDF\"\n and fc.namedParameters contains [NamedParameter: name == \"count\"\n and expression.constantValue is [Number n:\n n > 999 and n < 100000\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Insecure PBE Iteration Count", - "predicate": "\n FunctionCall fc: fc.function.name == \"bcrypt\"\n and fc.function.namespace.name == \"Crypto.Protocol.KDF\"\n and arguments[1] is [Expression e:\n constantValue is [Number n: n < 12]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": 
"Insecure PBE Iteration Count", - "predicate": "\n FunctionCall fc: fc.function.name matches \"PBKDF(1|2)\"\n and fc.function.namespace.name == \"Crypto.Protocol.KDF\"\n and fc.namedParameters contains [NamedParameter: name == \"count\"\n and expression.constantValue is [Number n:\n n < 1000\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"login\"\n and function.enclosingClass.supers contains [Class:\n name matches \"ftplib\\.(FTP|FTP_TLS)\"\n ]\n and fc.namedParameters contains [NamedParameter: name == \"passwd\"\n and not expression.constantValue.None\n and expression.constantValue is [None: ]\n and not expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"__init__\"\n and function.enclosingClass.supers contains [Class:\n name matches \"ftplib\\.(FTP|FTP_TLS)\"\n ]\n and fc.namedParameters contains [NamedParameter: name == \"passwd\"\n and not expression.constantValue.None\n and expression.constantValue is [None: ]\n and not expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"login\"\n and function.enclosingClass.supers contains [Class:\n name matches \"ftplib\\.(FTP|FTP_TLS)\"\n ]\n and fc.namedParameters contains [NamedParameter: name == \"passwd\"\n and not expression.constantValue.None\n and not expression.constantValue is [None: ]\n and expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - 
"vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"__init__\"\n and function.enclosingClass.supers contains [Class:\n name matches \"ftplib\\.(FTP|FTP_TLS)\"\n ]\n and fc.namedParameters contains [NamedParameter: name == \"passwd\"\n and not expression.constantValue.None\n and not expression.constantValue is [None: ]\n and expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"login\"\n and function.enclosingClass.supers contains [Class:\n name matches \"ftplib\\.(FTP|FTP_TLS)\"\n ]\n and fc.namedParameters contains [NamedParameter: name == \"passwd\"\n and not expression.constantValue.None\n and not expression.constantValue is [None: ]\n and not expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: fc.function.name == \"__init__\"\n and function.enclosingClass.supers contains [Class:\n name matches \"ftplib\\.(FTP|FTP_TLS)\"\n ]\n and fc.namedParameters contains [NamedParameter: name == \"passwd\"\n and not expression.constantValue.None\n and not expression.constantValue is [None: ]\n and not expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall fc: function is [Function f: f.name == \"__init__\"\n and f.enclosingClass.supers contains [Class:\n name matches \"urllib3\\.poolmanager\\.(Proxy|Pool)Manager\"\n ]\n ]\n and fc.namedParameters contains [NamedParameter: name == \"key_password\"\n and not expression.constantValue.None\n and expression.constantValue is [None: ]\n and 
not expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: function is [Function f: f.name == \"__init__\"\n and f.enclosingClass.supers contains [Class:\n name matches \"urllib3\\.poolmanager\\.(Proxy|Pool)Manager\"\n ]\n ]\n and fc.namedParameters contains [NamedParameter: name == \"key_password\"\n and not expression.constantValue.None\n and not expression.constantValue is [None: ]\n and expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: function is [Function f: f.name == \"__init__\"\n and f.enclosingClass.supers contains [Class:\n name matches \"urllib3\\.poolmanager\\.(Proxy|Pool)Manager\"\n ]\n ]\n and fc.namedParameters contains [NamedParameter: name == \"key_password\"\n and not expression.constantValue.None\n and not expression.constantValue is [None: ]\n and not expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: function is [Function f: f.name == \"__init__\"\n and f.enclosingClass.supers contains [Class:\n name == \"urllib3.connectionpool.HTTPSConnectionPool\"\n ]\n ]\n and fc.namedParameters contains [NamedParameter: name == \"cert_reqs\"\n and expression is [Expression:\n constantValue == \"CERT_NONE\"\n or constantValues contains [String: == \"CERT_NONE\"]\n or partialConstantValues contains [String: == \"CERT_NONE\"]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - 
"predicate": "\n FunctionCall fc: function is [Function f: f.name == \"__init__\"\n and f.enclosingClass.supers contains [Class:\n name matches \"urllib3\\.poolmanager\\.(Proxy|Pool)Manager\"\n ]\n ]\n and fc.namedParameters contains [NamedParameter: name == \"cert_reqs\"\n and expression is [Expression:\n constantValue == \"CERT_NONE\"\n or constantValues contains [String: == \"CERT_NONE\"]\n or partialConstantValues contains [String: == \"CERT_NONE\"]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: function is [Function f: f.name == \"__init__\"\n and f.enclosingClass.supers contains [Class:\n name == \"urllib3.connectionpool.HTTPSConnectionPool\"\n ]\n ] and arguments contains [Expression e :\n e is [VariableAccess va:\n va.variable.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n or e is [FieldAccess fa:\n fa.field.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: function is [Function f: f.name == \"__init__\"\n and f.enclosingClass.supers contains [Class:\n name matches \"urllib3\\.poolmanager\\.(Proxy|Pool)Manager\"\n ]\n ] and arguments contains [Expression e :\n e is [VariableAccess va:\n va.variable.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n or e is [FieldAccess fa:\n fa.field.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Cipher", - "predicate": "\n FunctionCall fc: function is [Function f: f.name == \"ssl_wrap_socket\"\n and f.namespace.name == \"urllib3.util.ssl_\"\n ] and 
fc.namedParameters contains [NamedParameter np:\n name == \"ciphers\"\n and expression is [VariableAccess s:\n /* CBC Mode */\n s.constantValue matches \"(?i).*-CBC(3)?-.*\"\n /* Weak Hash Functions */\n or s.constantValue matches \"(?i)-(SHA|MD5|GOSTR3411)\"\n /* Weak Ciphers */\n or s.constantValue matches \"(?i).*-(RC2|RC4|DES|3DES)-.*\"\n /* None */\n or s.constantValue matches \"(?i).*-None-.*\"\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: function is [Function f: f.name == \"ssl_wrap_socket\"\n and f.namespace.name == \"urllib3.util.ssl_\"\n ] and (\n not fc.namedParameters contains [NamedParameter p: name == \"ssl_version\"]\n or fc.namedParameters contains [NamedParameter np:\n name == \"ssl_version\"\n and (\n expression is [VariableAccess va:\n va.variable.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ]\n or expression is [FieldAccess fa:\n fa.field.name matches \"PROTOCOL_(SSLv2|SSLv3|SSLv23|TLSv1|TLSv1_1)\"\n ])\n ]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall fc: fc.function.name matches \"connect|create_pool\"\n and fc.function.namespace.name == \"aiopg\"\n and fc.namedParameters contains [NamedParameter p:\n p.name == \"password\"\n and (p.expression is [VariableAccess va: va.variable.name == \"None\"]\n or p.expression.constantValue is [None: ])\n and not p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: fc.function.name matches \"connect|create_pool\"\n and fc.function.namespace.name == \"aiopg\"\n and fc.namedParameters contains [NamedParameter p:\n 
p.name == \"password\"\n and not p.expression.constantValue.None\n and not p.expression.constantValue is [None: ]\n and p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: fc.function.name matches \"connect|create_pool\"\n and fc.function.namespace.name == \"aiopg\"\n and fc.namedParameters contains [NamedParameter p:\n p.name == \"password\"\n and not p.expression.constantValue.None\n and not p.expression.constantValue is [None: ]\n and not p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Cipher", - "predicate": "\n FunctionCall fc:\n function is [Function:\n enclosingClass.name == \"paramiko.rsakey.RSAKey\"\n and name == \"__init__\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"filename\"\n and expression is [NoneLiteral: ]\n ]\n and namedParameters contains [NamedParameter:\n name == \"key\"\n and expression is [NoneLiteral: ]\n ]\n and namedParameters contains [NamedParameter:\n name == \"file_obj\"\n and expression is [NoneLiteral: ]\n ] \n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc:\n function is [Function:\n enclosingClass.name == \"paramiko.client.SSHClient\"\n and name == \"connect\"\n ]\n and namedParameters contains [NamedParameter: \n name == \"passphrase\"\n and expression is [Expression: \n not constantValue.None\n and not constantValue == \"\"\n and not constantValue is [None: ]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n 
FunctionCall fc:\n function is [Function:\n enclosingClass.name == \"paramiko.client.SSHClient\"\n and name == \"connect\"\n ]\n and namedParameters contains [NamedParameter: \n name == \"password\"\n and expression is [Expression: \n not constantValue.None\n and not constantValue == \"\"\n and not constantValue is [None: ]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "SSH Misconfiguration", - "vuln_subcategory": "Missing Authentication", - "predicate": "\n FunctionCall fc:\n function is [Function:\n enclosingClass.name == \"paramiko.client.SSHClient\"\n and name == \"connect\"\n ]\n and namedParameters contains [NamedParameter:\n name == \"auth_strategy\"\n and expression.type.name == \"paramiko.auth_strategy.NoneAuth\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n function is [Function:\n enclosingClass.name == \"paramiko.client.SSHClient\"\n and name == \"exec_command\"\n ]\n and namedParameters contains [NamedParameter: \n name == \"environment\"\n and expression is [Expression: \n not constantValue == \"\"\n and not constantValue is [None: ]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: function is [Function:\n name matches \"cmd_change_user\"\n and fc.function.enclosingClass.name == \"mysql.connector.MySQLConnection\"\n ]\n and fc.namedParameters contains [NamedParameter p:\n p.name == \"password\" \n and p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: function is [Function:\n name matches 
\"__init__|connect\"\n and enclosingClass.name == \"mysql.connector.MySQLConnection\"\n ]\n and fc.namedParameters contains [NamedParameter p:\n p.name matches \"password(1|2|3)?\" \n and not p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: function is [Function:\n name matches \"__init__|connect\"\n and enclosingClass.name == \"mysql.connector.MySQLConnection\"\n ]\n and fc.namedParameters contains [NamedParameter p:\n p.name matches \"password(1|2|3)?\" \n and p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: function is [Function:\n name matches \"connect\"\n and namespace.name == \"mysql.connector\"\n ]\n and fc.namedParameters contains [NamedParameter p:\n p.name matches \"password(1|2|3)?\" \n and not p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: function is [Function:\n name matches \"connect\"\n and namespace.name == \"mysql.connector\"\n ]\n and fc.namedParameters contains [NamedParameter p:\n p.name matches \"password(1|2|3)?\"\n and p.expression.constantValue == \"\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "gRPC Server Credentials", - "predicate": "\n FunctionCall fc: fc.name == \"ssl_server_credentials\" and \n fc.function.namespace.name == \"grpc\"\n\n /* Match if arg 2 & 3 are are empty regardless of order (1 arg required, others have default if not \n specified) and if root_certificates is None/Empty 
or if require_client_auth is false */\n\n and ( \n (fc.namedParameters contains [NamedParameter p1: p1.name == \"root_certificates\"\n and (p1.expression is [VariableAccess va1: va1.variable.name == \"None\"]\n or p1.expression.constantValue == \"\")]\n ) \n or\n (fc.namedParameters contains [NamedParameter p2: p2.name == \"require_client_auth\"\n and p2.expression is [VariableAccess va2: va2.variable.name == \"False\"]])\n or \n fc.arguments[1].constantValue is [None: ]\n or\n fc.arguments[2].constantValue is [None: ]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "gRPC Channel Credentials", - "predicate": "\n FunctionCall fc: fc.name is \"ssl_channel_credentials\" and \n fc.function.namespace.name == \"grpc\"\n\n /* Match if any argument is empty or None as it will mean a default or empty value is taken */\n \n and (\n fc.arguments contains [Expression: constantValue is [None: ] or constantValue is \"\"]\n )\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.name is \"add_insecure_port\" and \n fc.function.enclosingClass.name matches \"grpc.+Server\"\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.name is \"insecure_channel\" and \n fc.function.namespace.name == \"grpc\"\n " - }, - { - "language": "python", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n\t\t\t\tFieldAccess fa: field.name == \"files\"\n\t\t\t\t\tand instance is [VariableAccess:\n\t\t\t\t\t\tvariable.name == \"request\"\n\t\t\t\t\t\tand variable.enclosingClass is [Class:\n\t\t\t\t\t\t\tname == \"flask.globals~module\"\n\t\t\t\t\t\t]\n\t\t\t\t\t] and not in 
[AssignmentStatement:\n\t\t\t\t\t\tlhs is fa\n\t\t\t\t\t]\n\t\t\t" - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionPointerCall fpc:\n closureExpression is [FieldAccess: \n instance is [FieldAccess fa:\n name == \"headers\"\n and transitiveBase is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n ] and name == \"add\"\n and fpc.arguments[1] is [Expression: constantValue == \"Access-Control-Allow-Origin\"]\n and fpc.arguments[2] is [Expression: constantValue == \"*\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionCall fc: \n possibleTargets contains [Function f:\n name == \"__setitem__\"\n ] and instance is [FieldAccess:\n name == \"headers\"\n and instance is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n and arguments[1] is [Expression: constantValue == \"Access-Control-Allow-Origin\"]\n and arguments[2] is [Expression: constantValue == \"*\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n AssignmentStatement as: \n rhs is [Expression e: constantValue == \"*\"]\n and lhs is [FieldAccess fa:\n name == \"access_control_allow_origin\"\n and instance is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n FunctionPointerCall fpc:\n 
closureExpression is [FieldAccess: \n instance is [FieldAccess fa:\n name == \"headers\"\n and transitiveBase is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n ] and name == \"add\"\n and fpc.arguments[1] is [Expression: constantValue == \"Content-Security-Policy\"]\n and fpc.arguments[2] is [Expression: constantValue == \"*\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n FunctionCall fc: \n possibleTargets contains [Function f:\n name == \"__setitem__\"\n ] and instance is [FieldAccess:\n name == \"headers\"\n and instance is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n and arguments[1] is [Expression: constantValue == \"Content-Security-Policy\"]\n and arguments[2] is [Expression: constantValue == \"*\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n AssignmentStatement as: \n rhs is [Expression e: constantValue == \"*\"]\n and lhs is [FieldAccess fa:\n name == \"content_security_policy\"\n and instance is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Misconfigured Content Security Policy", - "predicate": "\n FunctionPointerCall fpc:\n closureExpression is [FieldAccess: \n instance is [FieldAccess fa:\n name == \"headers\"\n and transitiveBase is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n ] and name == 
\"add\"\n and fpc.arguments[1] is [Expression: constantValue == \"Content-Security-Policy\"]\n and fpc.arguments[2] is [Expression: constantValue matches \"(?i).*unsafe-(eval|inline).*\" ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Misconfigured Content Security Policy", - "predicate": "\n FunctionCall fc: \n possibleTargets contains [Function f:\n name == \"__setitem__\"\n ] and instance is [FieldAccess:\n name == \"headers\"\n and instance is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n and arguments[1] is [Expression: constantValue == \"Content-Security-Policy\"]\n and arguments[2] is [Expression: constantValue matches \"(?i).*unsafe-(eval|inline).*\" ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Misconfigured Content Security Policy", - "predicate": "\n AssignmentStatement as: \n rhs is [Expression e: constantValue matches \"(?i).*unsafe-(eval|inline).*\"]\n and lhs is [FieldAccess fa:\n name == \"content_security_policy\"\n and instance is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Unenforced Content Security Policy", - "predicate": "\n FunctionPointerCall fpc:\n closureExpression is [FieldAccess: \n instance is [FieldAccess fa:\n name == \"headers\"\n and transitiveBase is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n ] and name == \"add\"\n and fpc.arguments[1] is [Expression: constantValue == \"Content-Security-Policy-Report-Only\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - 
"vuln_category": "HTML5", - "vuln_subcategory": "Unenforced Content Security Policy", - "predicate": "\n FunctionCall fc: \n possibleTargets contains [Function f:\n name == \"__setitem__\"\n ] and instance is [FieldAccess:\n name == \"headers\"\n and instance is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n and arguments[1] is [Expression: constantValue == \"Content-Security-Policy-Report-Only\"]\n " - }, - { - "language": "python", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Unenforced Content Security Policy", - "predicate": "\n AssignmentStatement as: \n lhs is [FieldAccess fa:\n name == \"content_security_policy_report_only\"\n and instance is [VariableAccess: \n possibleTypes contains [Type:\n definition.supers contains [Class: name == \"flask.wrappers.Response\"]\n ]\n ]\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function f:\n f.name matches \"set_cookie\"\n and f.enclosingClass.supers contains [Class: \n name matches \"(flask\\.wrappers|werkzeug\\.sansio\\.response).Response\"\n ]\n ] and fc.namedParameters contains [NamedParameter p:\n p.name == \"domain\"\n and p.expression.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function f:\n f.name matches \"set_cookie\"\n and f.enclosingClass.supers contains [Class: \n name matches \"(flask\\.wrappers|werkzeug\\.sansio\\.response).Response\"\n ]\n ] and fc.namedParameters contains [NamedParameter p:\n p.name == \"domain\"\n and 
p.expression.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Path", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function f:\n f.name matches \"set_cookie\"\n and f.enclosingClass.supers contains [Class: \n name matches \"(flask\\.wrappers|werkzeug\\.sansio\\.response).Response\"\n ]\n ] and fc.namedParameters contains [NamedParameter p:\n p.name == \"path\"\n and p.expression.constantValue == \"/\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Persistent Cookie", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function f:\n f.name matches \"set_cookie\"\n and f.enclosingClass.supers contains [Class: \n name matches \"(flask\\.wrappers|werkzeug\\.sansio\\.response).Response\"\n ]\n ] and fc.namedParameters contains [NamedParameter p:\n p.name == \"expires\"\n and (p.expression is [VariableAccess: variable.name == \"None\"]\n or p.expression is [NoneLiteral:]\n or p.expression.constantValue == \"None\")\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Permissive SameSite Attribute", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function f:\n f.name matches \"set_cookie\"\n and f.enclosingClass.supers contains [Class: \n name matches \"(flask\\.wrappers|werkzeug\\.sansio\\.response).Response\"\n ]\n ] and fc.namedParameters contains [NamedParameter p:\n p.name == \"samesite\"\n and p.expression.constantValue == \"Lax\"\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Missing SameSite Attribute", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets 
contains [Function f:\n f.name matches \"set_cookie\"\n and f.enclosingClass.supers contains [Class: \n name matches \"(flask\\.wrappers|werkzeug\\.sansio\\.response).Response\"\n ]\n ] and fc.namedParameters contains [NamedParameter p:\n p.name == \"samesite\"\n and (p.expression is [VariableAccess: variable.name == \"None\"]\n or p.expression is [NoneLiteral:]\n or p.expression.constantValue == \"None\")\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function f:\n f.name matches \"set_cookie\"\n and f.enclosingClass.supers contains [Class: \n name matches \"(flask\\.wrappers|werkzeug\\.sansio\\.response).Response\"\n ]\n ] and fc.namedParameters contains [NamedParameter p:\n p.name == \"httponly\"\n and (p.expression is [VariableAccess: variable.name == \"False\"]\n or p.expression is [BooleanLiteral: value is false])\n ]\n " - }, - { - "language": "python", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function f:\n f.name matches \"set_cookie\"\n and f.enclosingClass.supers contains [Class: \n name matches \"(flask\\.wrappers|werkzeug\\.sansio\\.response).Response\"\n ]\n ] and fc.namedParameters contains [NamedParameter p:\n p.name == \"secure\"\n and (p.expression is [VariableAccess: variable.name == \"False\"]\n or p.expression is [BooleanLiteral: value is false])\n ]\n " - }, - { - "language": "cpp", - "vuln_kingdom": "Code Quality", - "vuln_category": "Android Bad Practices", - "vuln_subcategory": "Use of Internal APIs", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"FindClass\"\n and enclosingClass.supers contains [Class:\n name == \"JNIEnv_\"\n ]\n ]\n and (\n /* Interal APIs */\n arguments[0].constantValue 
matches \".*/internal/.*\"\n /* Hidden APIs */\n or arguments[0].constantValue is [String v:\n v == \"android/net/wifi/ActionListener\"\n or v == \"android/net/wifi/TxPacketCountListener\"\n or v == \"android/net/wifi/LocalOnlyHotspotSubscription\"\n or v == \"android/net/wifi/LocalOnlyHotspotObserver\"\n or v == \"android/net/wifi/WifiScanner\"\n or v == \"android/net/wifi/ActionListener\"\n or v == \"android/net/wifi/HiddenNetwork\"\n or v == \"android/net/wifi/PnoSettings\"\n or v == \"android/net/wifi/PnoNetwork\"\n or v == \"android/net/wifi/PnoScanListener\"\n or v == \"android/net/wifi/WifiChangeSettings\"\n or v == \"android/net/wifi/HotlistSettings\"\n or v == \"android/net/wifi/OperationResult\"\n or v == \"android/net/wifi/RssiPacketCountInfo\"\n or v == \"android/net/wifi/WifiWakeReasonAndCounts\"\n or v == \"android/net/wifi/RttManager\"\n or v == \"android/net/wifi/RttClient\"\n or v == \"android/net/wifi/WifiNetworkScoreCache\"\n or v == \"android/net/wifi/aware/WifiAwareNetworkSpecifier\"\n or v == \"android/net/wifi/aware/WifiAwareUtils\"\n or v == \"android/net/wifi/aware/TlvBufferUtils\"\n or v == \"android/net/wifi/aware/WifiAwareAgentNetworkSpecifier\"\n or v == \"android/net/wifi/aware/ConfigRequest\"\n or v == \"android/net/wifi/ParcelUtil\"\n or v == \"android/net/wifi/WifiSsid\"\n or v == \"android/net/wifi/WifiNetworkConnectionStatistics\"\n or v == \"android/net/wifi/BatchedScanResult\"\n or v == \"android/net/wifi/WifiLinkLayerStats\"\n or v == \"android/net/wifi/EAPConstants\"\n or v == \"android/net/wifi/SupplicantSaver\"\n or v == \"android/net/wifi/SupplicantLoader\"\n or v == \"android/net/wifi/PasspointManagementObjectDefinition\"\n or v == \"android/net/wifi/Visibility\"\n or v == \"android/net/wifi/NetworkSelectionStatus\"\n or v == \"android/net/wifi/RecentFailure\"\n or v == \"android/net/wifi/WifiConnectionStatistics\"\n or v == \"android/net/wifi/WifiActivityEnergyInfo\"\n or v == \"android/net/wifi/p2p/WifiP2pWfdInfo\"\n or 
v == \"android/net/wifi/p2p/PersistentGroupInfoListener\"\n or v == \"android/net/wifi/p2p/HandoverMessageListener\"\n or v == \"android/net/wifi/p2p/WifiP2pProvDiscEvent\"\n or v == \"android/net/wifi/p2p/WifiP2pGroupList\"\n or v == \"android/net/wifi/p2p/nsd/WifiP2pServiceResponse\"\n or v == \"android/net/wifi/p2p/nsd/WifiP2pDnsSdServiceResponse\"\n or v == \"android/net/wifi/p2p/nsd/WifiP2pUpnpServiceResponse\"\n or v == \"android/net/wifi/WifiChannel\"\n or v == \"android/net/wifi/hotspot2/omadm/XMLNode\"\n or v == \"android/net/wifi/hotspot2/omadm/XMLParser\"\n or v == \"android/net/wifi/hotspot2/OsuProvider\"\n or v == \"android/net/wifi/hotspot2/pps/UpdateParameter\"\n or v == \"android/net/wifi/hotspot2/pps/Policy\"\n or v == \"android/net/wifi/ScanSettings\"\n or v == \"android/net/wifi/WpsResult\"\n or v == \"android/net/wifi/InformationElement\"\n or v == \"android/net/wifi/AnqpInformationElement\"\n or v == \"android/drm/DrmOutputStream\"\n or v == \"junit/framework/ComparisonCompactor\"\n or v == \"com/google/vr/platform/DeviceInfo\"\n or v == \"com/google/vr/platform/Dvr\"\n or v == \"org/apache/http/conn/ssl/AndroidDistinguishedNameParser\"\n or v == \"android/metrics/LogMaker\"\n or v == \"android/metrics/MetricsReader\"\n or v == \"android/metrics/Event\"\n or v == \"android/metrics/LogReader\"\n or v == \"android/database/CursorWindowAllocationException\"\n or v == \"android/database/BulkCursorDescriptor\"\n or v == \"android/database/BulkCursorNative\"\n or v == \"android/database/sqlite/SQLiteDebug\"\n or v == \"android/database/sqlite/SQLiteStatementInfo\"\n or v == \"android/database/sqlite/SQLiteDirectCursorDriver\"\n or v == \"android/database/sqlite/SQLiteGlobal\"\n or v == \"android/database/sqlite/CustomFunction\"\n or v == \"android/database/sqlite/SQLiteDatabaseConfiguration\"\n or v == \"android/database/sqlite/SQLiteCustomFunction\"\n or v == \"android/database/sqlite/SQLiteSession\"\n or v == 
\"android/database/sqlite/DatabaseObjectNotClosedException\"\n or v == \"android/database/sqlite/SQLiteConnectionPool\"\n or v == \"android/database/sqlite/SQLiteConnection\"\n or v == \"android/database/CursorToBulkCursorAdaptor\"\n or v == \"android/database/IBulkCursor\"\n or v == \"android/database/BulkCursorToCursorAdaptor\"\n or v == \"android/transition/AnimationInfo\"\n or v == \"android/transition/ChangeText\"\n or v == \"android/transition/Rotate\"\n or v == \"android/transition/Crossfade\"\n or v == \"android/transition/TransitionUtils\"\n or v == \"android/transition/Recolor\"\n or v == \"android/webkit/JsDialogHelper\"\n or v == \"android/webkit/WebViewFactory\"\n or v == \"android/webkit/TokenBindingService\"\n or v == \"android/webkit/WebViewDelegate\"\n or v == \"android/webkit/WebViewProviderInfo\"\n or v == \"android/webkit/UrlInterceptRegistry\"\n or v == \"android/webkit/Plugin\"\n or v == \"android/webkit/DefaultClickHandler\"\n or v == \"android/webkit/WebViewUpdateService\"\n or v == \"android/webkit/UrlInterceptHandler\"\n or v == \"android/webkit/WebViewProvider\"\n or v == \"android/webkit/PrivateAccess\"\n or v == \"android/webkit/ResultReceiver\"\n or v == \"android/webkit/WebViewProviderResponse\"\n or v == \"android/webkit/WebViewZygote\"\n or v == \"android/webkit/WebViewFactoryProvider\"\n or v == \"android/webkit/PluginList\"\n or v == \"android/webkit/FindAddress\"\n or v == \"android/webkit/FindActionModeCallback\"\n or v == \"android/webkit/PluginData\"\n or v == \"android/webkit/UserPackage\"\n or v == \"android/webkit/LegacyErrorStrings\"\n or v == \"android/printservice/recommendation/RecommendationInfo\"\n or v == \"android/printservice/recommendation/RecommendationService\"\n or v == \"android/printservice/PrintServiceInfo\"\n or v == \"android/hardware/SerialPort\"\n or v == \"android/hardware/soundtrigger/SoundTrigger\"\n or v == \"android/hardware/soundtrigger/KeyphraseEnrollmentInfo\"\n or v == 
\"android/hardware/soundtrigger/SoundTriggerModule\"\n or v == \"android/hardware/soundtrigger/KeyphraseMetadata\"\n or v == \"android/hardware/radio/RadioManager\"\n or v == \"android/hardware/radio/RadioMetadata\"\n or v == \"android/hardware/radio/Clock\"\n or v == \"android/hardware/radio/ProgramSelector\"\n or v == \"android/hardware/radio/RadioTuner\"\n or v == \"android/hardware/fingerprint/EnrollmentCallback\"\n or v == \"android/hardware/fingerprint/RemovalCallback\"\n or v == \"android/hardware/fingerprint/EnumerateCallback\"\n or v == \"android/hardware/fingerprint/LockoutResetCallback\"\n or v == \"android/hardware/fingerprint/Fingerprint\"\n or v == \"android/hardware/SystemSensorManager\"\n or v == \"android/hardware/input/InputDeviceIdentifier\"\n or v == \"android/hardware/input/TouchCalibration\"\n or v == \"android/hardware/input/OnTabletModeChangedListener\"\n or v == \"android/hardware/input/KeyboardLayout\"\n or v == \"android/hardware/input/InputManagerInternal\"\n or v == \"android/hardware/CameraStatus\"\n or v == \"android/hardware/location/GeofenceHardwareRequestParcelable\"\n or v == \"android/hardware/location/NanoApp\"\n or v == \"android/hardware/location/GeofenceHardwareRequest\"\n or v == \"android/hardware/location/ActivityRecognitionEvent\"\n or v == \"android/hardware/location/GeofenceHardwareCallback\"\n or v == \"android/hardware/location/GeofenceHardwareService\"\n or v == \"android/hardware/location/ContextHubInfo\"\n or v == \"android/hardware/location/NanoAppFilter\"\n or v == \"android/hardware/location/NanoAppInstanceInfo\"\n or v == \"android/hardware/location/ActivityRecognitionHardware\"\n or v == \"android/hardware/location/GeofenceHardwareMonitorEvent\"\n or v == \"android/hardware/location/GeofenceHardware\"\n or v == \"android/hardware/location/GeofenceHardwareImpl\"\n or v == \"android/hardware/location/GeofenceHardwareMonitorCallback\"\n or v == \"android/hardware/location/ContextHubMessage\"\n or v == 
\"android/hardware/location/ActivityChangedEvent\"\n or v == \"android/hardware/location/ContextHubManager\"\n or v == \"android/hardware/location/ICallback\"\n or v == \"android/hardware/location/MemoryRegion\"\n or v == \"android/hardware/hdmi/HdmiClient\"\n or v == \"android/hardware/hdmi/HdmiControlManager\"\n or v == \"android/hardware/hdmi/HdmiTimerRecordSources\"\n or v == \"android/hardware/hdmi/TimeUnit\"\n or v == \"android/hardware/hdmi/Time\"\n or v == \"android/hardware/hdmi/Duration\"\n or v == \"android/hardware/hdmi/TimerInfo\"\n or v == \"android/hardware/hdmi/TimerRecordSource\"\n or v == \"android/hardware/hdmi/HdmiTvClient\"\n or v == \"android/hardware/hdmi/HdmiHotplugEvent\"\n or v == \"android/hardware/hdmi/HdmiRecordSources\"\n or v == \"android/hardware/hdmi/RecordSource\"\n or v == \"android/hardware/hdmi/OwnSource\"\n or v == \"android/hardware/hdmi/AribData\"\n or v == \"android/hardware/hdmi/AtscData\"\n or v == \"android/hardware/hdmi/DvbData\"\n or v == \"android/hardware/hdmi/DigitalChannelData\"\n or v == \"android/hardware/hdmi/DigitalServiceSource\"\n or v == \"android/hardware/hdmi/AnalogueServiceSource\"\n or v == \"android/hardware/hdmi/ExternalPlugData\"\n or v == \"android/hardware/hdmi/ExternalPhysicalAddress\"\n or v == \"android/hardware/hdmi/HdmiPlaybackClient\"\n or v == \"android/hardware/hdmi/HdmiDeviceInfo\"\n or v == \"android/hardware/hdmi/HdmiRecordListener\"\n or v == \"android/hardware/hdmi/TimerStatusData\"\n or v == \"android/hardware/hdmi/HdmiPortInfo\"\n or v == \"android/hardware/usb/UsbPortStatus\"\n or v == \"android/hardware/usb/UsbPort\"\n or v == \"android/hardware/display/DisplayManagerInternal\"\n or v == \"android/hardware/display/DisplayManagerGlobal\"\n or v == \"android/hardware/display/WifiDisplayStatus\"\n or v == \"android/hardware/display/WifiDisplaySessionInfo\"\n or v == \"android/hardware/display/DisplayViewport\"\n or v == \"android/hardware/display/WifiDisplay\"\n or v == 
\"android/hardware/SerialManager\"\n or v == \"android/hardware/CameraInfo\"\n or v == \"android/hardware/LegacySensorManager\"\n or v == \"android/hardware/camera2/impl/ICameraDeviceUserWrapper\"\n or v == \"android/hardware/camera2/impl/CaptureResultExtras\"\n or v == \"android/hardware/camera2/utils/LongParcelable\"\n or v == \"android/hardware/camera2/utils/UncheckedThrow\"\n or v == \"android/hardware/camera2/utils/SubmitInfo\"\n or v == \"android/hardware/camera2/params/StreamConfigurationDuration\"\n or v == \"android/hardware/camera2/params/ReprocessFormatsMap\"\n or v == \"android/hardware/camera2/params/HighSpeedVideoConfiguration\"\n or v == \"android/hardware/camera2/params/VendorTagDescriptorCache\"\n or v == \"android/hardware/camera2/params/VendorTagDescriptor\"\n or v == \"android/hardware/camera2/params/StreamConfiguration\"\n or v == \"android/net/NetworkStatsHistory\"\n or v == \"android/net/metrics/RaEvent\"\n or v == \"android/net/metrics/DefaultNetworkEvent\"\n or v == \"android/net/metrics/WakeupEvent\"\n or v == \"android/net/metrics/ConnectStats\"\n or v == \"android/net/metrics/IpConnectivityLog\"\n or v == \"android/net/metrics/DhcpClientEvent\"\n or v == \"android/net/metrics/DnsEvent\"\n or v == \"android/net/metrics/ValidationProbeEvent\"\n or v == \"android/net/metrics/NetworkMetrics\"\n or v == \"android/net/metrics/DhcpErrorEvent\"\n or v == \"android/net/metrics/IpManagerEvent\"\n or v == \"android/net/metrics/IpReachabilityEvent\"\n or v == \"android/net/metrics/WakeupStats\"\n or v == \"android/net/metrics/ApfProgramEvent\"\n or v == \"android/net/metrics/ApfStats\"\n or v == \"android/net/metrics/NetworkEvent\"\n or v == \"android/net/Status\"\n or v == \"android/net/PacketKeepaliveCallback\"\n or v == \"android/net/PacketKeepalive\"\n or v == \"android/net/OnStartTetheringCallback\"\n or v == \"android/net/Errors\"\n or v == \"android/net/TooManyRequestsException\"\n or v == \"android/net/DataUsageRequest\"\n or v == 
\"android/net/IpConfiguration\"\n or v == \"android/net/InterfaceConfiguration\"\n or v == \"android/net/SntpClient\"\n or v == \"android/net/IpSecTransformResponse\"\n or v == \"android/net/ScoredNetwork\"\n or v == \"android/net/NetworkKey\"\n or v == \"android/net/NetworkIdentity\"\n or v == \"android/net/NetworkPolicy\"\n or v == \"android/net/NetworkUtils\"\n or v == \"android/net/DhcpResults\"\n or v == \"android/net/StaticIpConfiguration\"\n or v == \"android/net/MatchAllNetworkSpecifier\"\n or v == \"android/net/NetworkPolicyManager\"\n or v == \"android/net/NetworkScoreManager\"\n or v == \"android/net/StringNetworkSpecifier\"\n or v == \"android/net/MobileLinkQualityInfo\"\n or v == \"android/net/LinkQualityInfo\"\n or v == \"android/net/NetworkConfig\"\n or v == \"android/net/NetworkStats\"\n or v == \"android/net/RssiCurve\"\n or v == \"android/net/PacProxySelector\"\n or v == \"android/net/EthernetManager\"\n or v == \"android/net/UidRange\"\n or v == \"android/net/IpSecSpiResponse\"\n or v == \"android/net/NetworkTemplate\"\n or v == \"android/net/NetworkState\"\n or v == \"android/net/WifiLinkQualityInfo\"\n or v == \"android/net/NetworkQuotaInfo\"\n or v == \"android/net/WifiKey\"\n or v == \"android/net/wimax/WimaxManagerConstants\"\n or v == \"android/net/NetworkMisc\"\n or v == \"android/net/ConnectivityMetricsEvent\"\n or v == \"android/net/ConnectivityThread\"\n or v == \"android/net/NetworkAgent\"\n or v == \"android/net/IpSecUdpEncapResponse\"\n or v == \"android/net/CompareResult\"\n or v == \"android/net/IpSecConfig\"\n or v == \"android/net/NetworkRecommendationProvider\"\n or v == \"android/net/NetworkScorerAppData\"\n or v == \"android/net/nsd/DnsSdTxtRecord\"\n or v == \"android/net/NetworkFactory\"\n or v == \"android/app/ActivityManagerNative\"\n or v == \"android/app/BackStackRecord\"\n or v == \"android/app/PackageInstallObserver\"\n or v == \"android/app/LoadedApk\"\n or v == \"android/app/StackId\"\n or v == 
\"android/app/TaskThumbnailInfo\"\n or v == \"android/app/TaskThumbnail\"\n or v == \"android/app/TaskSnapshot\"\n or v == \"android/app/StackInfo\"\n or v == \"android/app/OnUidImportanceListener\"\n or v == \"android/app/assist/AutofillOverlay\"\n or v == \"android/app/TranslucentConversionListener\"\n or v == \"android/app/ActivityManagerInternal\"\n or v == \"android/app/ApplicationPackageManager\"\n or v == \"android/app/MoveCallbackDelegate\"\n or v == \"android/app/WaitResult\"\n or v == \"android/app/UiAutomationConnection\"\n or v == \"android/app/timezone/RulesManager\"\n or v == \"android/app/timezone/RulesState\"\n or v == \"android/app/timezone/Callback\"\n or v == \"android/app/timezone/DistroFormatVersion\"\n or v == \"android/app/timezone/DistroRulesVersion\"\n or v == \"android/app/timezone/RulesUpdaterContract\"\n or v == \"android/app/VrManager\"\n or v == \"android/app/ActivityView\"\n or v == \"android/app/ActivityThread\"\n or v == \"android/app/ContentProviderHolder\"\n or v == \"android/app/BroadcastOptions\"\n or v == \"android/app/JobSchedulerImpl\"\n or v == \"android/app/ResultInfo\"\n or v == \"android/app/TvExtender\"\n or v == \"android/app/UserSwitchObserver\"\n or v == \"android/app/admin/PasswordMetrics\"\n or v == \"android/app/admin/PolicyInfo\"\n or v == \"android/app/admin/DevicePolicyManagerInternal\"\n or v == \"android/app/ResourcesManager\"\n or v == \"android/app/PackageOps\"\n or v == \"android/app/OpEntry\"\n or v == \"android/app/OnOpChangedInternalListener\"\n or v == \"android/app/QueuedWork\"\n or v == \"android/app/ServiceStartArgs\"\n or v == \"android/app/usage/TimeSparseArray\"\n or v == \"android/app/usage/UsageStatsManagerInternal\"\n or v == \"android/app/usage/CacheQuotaService\"\n or v == \"android/app/usage/CacheQuotaHint\"\n or v == \"android/app/TaskStackListener\"\n or v == \"android/app/AppGlobals\"\n or v == \"android/app/StatusBarManager\"\n or v == \"android/app/OnMarshaledListener\"\n or v == 
\"android/app/ApplicationThreadConstants\"\n or v == \"android/app/EphemeralResolverService\"\n or v == \"android/app/ParcelableCrashInfo\"\n or v == \"android/app/job/JobHandler\"\n or v == \"android/app/Vr2dDisplayProperties\"\n or v == \"android/app/ProfilerInfo\"\n or v == \"android/app/trust/TrustManager\"\n or v == \"android/app/SearchDialog\"\n or v == \"android/app/InstantAppResolverService\"\n or v == \"android/app/OnActivityPausedListener\"\n or v == \"android/app/ActionKeyInfo\"\n or v == \"android/app/backup/BackupHelperDispatcher\"\n or v == \"android/app/backup/BackupManagerMonitor\"\n or v == \"android/app/backup/RestoreDescription\"\n or v == \"android/app/backup/SelectBackupTransportCallback\"\n or v == \"android/app/backup/BackupProgress\"\n or v == \"android/app/backup/AbsoluteFileBackupHelper\"\n or v == \"android/app/backup/FullBackup\"\n or v == \"android/app/backup/RestoreSession\"\n or v == \"android/app/backup/RestoreSet\"\n or v == \"android/app/backup/BlobBackupHelper\"\n or v == \"android/app/backup/BackupObserver\"\n or v == \"android/app/backup/WallpaperBackupHelper\"\n or v == \"android/app/backup/BackupTransport\"\n or v == \"android/app/SynchronousUserSwitchObserver\"\n or v == \"android/app/RecoverableSecurityException\"\n or v == \"android/app/LocalDialog\"\n or v == \"android/app/ApplicationLoaders\"\n or v == \"android/app/PackageDeleteObserver\"\n or v == \"android/app/OnAnimationStartedListener\"\n or v == \"android/app/OnAnimationFinishedListener\"\n or v == \"android/app/VrStateCallback\"\n or v == \"android/widget/SuggestionsAdapter\"\n or v == \"android/widget/DropDownListView\"\n or v == \"android/widget/ActionMenuChildView\"\n or v == \"android/widget/AppSecurityPermissions\"\n or v == \"android/widget/MyPermissionGroupInfo\"\n or v == \"android/widget/MyPermissionInfo\"\n or v == \"android/widget/PermissionItemView\"\n or v == \"android/widget/RadialTimePickerView\"\n or v == \"android/widget/Editor\"\n or v == 
\"android/widget/RemoteViewsAdapter\"\n or v == \"android/widget/RemoteViewsListAdapter\"\n or v == \"android/widget/MenuItemHoverListener\"\n or v == \"android/widget/MenuPopupWindow\"\n or v == \"android/widget/MenuDropDownListView\"\n or v == \"android/widget/CustomEditText\"\n or v == \"android/widget/TextInputTimePickerView\"\n or v == \"android/widget/ScrollBarDrawable\"\n or v == \"android/widget/SearchAutoComplete\"\n or v == \"android/widget/ActivityChooserView\"\n or v == \"android/widget/ActionMenuPresenter\"\n or v == \"android/widget/DatePickerDelegate\"\n or v == \"android/widget/ValidationCallback\"\n or v == \"android/widget/OnClickHandler\"\n or v == \"android/widget/OnViewAppliedListener\"\n or v == \"android/widget/ForwardingListener\"\n or v == \"android/widget/DateTimeView\"\n or v == \"android/widget/DatePickerController\"\n or v == \"android/widget/TextViewMetrics\"\n or v == \"android/widget/Delayer\"\n or v == \"android/widget/ActivityChooserModel\"\n or v == \"android/widget/SpellChecker\"\n or v == \"android/util/MergedConfiguration\"\n or v == \"android/util/PackageUtils\"\n or v == \"android/util/Spline\"\n or v == \"android/util/LocalLog\"\n or v == \"android/util/apk/ApkSignatureSchemeV2Verifier\"\n or v == \"android/util/proto/ProtoParseException\"\n or v == \"android/util/proto/EncodedBuffer\"\n or v == \"android/util/SuperNotCalledException\"\n or v == \"android/util/BackupUtils\"\n or v == \"android/util/Singleton\"\n or v == \"android/util/jar/StrictJarFile\"\n or v == \"android/util/jar/ZipInflaterInputStream\"\n or v == \"android/util/jar/FDStream\"\n or v == \"android/util/jar/StrictJarManifest\"\n or v == \"android/util/Pools\"\n or v == \"android/util/PrefixPrinter\"\n or v == \"android/util/PathParser\"\n or v == \"android/util/LongArray\"\n or v == \"android/util/MathUtils\"\n or v == \"android/util/FastImmutableArraySet\"\n or v == \"android/util/IntArray\"\n or v == \"android/util/ExceptionUtils\"\n or v == 
\"android/util/MemoryIntArray\"\n or v == \"android/util/DayOfMonthCursor\"\n or v == \"android/util/TrustedTime\"\n or v == \"android/util/ByteStringUtils\"\n or v == \"android/util/TerribleFailure\"\n or v == \"android/util/TerribleFailureHandler\"\n or v == \"android/util/NtpTrustedTime\"\n or v == \"android/util/TimingsTraceLog\"\n or v == \"android/util/IconDrawableFactory\"\n or v == \"android/util/LongSparseLongArray\"\n or v == \"android/util/RecurrenceRule\"\n or v == \"android/util/Slog\"\n or v == \"android/util/LauncherIcons\"\n or v == \"android/util/LogWriter\"\n or v == \"android/util/MapCollections\"\n or v == \"android/util/TimedRemoteCaller\"\n or v == \"android/util/KeyValueListParser\"\n or v == \"android/security/net/config/ApplicationConfig\"\n or v == \"android/security/net/config/ConfigSource\"\n or v == \"android/security/net/config/UserCertificateSource\"\n or v == \"android/security/net/config/CertificatesEntryRef\"\n or v == \"android/security/net/config/SystemCertificateSource\"\n or v == \"android/security/net/config/NetworkSecurityConfig\"\n or v == \"android/security/net/config/Builder\"\n or v == \"android/security/net/config/TrustAnchor\"\n or v == \"android/security/net/config/NetworkSecurityTrustManager\"\n or v == \"android/security/net/config/XmlConfigSource\"\n or v == \"android/security/net/config/Pin\"\n or v == \"android/security/net/config/ResourceCertificateSource\"\n or v == \"android/security/net/config/RootTrustManager\"\n or v == \"android/security/net/config/ManifestConfigSource\"\n or v == \"android/security/net/config/DirectoryCertificateSource\"\n or v == \"android/security/net/config/CertificateSource\"\n or v == \"android/security/net/config/PinSet\"\n or v == \"android/security/net/config/ConfigNetworkSecurityPolicy\"\n or v == \"android/security/net/config/TrustedCertificateStoreAdapter\"\n or v == \"android/security/net/config/RootTrustManagerFactorySpi\"\n or v == 
\"android/security/net/config/NetworkSecurityConfigProvider\"\n or v == \"android/security/net/config/Domain\"\n or v == \"android/security/keymaster/KeyCharacteristics\"\n or v == \"android/security/keymaster/KeymasterArguments\"\n or v == \"android/security/keymaster/KeyAttestationApplicationId\"\n or v == \"android/security/keymaster/ExportResult\"\n or v == \"android/security/keymaster/KeymasterDefs\"\n or v == \"android/security/keymaster/KeymasterCertificateChain\"\n or v == \"android/security/keymaster/KeymasterDateArgument\"\n or v == \"android/security/keymaster/KeymasterBooleanArgument\"\n or v == \"android/security/keymaster/KeymasterArgument\"\n or v == \"android/security/keymaster/KeymasterBlob\"\n or v == \"android/security/keymaster/OperationResult\"\n or v == \"android/security/keymaster/KeymasterBlobArgument\"\n or v == \"android/security/keymaster/KeyAttestationPackageInfo\"\n or v == \"android/security/keymaster/KeymasterIntArgument\"\n or v == \"android/security/keymaster/KeymasterLongArgument\"\n or v == \"android/security/FrameworkNetworkSecurityPolicy\"\n or v == \"android/security/KeystoreArguments\"\n or v == \"android/inputmethodservice/CompactExtractEditLayout\"\n or v == \"android/inputmethodservice/SoftInputWindow\"\n or v == \"android/inputmethodservice/ExtractEditLayout\"\n or v == \"android/provider/Presence\"\n or v == \"android/provider/SearchIndexableData\"\n or v == \"android/provider/SearchIndexablesContract\"\n or v == \"android/provider/SearchIndexablesProvider\"\n or v == \"android/provider/SyncConstValue\"\n or v == \"android/provider/OneTimeUseBuilder\"\n or v == \"android/provider/BrowserContract\"\n or v == \"android/provider/BaseSyncColumns\"\n or v == \"android/provider/ChromeSyncColumns\"\n or v == \"android/provider/SyncColumns\"\n or v == \"android/provider/ImageColumns\"\n or v == \"android/provider/Accounts\"\n or v == \"android/provider/Searches\"\n or v == \"android/provider/SyncState\"\n or v == 
\"android/provider/Combined\"\n or v == \"android/provider/Settings\"\n or v == \"android/provider/SettingsStringUtil\"\n or v == \"android/provider/Impl\"\n or v == \"android/provider/SearchIndexableResource\"\n or v == \"android/provider/MetadataReader\"\n or v == \"android/provider/Authorization\"\n or v == \"android/provider/SyncStateColumns\"\n or v == \"android/provider/PhotoFiles\"\n or v == \"android/provider/PhotoFilesColumns\"\n or v == \"android/provider/MetadataSyncColumns\"\n or v == \"android/provider/MetadataSync\"\n or v == \"android/provider/MetadataSyncStateColumns\"\n or v == \"android/provider/MetadataSyncState\"\n or v == \"android/provider/Validator\"\n or v == \"android/provider/Bookmarks\"\n or v == \"android/provider/TimeZoneRulesDataContract\"\n or v == \"android/provider/ContactsInternal\"\n or v == \"android/provider/CalendarMetaDataColumns\"\n or v == \"android/provider/CalendarMetaData\"\n or v == \"android/provider/EventsRawTimesColumns\"\n or v == \"android/provider/EventsRawTimes\"\n or v == \"android/provider/SystemContract\"\n or v == \"android/animation/AnimationHandler\"\n or v == \"android/animation/AnimationFrameCallbackProvider\"\n or v == \"android/animation/Tuple\"\n or v == \"android/animation/RevealAnimator\"\n or v == \"android/animation/KeyframeSet\"\n or v == \"android/animation/PropertyValues\"\n or v == \"android/animation/Keyframes\"\n or v == \"android/animation/PathKeyframes\"\n or v == \"android/content/pm/MacAuthenticatedInputStream\"\n or v == \"android/content/pm/InstantAppInfo\"\n or v == \"android/content/pm/split/SplitAssetDependencyLoader\"\n or v == \"android/content/pm/split/SplitAssetLoader\"\n or v == \"android/content/pm/split/DefaultSplitAssetLoader\"\n or v == \"android/content/pm/split/SplitDependencyLoader\"\n or v == \"android/content/pm/KeySet\"\n or v == \"android/content/pm/StringParceledListSlice\"\n or v == \"android/content/pm/VerifierInfo\"\n or v == 
\"android/content/pm/InstantAppRequest\"\n or v == \"android/content/pm/PackageBackwardCompatibility\"\n or v == \"android/content/pm/PackageManagerInternal\"\n or v == \"android/content/pm/InstantAppResolveInfo\"\n or v == \"android/content/pm/InstantAppDigest\"\n or v == \"android/content/pm/BaseParceledListSlice\"\n or v == \"android/content/pm/IntentFilterVerificationInfo\"\n or v == \"android/content/pm/OnPermissionsChangedListener\"\n or v == \"android/content/pm/MoveCallback\"\n or v == \"android/content/pm/LegacyPackageInstallObserver\"\n or v == \"android/content/pm/LegacyPackageDeleteObserver\"\n or v == \"android/content/pm/DexModuleRegisterCallback\"\n or v == \"android/content/pm/AppsQueryHelper\"\n or v == \"android/content/pm/FallbackCategoryProvider\"\n or v == \"android/content/pm/LimitedLengthInputStream\"\n or v == \"android/content/pm/VerificationParams\"\n or v == \"android/content/pm/PackageInfoLite\"\n or v == \"android/content/pm/PackageUserState\"\n or v == \"android/content/pm/SessionCallbackDelegate\"\n or v == \"android/content/pm/AuxiliaryResolveInfo\"\n or v == \"android/content/pm/RegisteredServicesCache\"\n or v == \"android/content/pm/InstantAppIntentFilter\"\n or v == \"android/content/pm/UserInfo\"\n or v == \"android/content/pm/PackageCleanItem\"\n or v == \"android/content/pm/XmlSerializerAndParser\"\n or v == \"android/content/pm/ParceledListSlice\"\n or v == \"android/content/pm/VerifierDeviceIdentity\"\n or v == \"android/content/pm/EphemeralResolveInfo\"\n or v == \"android/content/pm/EphemeralDigest\"\n or v == \"android/content/pm/EphemeralIntentFilter\"\n or v == \"android/content/pm/SELinuxUtil\"\n or v == \"android/content/pm/PackageParserCacheHelper\"\n or v == \"android/content/pm/permission/RuntimePermissionPresenter\"\n or v == \"android/content/pm/permission/RuntimePermissionPresentationInfo\"\n or v == \"android/content/pm/RegisteredServicesCacheListener\"\n or v == \"android/content/pm/PackageParser\"\n or v == 
\"android/content/pm/NewPermissionInfo\"\n or v == \"android/content/pm/SplitPermissionInfo\"\n or v == \"android/content/pm/ParseComponentArgs\"\n or v == \"android/content/pm/ShortcutServiceInternal\"\n or v == \"android/content/res/ResourcesKey\"\n or v == \"android/content/res/GradientColor\"\n or v == \"android/content/res/ComplexColor\"\n or v == \"android/content/res/ConfigurationBoundResourceCache\"\n or v == \"android/content/res/StringBlock\"\n or v == \"android/content/res/ResourceId\"\n or v == \"android/content/res/ResourcesImpl\"\n or v == \"android/content/res/CompatResources\"\n or v == \"android/content/res/ConstantState\"\n or v == \"android/content/res/XmlBlock\"\n or v == \"android/content/res/FontResourcesParser\"\n or v == \"android/content/res/CompatibilityInfo\"\n or v == \"android/content/res/Translator\"\n or v == \"android/content/OpenResourceIdResult\"\n or v == \"android/content/Transport\"\n or v == \"android/content/ContentInsertHandler\"\n or v == \"android/content/DefaultDataHandler\"\n or v == \"android/content/SyncActivityTooManyDeletes\"\n or v == \"android/content/DatabaseHelper\"\n or v == \"android/content/om/OverlayInfo\"\n or v == \"android/content/SyncStatusInfo\"\n or v == \"android/content/UndoOwner\"\n or v == \"android/content/CursorEntityIterator\"\n or v == \"android/content/ContentProviderNative\"\n or v == \"android/content/IContentProvider\"\n or v == \"android/content/SyncAdaptersCache\"\n or v == \"android/content/UndoManager\"\n or v == \"android/content/UndoOperation\"\n or v == \"android/content/CommandOptionHandler\"\n or v == \"android/print/PrintServiceRecommendationsLoader\"\n or v == \"android/print/PrintJobStateChangeListener\"\n or v == \"android/print/PrintServicesChangeListener\"\n or v == \"android/print/PrintServiceRecommendationsChangeListener\"\n or v == \"android/print/PrintDocumentAdapterDelegate\"\n or v == \"android/print/PrintJobStateChangeListenerWrapper\"\n or v == 
\"android/print/PrintServicesChangeListenerWrapper\"\n or v == \"android/print/PrintServiceRecommendationsChangeListenerWrapper\"\n or v == \"android/print/PrintFileDocumentAdapter\"\n or v == \"android/print/PrintServicesLoader\"\n or v == \"android/print/PrinterDiscoverySession\"\n or v == \"android/speech/tts/TtsEngines\"\n or v == \"android/preference/SeekBarVolumizer\"\n or v == \"android/preference/SeekBarDialogPreference\"\n or v == \"android/preference/MultiCheckPreference\"\n or v == \"android/preference/OnPreferenceTreeClickListener\"\n or v == \"android/preference/SeekBarPreference\"\n or v == \"android/preference/VolumePreference\"\n or v == \"android/preference/GenericInflater\"\n or v == \"android/preference/PreferenceGroupAdapter\"\n or v == \"android/preference/PreferenceFrameLayout\"\n or v == \"android/permissionpresenterservice/RuntimePermissionPresenterService\"\n or v == \"android/accounts/ChooseAccountTypeActivity\"\n or v == \"android/accounts/GrantCredentialsPermissionActivity\"\n or v == \"android/accounts/ChooseTypeAndAccountActivity\"\n or v == \"android/accounts/AccountManagerInternal\"\n or v == \"android/accounts/AccountManagerResponse\"\n or v == \"android/accounts/AccountAndUser\"\n or v == \"android/accounts/CantAddAccountActivity\"\n or v == \"android/accounts/ChooseAccountActivity\"\n or v == \"android/appwidget/PendingHostUpdate\"\n or v == \"android/nfc/dta/NfcDta\"\n or v == \"android/nfc/BeamShareData\"\n or v == \"android/nfc/cardemulation/ApduServiceInfo\"\n or v == \"android/nfc/cardemulation/AidGroup\"\n or v == \"android/nfc/cardemulation/NfcFServiceInfo\"\n or v == \"android/nfc/NfcUnlockHandler\"\n or v == \"android/nfc/NfcActivityManager\"\n or v == \"android/nfc/TechListParcel\"\n or v == \"android/nfc/ApduList\"\n or v == \"android/nfc/ErrorCodes\"\n or v == \"android/nfc/TransceiveResult\"\n or v == \"android/bluetooth/BluetoothCodecStatus\"\n or v == \"android/bluetooth/SdpRecord\"\n or v == 
\"android/bluetooth/BluetoothActivityEnergyInfo\"\n or v == \"android/bluetooth/SdpOppOpsRecord\"\n or v == \"android/bluetooth/SdpSapsRecord\"\n or v == \"android/bluetooth/BluetoothUuid\"\n or v == \"android/bluetooth/BluetoothA2dpSink\"\n or v == \"android/bluetooth/BluetoothHeadsetClientCall\"\n or v == \"android/bluetooth/BluetoothHeadsetClient\"\n or v == \"android/bluetooth/BluetoothAvrcpController\"\n or v == \"android/bluetooth/BluetoothPbapClient\"\n or v == \"android/bluetooth/BluetoothMapClient\"\n or v == \"android/bluetooth/UidTraffic\"\n or v == \"android/bluetooth/le/PeriodicAdvertisingManager\"\n or v == \"android/bluetooth/le/PeriodicAdvertisingReport\"\n or v == \"android/bluetooth/le/TruncatedFilter\"\n or v == \"android/bluetooth/le/BluetoothLeUtils\"\n or v == \"android/bluetooth/le/PeriodicAdvertisingCallback\"\n or v == \"android/bluetooth/le/ResultStorageDescriptor\"\n or v == \"android/bluetooth/BluetoothStateChangeCallback\"\n or v == \"android/bluetooth/StateChangeCallbackWrapper\"\n or v == \"android/bluetooth/BluetoothPan\"\n or v == \"android/bluetooth/BluetoothGattIncludedService\"\n or v == \"android/bluetooth/BluetoothAvrcp\"\n or v == \"android/bluetooth/BluetoothAvrcpPlayerSettings\"\n or v == \"android/bluetooth/BluetoothSap\"\n or v == \"android/bluetooth/BluetoothMasInstance\"\n or v == \"android/bluetooth/BluetoothDevicePicker\"\n or v == \"android/bluetooth/BluetoothHidHost\"\n or v == \"android/bluetooth/BluetoothCodecConfig\"\n or v == \"android/bluetooth/SdpMasRecord\"\n or v == \"android/bluetooth/BluetoothPbap\"\n or v == \"android/bluetooth/BluetoothAudioConfig\"\n or v == \"android/bluetooth/BluetoothMap\"\n or v == \"android/bluetooth/SdpPseRecord\"\n or v == \"android/bluetooth/SdpMnsRecord\"\n or v == \"android/bluetooth/OobData\"\n or v == \"android/view/InputFilter\"\n or v == \"android/view/HandlerActionQueue\"\n or v == \"android/view/WindowInfo\"\n or v == 
\"android/view/inputmethod/FinishedInputEventCallback\"\n or v == \"android/view/inputmethod/InputMethodSubtypeArray\"\n or v == \"android/view/inputmethod/InputMethodManagerInternal\"\n or v == \"android/view/inputmethod/SparseRectFArray\"\n or v == \"android/view/inputmethod/SparseRectFArrayBuilder\"\n or v == \"android/view/inputmethod/InputConnectionInspector\"\n or v == \"android/view/WindowManagerInternal\"\n or v == \"android/view/SurfaceControl\"\n or v == \"android/view/ViewHierarchyEncoder\"\n or v == \"android/view/OnWindowDismissedCallback\"\n or v == \"android/view/OnWindowSwipeDismissedCallback\"\n or v == \"android/view/WindowControllerCallback\"\n or v == \"android/view/InputChannel\"\n or v == \"android/view/InputEventReceiver\"\n or v == \"android/view/OnWindowShownListener\"\n or v == \"android/view/InternalInsetsInfo\"\n or v == \"android/view/OnComputeInternalInsetsListener\"\n or v == \"android/view/OnEnterAnimationCompleteListener\"\n or v == \"android/view/WindowManagerGlobal\"\n or v == \"android/view/textclassifier/TextClassifierConstants\"\n or v == \"android/view/textclassifier/TextClassifierImpl\"\n or v == \"android/view/textclassifier/LinksInfo\"\n or v == \"android/view/textclassifier/EntityConfidence\"\n or v == \"android/view/InputEventSender\"\n or v == \"android/view/FrameInfo\"\n or v == \"android/view/ViewRootImpl\"\n or v == \"android/view/RenderNode\"\n or v == \"android/view/animation/TranslateYAnimation\"\n or v == \"android/view/animation/ClipRectAnimation\"\n or v == \"android/view/animation/TranslateXAnimation\"\n or v == \"android/view/autofill/AutofillPopupWindow\"\n or v == \"android/view/autofill/Helper\"\n or v == \"android/view/autofill/AutofillClient\"\n or v == \"android/view/autofill/ParcelableMap\"\n or v == \"android/view/autofill/AutofillManagerInternal\"\n or v == \"android/view/RecordingCanvas\"\n or v == \"android/view/ThreadedRenderer\"\n or v == \"android/view/DisplayEventReceiver\"\n or v == 
\"android/view/GhostView\"\n or v == \"android/view/NotificationHeaderView\"\n or v == \"android/view/RenderNodeAnimator\"\n or v == \"android/view/WindowManagerPolicy\"\n or v == \"android/view/FinishedInputEventCallback\"\n or v == \"android/view/WindowCallbackWrapper\"\n or v == \"android/view/FallbackAction\"\n or v == \"android/view/DisplayAdjustments\"\n or v == \"android/view/AppTransitionAnimationSpec\"\n or v == \"android/view/InputEventConsistencyVerifier\"\n or v == \"android/view/KeyboardShortcutsReceiver\"\n or v == \"android/view/FallbackEventHandler\"\n or v == \"android/view/ViewReplaceRunnable\"\n or v == \"android/view/WindowCallbacks\"\n or v == \"android/view/WindowManagerImpl\"\n or v == \"android/view/RenderNodeAnimatorSetHelper\"\n or v == \"android/view/MagnificationSpec\"\n or v == \"android/view/DisplayListCanvas\"\n or v == \"android/view/accessibility/AccessibilityServicesStateChangeListener\"\n or v == \"android/view/accessibility/HighTextContrastChangeListener\"\n or v == \"android/view/accessibility/AccessibilityInteractionClient\"\n or v == \"android/view/accessibility/AccessibilityCache\"\n or v == \"android/view/Estimator\"\n or v == \"android/view/HierarchyHandler\"\n or v == \"android/view/DisplayInfo\"\n or v == \"android/view/HardwareLayer\"\n or v == \"android/view/SurfaceSession\"\n or v == \"android/view/BatchedInputEventReceiver\"\n or v == \"android/view/FrameMetricsObserver\"\n or v == \"android/view/FocusFinderHelper\"\n or v == \"android/view/AccessibilityIterators\"\n or v == \"android/view/TextSegmentIterator\"\n or v == \"android/view/AbstractTextSegmentIterator\"\n or v == \"android/view/SubUiVisibilityListener\"\n or v == \"android/accessibilityservice/CapabilityInfo\"\n or v == \"android/accessibilityservice/TouchPoint\"\n or v == \"android/accessibilityservice/GestureStep\"\n or v == \"android/accessibilityservice/MotionEventGenerator\"\n or v == \"android/accessibilityservice/Callbacks\"\n or v == 
\"android/accessibilityservice/IAccessibilityServiceClientWrapper\"\n or v == \"android/os/MyReadMapCallback\"\n or v == \"android/os/SynchronousResultReceiver\"\n or v == \"android/os/BatteryProperty\"\n or v == \"android/os/NoImagePreloadHolder\"\n or v == \"android/os/IHwInterface\"\n or v == \"android/os/PerformanceCollector\"\n or v == \"android/os/SystemVibrator\"\n or v == \"android/os/IServiceManager\"\n or v == \"android/os/HidlSupport\"\n or v == \"android/os/ServiceSpecificException\"\n or v == \"android/os/UserEnvironment\"\n or v == \"android/os/AsyncResult\"\n or v == \"android/os/PowerSaveState\"\n or v == \"android/os/Broadcaster\"\n or v == \"android/os/FactoryTest\"\n or v == \"android/os/HwParcel\"\n or v == \"android/os/IHwBinder\"\n or v == \"android/os/ParcelableException\"\n or v == \"android/os/ShellCommand\"\n or v == \"android/os/ServiceManager\"\n or v == \"android/os/ServiceNotFoundException\"\n or v == \"android/os/ProcessStartResult\"\n or v == \"android/os/SELinux\"\n or v == \"android/os/ReadWriteHelper\"\n or v == \"android/os/NoneVibrator\"\n or v == \"android/os/VintfObject\"\n or v == \"android/os/BatteryProperties\"\n or v == \"android/os/HwBinder\"\n or v == \"android/os/HwRemoteBinder\"\n or v == \"android/os/GraphicsEnvironment\"\n or v == \"android/os/ShellCallback\"\n or v == \"android/os/IncidentManager\"\n or v == \"android/os/FileUtils\"\n or v == \"android/os/health/HealthStatsWriter\"\n or v == \"android/os/health/HealthKeys\"\n or v == \"android/os/health/Constants\"\n or v == \"android/os/health/HealthStatsParceler\"\n or v == \"android/os/ParcelableParcel\"\n or v == \"android/os/PowerManagerInternal\"\n or v == \"android/os/Temperature\"\n or v == \"android/os/BatteryStats\"\n or v == \"android/os/ZygoteProcess\"\n or v == \"android/os/ViolationListener\"\n or v == \"android/os/StrictModeViolation\"\n or v == \"android/os/StrictModeNetworkViolation\"\n or v == \"android/os/StrictModeDiskReadViolation\"\n or v == 
\"android/os/StrictModeDiskWriteViolation\"\n or v == \"android/os/StrictModeCustomViolation\"\n or v == \"android/os/StrictModeResourceMismatchViolation\"\n or v == \"android/os/StrictModeUnbufferedIOViolation\"\n or v == \"android/os/Span\"\n or v == \"android/os/ViolationInfo\"\n or v == \"android/os/storage/StorageManagerInternal\"\n or v == \"android/os/storage/StorageResultCode\"\n or v == \"android/os/storage/VolumeRecord\"\n or v == \"android/os/storage/DiskInfo\"\n or v == \"android/os/storage/VolumeInfo\"\n or v == \"android/os/storage/StorageEventListener\"\n or v == \"android/os/SystemProperties\"\n or v == \"android/os/RemoteCallback\"\n or v == \"android/os/Registrant\"\n or v == \"android/os/RevocableFileDescriptor\"\n or v == \"android/os/UEventObserver\"\n or v == \"android/os/ServiceManagerNative\"\n or v == \"android/os/UpdateEngine\"\n or v == \"android/os/BatteryManagerInternal\"\n or v == \"android/os/UpdateLock\"\n or v == \"android/os/OneShot\"\n or v == \"android/os/Waveform\"\n or v == \"android/os/Prebaked\"\n or v == \"android/os/EnforcingUser\"\n or v == \"android/os/PooledStringReader\"\n or v == \"android/os/CommonClock\"\n or v == \"android/os/IncidentReportArgs\"\n or v == \"android/os/RemoteMailException\"\n or v == \"android/os/CommonTimeConfig\"\n or v == \"android/os/RegistrantList\"\n or v == \"android/os/HwBlob\"\n or v == \"android/os/FileBridge\"\n or v == \"android/os/UserManagerInternal\"\n or v == \"android/os/SystemService\"\n or v == \"android/os/Seccomp\"\n or v == \"android/os/VintfRuntimeInfo\"\n or v == \"android/os/UpdateEngineCallback\"\n or v == \"android/os/TransactionTracker\"\n or v == \"android/os/ConfigUpdate\"\n or v == \"android/os/PooledStringWriter\"\n or v == \"android/text/FontConfig\"\n or v == \"android/text/TextLine\"\n or v == \"android/text/PackedIntVector\"\n or v == \"android/text/PositionIterator\"\n or v == \"android/text/style/AccessibilityClickableSpan\"\n or v == 
\"android/text/style/SuggestionRangeSpan\"\n or v == \"android/text/style/AccessibilityURLSpan\"\n or v == \"android/text/style/SpellCheckSpan\"\n or v == \"android/text/MeasuredText\"\n or v == \"android/text/AndroidBidi\"\n or v == \"android/text/SpanSet\"\n or v == \"android/text/format/BytesResult\"\n or v == \"android/text/CharSequenceCharacterIterator\"\n or v == \"android/text/Hyphenator\"\n or v == \"android/text/Emoji\"\n or v == \"android/text/GraphicsOperations\"\n or v == \"android/text/method/TransformationMethod2\"\n or v == \"android/text/method/WordIterator\"\n or v == \"android/text/method/AllCapsTransformationMethod\"\n or v == \"android/service/oemlock/OemLockManager\"\n or v == \"android/service/notification/SnoozeCriterion\"\n or v == \"android/service/notification/NotificationRankingUpdate\"\n or v == \"android/service/notification/Adjustment\"\n or v == \"android/service/notification/NotificationListenerWrapper\"\n or v == \"android/service/notification/NotificationAssistantService\"\n or v == \"android/service/notification/ZenModeConfig\"\n or v == \"android/service/gatekeeper/GateKeeperResponse\"\n or v == \"android/service/euicc/GetDownloadableSubscriptionMetadataResult\"\n or v == \"android/service/euicc/GetDefaultDownloadableSubscriptionListResult\"\n or v == \"android/service/euicc/EuiccProfileInfo\"\n or v == \"android/service/euicc/GetEuiccProfileInfoListResult\"\n or v == \"android/service/euicc/EuiccService\"\n or v == \"android/service/autofill/OptionalValidators\"\n or v == \"android/service/autofill/InternalValidator\"\n or v == \"android/service/autofill/RequiredValidators\"\n or v == \"android/service/autofill/AutofillServiceInfo\"\n or v == \"android/service/autofill/ValueFinder\"\n or v == \"android/service/autofill/InternalTransformation\"\n or v == \"android/service/voice/SoundTriggerListener\"\n or v == \"android/service/voice/VoiceInteractionServiceInfo\"\n or v == 
\"android/service/voice/VoiceInteractionManagerInternal\"\n or v == \"android/service/persistentdata/PersistentDataBlockManager\"\n or v == \"android/service/wallpaper/WallpaperSettingsActivity\"\n or v == \"android/service/trust/TrustAgentService\"\n or v == \"android/service/dreams/Sandman\"\n or v == \"android/service/dreams/DreamManagerInternal\"\n or v == \"android/service/carrier/ICarrierServiceWrapper\"\n or v == \"android/service/carrier/MatchType\"\n or v == \"android/service/resolver/ResolverRankerService\"\n or v == \"android/service/resolver/ResolverTarget\"\n or v == \"android/companion/BluetoothDeviceFilterUtils\"\n or v == \"com/android/server/AppWidgetBackupBridge\"\n or v == \"com/android/server/net/BaseNetworkObserver\"\n or v == \"com/android/server/net/NetlinkTracker\"\n or v == \"com/android/server/WidgetBackupProvider\"\n or v == \"com/android/server/LocalServices\"\n or v == \"android/security/KeyStoreException\"\n or v == \"android/security/keystore/AndroidKeyStoreBCWorkaroundProvider\"\n or v == \"android/security/keystore/AndroidKeyStoreHmacSpi\"\n or v == \"android/security/keystore/AndroidKeyStoreCipherSpiBase\"\n or v == \"android/security/keystore/AndroidKeyStorePublicKey\"\n or v == \"android/security/keystore/AndroidKeyStoreSecretKey\"\n or v == \"android/security/keystore/AndroidKeyStoreECPrivateKey\"\n or v == \"android/security/keystore/AndroidKeyStoreKeyGeneratorSpi\"\n or v == \"android/security/keystore/KeyStoreCryptoOperationChunkedStreamer\"\n or v == \"android/security/keystore/Purpose\"\n or v == \"android/security/keystore/KeyAlgorithm\"\n or v == \"android/security/keystore/BlockMode\"\n or v == \"android/security/keystore/EncryptionPadding\"\n or v == \"android/security/keystore/Digest\"\n or v == \"android/security/keystore/Origin\"\n or v == \"android/security/keystore/DeviceIdAttestationException\"\n or v == \"android/security/keystore/ArrayUtils\"\n or v == 
\"android/security/keystore/AndroidKeyStoreRSASignatureSpi\"\n or v == \"android/security/keystore/Utils\"\n or v == \"android/security/keystore/AndroidKeyStoreSignatureSpiBase\"\n or v == \"android/security/keystore/AndroidKeyStoreRSAPrivateKey\"\n or v == \"android/security/keystore/AndroidKeyStoreRSACipherSpi\"\n or v == \"android/security/keystore/AndroidKeyStoreECDSASignatureSpi\"\n or v == \"android/security/keystore/AndroidKeyStoreKeyFactorySpi\"\n or v == \"android/security/keystore/AndroidKeyStoreAuthenticatedAESCipherSpi\"\n or v == \"android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi\"\n or v == \"android/security/keystore/AndroidKeyStoreSpi\"\n or v == \"android/security/keystore/KeyStoreCryptoOperationUtils\"\n or v == \"android/security/keystore/AttestationUtils\"\n or v == \"android/security/keystore/KeyStoreCryptoOperation\"\n or v == \"android/security/keystore/KeymasterUtils\"\n or v == \"android/security/keystore/AndroidKeyStoreRSAPublicKey\"\n or v == \"android/security/keystore/KeyStoreConnectException\"\n or v == \"android/security/keystore/AndroidKeyStoreECPublicKey\"\n or v == \"android/security/keystore/AndroidKeyStoreKey\"\n or v == \"android/security/keystore/AndroidKeyStoreUnauthenticatedAESCipherSpi\"\n or v == \"android/security/keystore/AndroidKeyStorePrivateKey\"\n or v == \"android/security/keystore/KeyStoreCryptoOperationStreamer\"\n or v == \"android/security/keystore/AndroidKeyStoreProvider\"\n or v == \"android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi\"\n or v == \"android/security/Credentials\"\n or v == \"android/security/KeyChainConnection\"\n or v == \"android/security/GateKeeper\"\n or v == \"android/security/SystemKeyStore\"\n or v == \"android/security/KeyStore\"\n or v == \"android/net/lowpan/Builder\"\n or v == \"android/net/lowpan/LowpanProperty\"\n or v == \"android/net/lowpan/LowpanProperties\"\n or v == \"android/net/lowpan/LowpanStandardProperty\"\n or v == 
\"android/location/GpsMeasurementsEvent\"\n or v == \"android/location/Listener\"\n or v == \"android/location/LocalListenerHelper\"\n or v == \"android/location/Country\"\n or v == \"android/location/GpsNavigationMessage\"\n or v == \"android/location/GpsClock\"\n or v == \"android/location/GeocoderParams\"\n or v == \"android/location/FusedBatchOptions\"\n or v == \"android/location/GpsNavigationMessageEvent\"\n or v == \"android/location/Listener\"\n or v == \"android/location/BatchedLocationCallback\"\n or v == \"android/location/CountryListener\"\n or v == \"android/location/CountryDetector\"\n or v == \"android/location/Geofence\"\n or v == \"android/location/BatchedLocationCallbackTransport\"\n or v == \"android/location/GnssMeasurementCallbackTransport\"\n or v == \"android/location/LocationRequest\"\n or v == \"android/location/GpsMeasurement\"\n or v == \"android/location/GnssNavigationMessageCallbackTransport\"\n or v == \"javax/obex/HeaderSet\"\n or v == \"javax/obex/BaseStream\"\n or v == \"javax/obex/ClientOperation\"\n or v == \"javax/obex/ServerSession\"\n or v == \"javax/obex/Operation\"\n or v == \"javax/obex/PrivateInputStream\"\n or v == \"javax/obex/PrivateOutputStream\"\n or v == \"javax/obex/ClientSession\"\n or v == \"javax/obex/SessionNotifier\"\n or v == \"javax/obex/ApplicationParameter\"\n or v == \"javax/obex/ServerOperation\"\n or v == \"javax/obex/Authenticator\"\n or v == \"javax/obex/ResponseCodes\"\n or v == \"javax/obex/ObexHelper\"\n or v == \"javax/obex/PasswordAuthentication\"\n or v == \"javax/obex/ObexTransport\"\n or v == \"javax/obex/ServerRequestHandler\"\n or v == \"javax/obex/ObexSession\"\n or v == \"android/net/util/PacketReaderTest\"\n or v == \"android/net/util/ConnectivityPacketSummaryTest\"\n or v == \"android/testing/LayoutInflaterBuilder\"\n or v == \"androidx/media/filterfw/GLToolbox\"\n or v == \"android/security/net/config/TestCertificateSource\"\n or v == \"android/security/net/config/TestConfigSource\"\n or 
v == \"com/android/uiautomator/core/Tracer\"\n or v == \"com/android/uiautomator/core/AccessibilityNodeInfoDumper\"\n or v == \"com/android/uiautomator/core/UiAutomatorBridge\"\n or v == \"com/android/uiautomator/testrunner/UiAutomatorTestCaseFilter\"\n or v == \"com/android/uiautomator/testrunner/TestCaseCollector\"\n or v == \"com/android/uiautomator/testrunner/UiAutomatorTestRunner\"\n or v == \"com/android/uiautomator/core/ShellUiAutomatorBridge\"\n or v == \"com/android/uiautomator/core/UiAutomationShellWrapper\"\n or v == \"com/android/uiautomator/core/InstrumentationUiAutomatorBridge\"\n or v == \"android/renderscript/ProgramRaster\"\n or v == \"android/renderscript/ProgramVertex\"\n or v == \"android/renderscript/Builder\"\n or v == \"android/renderscript/ProgramFragmentFixedFunction\"\n or v == \"android/renderscript/RenderScriptGL\"\n or v == \"android/renderscript/FileA3D\"\n or v == \"android/renderscript/ProgramVertexFixedFunction\"\n or v == \"android/renderscript/ProgramFragment\"\n or v == \"android/renderscript/Font\"\n or v == \"android/renderscript/RSTextureView\"\n or v == \"android/renderscript/RSSurfaceView\"\n or v == \"android/renderscript/Program\"\n or v == \"android/renderscript/ProgramStore\"\n or v == \"android/renderscript/Mesh\"\n or v == \"android/renderscript/RenderScriptCacheDir\"\n or v == \"android/telephony/ClientRequestStats\"\n or v == \"android/telephony/TelephonyHistogram\"\n or v == \"android/telephony/ModemActivityInfo\"\n or v == \"android/telephony/PreciseDisconnectCause\"\n or v == \"android/telephony/cdma/CdmaSmsCbProgramData\"\n or v == \"android/telephony/cdma/CdmaSmsCbProgramResults\"\n or v == \"android/telephony/PreciseCallState\"\n or v == \"android/telephony/SubscriptionPlan\"\n or v == \"android/telephony/VoLteServiceState\"\n or v == \"android/telephony/DisconnectCause\"\n or v == \"android/telephony/UiccAccessRule\"\n or v == \"android/telephony/euicc/EuiccManager\"\n or v == 
\"android/telephony/euicc/DownloadableSubscription\"\n or v == \"android/telephony/RadioAccessFamily\"\n or v == \"android/telephony/PcoData\"\n or v == \"android/telephony/Builder\"\n or v == \"android/telephony/WifiCallingChoices\"\n or v == \"android/telephony/ims/ImsService\"\n or v == \"android/telephony/ims/stub/ImsCallSessionListenerImplBase\"\n or v == \"android/telephony/ims/feature/ImsFeature\"\n or v == \"android/telephony/CdmaBands\"\n or v == \"android/telephony/UssdResponse\"\n or v == \"android/telephony/PreciseDataConnectionState\"\n or v == \"android/provider/CarrierColumns\"\n or v == \"android/provider/WordsTable\"\n or v == \"android/provider/CellBroadcasts\"\n or v == \"android/provider/CarrierIdentification\"\n or v == \"android/telephony/data/InterfaceAddress\"\n or v == \"android/telephony/data/DataCallResponse\"\n or v == \"android/telephony/data/DataProfile\"\n or v == \"android/telephony/Rlog\"\n or v == \"android/telephony/ImsiEncryptionInfo\"\n or v == \"android/telephony/mbms/InternalStreamingSessionCallback\"\n or v == \"android/telephony/mbms/MbmsTempFileProvider\"\n or v == \"android/telephony/mbms/OpaqueDataContainer\"\n or v == \"android/telephony/mbms/InternalDownloadSessionCallback\"\n or v == \"android/telephony/mbms/InternalStreamingServiceCallback\"\n or v == \"android/telephony/mbms/UriPathPair\"\n or v == \"android/telephony/mbms/InternalDownloadStateCallback\"\n or v == \"android/telephony/mbms/MbmsUtils\"\n or v == \"android/telephony/mbms/vendor/MbmsDownloadServiceBase\"\n or v == \"android/telephony/mbms/vendor/MbmsStreamingServiceBase\"\n or v == \"android/telephony/mbms/vendor/VendorUtils\"\n or v == \"android/telephony/DataConnectionRealTimeInfo\"\n or v == \"android/telephony/SmsCbLocation\"\n or v == \"android/telephony/SmsCbEtwsInfo\"\n or v == \"android/telephony/SmsCbMessage\"\n or v == \"android/telephony/SmsCbCmasInfo\"\n or v == \"com/android/ims/ImsStreamMediaProfile\"\n or v == 
\"com/android/ims/ImsReasonInfo\"\n or v == \"com/android/ims/ImsCallForwardInfo\"\n or v == \"com/android/ims/ImsExternalCallState\"\n or v == \"com/android/ims/ImsConfig\"\n or v == \"com/android/ims/ImsException\"\n or v == \"com/android/ims/ImsCallProfile\"\n or v == \"com/android/ims/ImsSuppServiceNotification\"\n or v == \"com/android/ims/ImsUtInterface\"\n or v == \"com/android/ims/ImsConferenceState\"\n or v == \"com/android/ims/ImsSsInfo\"\n or v == \"com/android/ims/ImsSsData\"\n or v == \"com/android/settingslib/NetworkPolicyEditor\"\n or v == \"com/android/sharedstoragebackup/ObbBackupService\"\n or v == \"com/android/providers/settings/SettingsProtoDumpUtil\"\n or v == \"com/android/statementservice/retriever/AndroidPackageInfoFetcher\"\n or v == \"com/android/statementservice/retriever/URLFetcher\"\n or v == \"com/android/statementservice/retriever/WebContent\"\n or v == \"com/android/backupconfirm/BackupRestoreConfirmation\"\n or v == \"com/android/proxyhandler/ProxyServer\"\n or v == \"com/android/proxyhandler/SocketConnect\"\n or v == \"com/android/proxyhandler/ProxyService\"\n or v == \"com/android/pacprocessor/PacNative\"\n or v == \"com/android/systemui/media/NotificationPlayer\"\n or v == \"junit/runner/TestRunListener\"\n or v == \"junit/runner/StandardTestSuiteLoader\"\n or v == \"android/test/LaunchPerformanceBase\"\n or v == \"android/test/NoExecTestResult\"\n or v == \"android/test/ClassPathPackageInfoSource\"\n or v == \"android/test/TestPrinter\"\n or v == \"android/test/suitebuilder/UnitTestSuiteBuilder\"\n or v == \"android/test/suitebuilder/TestGrouping\"\n or v == \"android/test/suitebuilder/TestPredicates\"\n or v == \"android/test/suitebuilder/SmokeTestSuiteBuilder\"\n or v == \"android/test/TestCaseUtil\"\n or v == \"android/test/mock/MockIContentProvider\"\n or v == \"android/telecom/TimedEvent\"\n or v == \"android/telecom/DefaultDialerManager\"\n or v == \"android/telecom/ParcelableRttCall\"\n or v == 
\"android/telecom/AudioState\"\n or v == \"android/telecom/Phone\"\n or v == \"android/telecom/ParcelableCallAnalytics\"\n or v == \"android/telecom/VideoEvent\"\n or v == \"android/telecom/TelecomAnalytics\"\n or v == \"android/telecom/CallbackRecord\"\n or v == \"android/telecom/Response\"\n or v == \"android/telecom/VideoCallImpl\"\n or v == \"android/telecom/ConnectionServiceAdapter\"\n or v == \"android/telecom/Builder\"\n or v == \"android/telecom/RemoteConnectionService\"\n or v == \"android/telecom/AuthenticatorService\"\n or v == \"android/telecom/Listener\"\n or v == \"android/telecom/ConferenceParticipant\"\n or v == \"android/telecom/ParcelableConnection\"\n or v == \"android/telecom/ParcelableCall\"\n or v == \"android/telecom/Log\"\n or v == \"android/telecom/Listener\"\n or v == \"android/telecom/RttTextStream\"\n or v == \"android/telecom/RemoteConnectionManager\"\n or v == \"android/telecom/ParcelableConference\"\n or v == \"android/telecom/Voicemail\"\n or v == \"android/telecom/ConnectionServiceAdapterServant\"\n or v == \"android/telecom/VideoCallbackServant\"\n or v == \"android/telecom/Listener\"\n or v == \"android/telecom/Logging/TimedEvent\"\n or v == \"android/telecom/Logging/Runnable\"\n or v == \"android/telecom/Logging/Session\"\n or v == \"android/telecom/InCallAdapter\"\n or v == \"android/graphics/GraphicBuffer\"\n or v == \"android/graphics/CanvasProperty\"\n or v == \"android/graphics/drawable/AnimatedRotateDrawable\"\n or v == \"android/graphics/drawable/VectorDrawableAnimatorRT\"\n or v == \"android/graphics/drawable/DrawableInflater\"\n or v == \"android/graphics/Insets\"\n or v == \"android/graphics/BaseCanvas\"\n or v == \"android/graphics/pdf/PdfEditor\"\n or v == \"android/graphics/Renderer\"\n or v == \"android/graphics/LeakyTypefaceStorage\"\n or v == \"android/graphics/TemporaryBuffer\"\n or v == \"android/graphics/InsetStruct\"\n or v == \"android/graphics/LargeBitmap\"\n or v == \"android/graphics/FontListParser\"\n or 
v == \"android/graphics/FontFamily\"\n or v == \"android/graphics/TableMaskFilter\"\n or v == \"android/net/util/NetworkConstants\"\n or v == \"android/net/util/Stopwatch\"\n or v == \"android/net/util/PrefixUtils\"\n or v == \"android/net/util/NetdService\"\n or v == \"android/net/util/IpUtils\"\n or v == \"android/net/util/VersionedBroadcastListener\"\n or v == \"android/net/util/SharedLog\"\n or v == \"android/net/util/ConnectivityPacketSummary\"\n or v == \"android/net/util/MultinetworkPolicyTracker\"\n or v == \"android/net/util/PacketReader\"\n or v == \"android/net/netlink/StructNlMsgHdr\"\n or v == \"android/net/netlink/StructNdMsg\"\n or v == \"android/net/netlink/StructNlMsgErr\"\n or v == \"android/net/netlink/NetlinkSocket\"\n or v == \"android/net/netlink/StructNlAttr\"\n or v == \"android/net/netlink/NetlinkMessage\"\n or v == \"android/net/netlink/ConntrackMessage\"\n or v == \"android/net/netlink/StructNfGenMsg\"\n or v == \"android/net/netlink/StructNdaCacheInfo\"\n or v == \"android/net/netlink/NetlinkConstants\"\n or v == \"android/net/netlink/NetlinkErrorMessage\"\n or v == \"android/net/netlink/RtNetlinkNeighborMessage\"\n or v == \"android/net/apf/ApfGenerator\"\n or v == \"android/net/apf/ApfCapabilities\"\n or v == \"android/net/apf/ApfFilter\"\n or v == \"android/net/dhcp/DhcpClient\"\n or v == \"android/net/dhcp/DhcpPacket\"\n or v == \"android/net/ip/IpReachabilityMonitor\"\n or v == \"android/net/ip/InterfaceController\"\n or v == \"android/net/ip/IpClient\"\n or v == \"android/net/ip/IpNeighborMonitor\"\n or v == \"android/net/ip/RouterAdvertisementDaemon\"\n or v == \"android/net/ip/ConnectivityPacketTracker\"\n or v == \"com/android/server/pm/PackageManagerServiceUtils\"\n or v == \"com/android/server/pm/BackgroundDexOptService\"\n or v == \"com/android/server/pm/InstructionSets\"\n or v == \"com/android/server/pm/EphemeralResolverConnection\"\n or v == \"com/android/server/pm/SELinuxMMAC\"\n or v == 
\"com/android/server/pm/OtaDexoptService\"\n or v == \"com/android/server/pm/InstantAppResolver\"\n or v == \"com/android/server/pm/PackageManagerException\"\n or v == \"com/android/server/vr/SettingsObserver\"\n or v == \"com/android/server/vr/VrManagerInternal\"\n or v == \"com/android/server/vr/EnabledComponentsObserver\"\n or v == \"com/android/server/vr/VrManagerService\"\n or v == \"com/android/server/vr/VrStateListener\"\n or v == \"com/android/server/webkit/SystemInterface\"\n or v == \"com/android/server/webkit/WebViewUpdateService\"\n or v == \"com/android/server/webkit/SystemImpl\"\n or v == \"com/android/server/webkit/WebViewUpdateServiceImpl\"\n or v == \"com/android/server/net/NetworkPolicyManagerInternal\"\n or v == \"com/android/server/net/NetworkIdentitySet\"\n or v == \"com/android/server/fingerprint/FingerprintService\"\n or v == \"com/android/server/am/BackupRecord\"\n or v == \"com/android/server/GraphicsStatsService\"\n or v == \"com/android/server/connectivity/Vpn\"\n or v == \"com/android/server/connectivity/IpConnectivityMetrics\"\n or v == \"com/android/server/connectivity/tethering/TetheringConfiguration\"\n or v == \"com/android/server/connectivity/tethering/OffloadHardwareInterface\"\n or v == \"com/android/server/connectivity/tethering/OffloadController\"\n or v == \"com/android/server/connectivity/tethering/TetherInterfaceStateMachine\"\n or v == \"com/android/server/connectivity/tethering/UpstreamNetworkMonitor\"\n or v == \"com/android/server/connectivity/tethering/SimChangeListener\"\n or v == \"com/android/server/connectivity/tethering/IPv6TetheringCoordinator\"\n or v == \"com/android/server/connectivity/tethering/TetheringDependencies\"\n or v == \"com/android/server/connectivity/tethering/IControlsTethering\"\n or v == \"com/android/server/connectivity/PacManager\"\n or v == \"com/android/server/connectivity/NetworkMonitor\"\n or v == \"com/android/server/connectivity/CaptivePortalProbeResult\"\n or v == 
\"com/android/server/connectivity/IpConnectivityEventBuilder\"\n or v == \"com/android/server/connectivity/NetworkDiagnostics\"\n or v == \"com/android/server/connectivity/Tethering\"\n or v == \"com/android/server/connectivity/PermissionMonitor\"\n or v == \"com/android/server/connectivity/KeepalivePacketData\"\n or v == \"com/android/server/connectivity/DefaultNetworkMetrics\"\n or v == \"com/android/server/connectivity/Nat464Xlat\"\n or v == \"com/android/server/security/KeyAttestationApplicationIdProviderService\"\n or v == \"com/android/server/input/InputWindowHandle\"\n or v == \"com/android/server/input/InputApplicationHandle\"\n or v == \"com/android/server/notification/NotificationManagerService\"\n or v == \"com/android/server/notification/NotificationUsageStats\"\n or v == \"com/android/server/notification/RateEstimator\"\n or v == \"com/android/server/notification/AlertRateLimiter\"\n or v == \"com/android/server/notification/NotificationRecord\"\n or v == \"com/android/server/notification/ValidateNotificationPeople\"\n or v == \"com/android/server/notification/RankingReconsideration\"\n or v == \"com/android/server/camera/CameraServiceProxy\"\n or v == \"com/android/server/location/PassiveProvider\"\n or v == \"com/android/server/location/ActivityRecognitionProxy\"\n or v == \"com/android/server/location/CountryDetectorBase\"\n or v == \"com/android/server/location/GnssLocationProvider\"\n or v == \"com/android/server/location/ContextHubService\"\n or v == \"com/android/server/location/FusedProxy\"\n or v == \"com/android/server/location/GeofenceProxy\"\n or v == \"com/android/server/location/GnssNavigationMessageProvider\"\n or v == \"com/android/server/location/LocationProviderInterface\"\n or v == \"com/android/server/location/GpsXtraDownloader\"\n or v == \"com/android/server/location/FusedLocationHardwareSecure\"\n or v == \"com/android/server/location/FlpHardwareProvider\"\n or v == \"com/android/server/location/GnssMeasurementsProvider\"\n or v 
== \"com/android/server/location/LocationBasedCountryDetector\"\n or v == \"com/android/server/location/ComprehensiveCountryDetector\"\n or v == \"com/android/server/location/MockProvider\"\n or v == \"com/android/server/wm/WindowManagerService\"\n or v == \"com/android/server/wm/animation/ClipRectLRAnimation\"\n or v == \"com/android/server/wm/ViewServer\"\n or v == \"com/android/server/SystemServiceManager\"\n or v == \"com/android/server/content/SyncStorageEngine\"\n or v == \"com/android/server/content/SyncManager\"\n or v == \"com/android/server/content/ActiveSyncContext\"\n or v == \"com/android/server/content/ContentService\"\n or v == \"com/android/server/content/ObserverCall\"\n or v == \"com/android/server/content/ObserverNode\"\n or v == \"com/android/server/content/SyncOperation\"\n or v == \"com/android/server/utils/ManagedApplicationService\"\n or v == \"com/android/server/utils/PriorityDump\"\n or v == \"com/android/server/utils/PriorityDumper\"\n or v == \"com/android/server/NetworkManagementService\"\n or v == \"com/android/server/tv/TvInputHardwareManager\"\n or v == \"com/android/server/IpSecService\"\n or v == \"com/android/server/ConnectivityService\"\n or v == \"com/android/server/audio/MediaFocusControl\"\n or v == \"com/android/server/audio/FocusRequester\"\n or v == \"com/android/server/audio/AudioService\"\n or v == \"com/android/server/telecom/TelecomLoaderService\"\n or v == \"com/android/server/NetworkScorerAppManager\"\n or v == \"com/android/server/CountryDetectorService\"\n or v == \"com/android/server/accounts/AccountManagerService\"\n or v == \"com/android/server/accounts/IAccountAuthenticatorCache\"\n or v == \"com/android/server/job/JobSchedulerService\"\n or v == \"com/android/server/job/JobSchedulerInternal\"\n or v == \"com/android/server/job/controllers/JobStatus\"\n or v == \"com/android/server/RescueParty\"\n or v == \"com/android/server/NsdService\"\n or v == \"com/android/server/os/SchedulingPolicyService\"\n or v == 
\"com/android/server/SystemServerInitThreadPool\"\n or v == \"com/android/server/NetworkScoreService\"\n or v == \"com/android/server/locksettings/LockSettingsService\"\n or v == \"com/android/server/dreams/DreamManagerService\"\n or v == \"com/android/server/IntentResolver\"\n or v == \"com/android/server/GestureLauncherService\"\n or v == \"com/android/server/SystemService\"\n or v == \"com/android/server/NetworkManagementInternal\"\n or v == \"com/android/server/policy/keyguard/KeyguardStateMonitor\"\n or v == \"com/android/server/CommonTimeManagementService\"\n or v == \"com/android/server/soundtrigger/SoundTriggerService\"\n or v == \"com/android/server/soundtrigger/SoundTriggerHelper\"\n or v == \"com/android/server/soundtrigger/SoundTriggerDbHelper\"\n or v == \"com/android/server/voiceinteraction/DatabaseHelper\"\n or v == \"com/android/server/usb/descriptors/UsbTerminalTypes\"\n or v == \"com/android/server/usb/descriptors/tree/UsbDescriptorsEndpointNode\"\n or v == \"com/android/server/usb/descriptors/tree/UsbDescriptorsACInterfaceNode\"\n or v == \"com/android/server/usb/descriptors/tree/UsbDescriptorsTreeNode\"\n or v == \"com/android/server/usb/descriptors/tree/UsbDescriptorsTree\"\n or v == \"com/android/server/usb/descriptors/tree/UsbDescriptorsInterfaceNode\"\n or v == \"com/android/server/usb/descriptors/tree/UsbDescriptorsDeviceNode\"\n or v == \"com/android/server/usb/descriptors/tree/UsbDescriptorsConfigNode\"\n or v == \"com/android/server/usb/descriptors/UsbACAudioStreamEndpoint\"\n or v == \"com/android/server/usb/descriptors/UsbBinaryParser\"\n or v == \"com/android/server/usb/descriptors/Usb10ASFormatI\"\n or v == \"com/android/server/usb/descriptors/UsbACAudioControlEndpoint\"\n or v == \"com/android/server/usb/descriptors/UsbConfigDescriptor\"\n or v == \"com/android/server/usb/descriptors/Usb20ACMixerUnit\"\n or v == \"com/android/server/usb/descriptors/UsbMSMidiInputJack\"\n or v == 
\"com/android/server/usb/descriptors/Usb20ACInputTerminal\"\n or v == \"com/android/server/usb/descriptors/UsbACInterface\"\n or v == \"com/android/server/usb/descriptors/Usb10ACOutputTerminal\"\n or v == \"com/android/server/usb/descriptors/UsbDeviceDescriptor\"\n or v == \"com/android/server/usb/descriptors/Usb10ACHeader\"\n or v == \"com/android/server/usb/descriptors/UsbInterfaceAssoc\"\n or v == \"com/android/server/usb/descriptors/UsbHIDDescriptor\"\n or v == \"com/android/server/usb/descriptors/UsbMSMidiOutputJack\"\n or v == \"com/android/server/usb/descriptors/Usb20ASFormatI\"\n or v == \"com/android/server/usb/descriptors/Usb10ASFormatII\"\n or v == \"com/android/server/usb/descriptors/UsbMSMidiHeader\"\n or v == \"com/android/server/usb/descriptors/Usb20ASFormatIII\"\n or v == \"com/android/server/usb/descriptors/UsbACFeatureUnit\"\n or v == \"com/android/server/usb/descriptors/UsbASFormat\"\n or v == \"com/android/server/usb/descriptors/UsbACEndpoint\"\n or v == \"com/android/server/usb/descriptors/UsbUnknown\"\n or v == \"com/android/server/usb/descriptors/Usb20ACHeader\"\n or v == \"com/android/server/usb/descriptors/UsbInterfaceDescriptor\"\n or v == \"com/android/server/usb/descriptors/UsbDescriptor\"\n or v == \"com/android/server/usb/descriptors/UsbACSelectorUnit\"\n or v == \"com/android/server/usb/descriptors/UsbACHeaderInterface\"\n or v == \"com/android/server/usb/descriptors/UsbEndpointDescriptor\"\n or v == \"com/android/server/usb/descriptors/report/TextReportCanvas\"\n or v == \"com/android/server/usb/descriptors/report/Reporting\"\n or v == \"com/android/server/usb/descriptors/report/ReportCanvas\"\n or v == \"com/android/server/usb/descriptors/report/UsbStrings\"\n or v == \"com/android/server/usb/descriptors/report/HTMLReportCanvas\"\n or v == \"com/android/server/usb/descriptors/Usb10ACInputTerminal\"\n or v == \"com/android/server/usb/descriptors/UsbDescriptorParser\"\n or v == \"com/android/server/usb/descriptors/Usb10ASGeneral\"\n 
or v == \"com/android/server/usb/descriptors/ByteStream\"\n or v == \"com/android/server/usb/descriptors/UsbACMidiEndpoint\"\n or v == \"com/android/server/usb/descriptors/Usb20ASFormatIIEx\"\n or v == \"com/android/server/usb/descriptors/Usb10ACMixerUnit\"\n or v == \"com/android/server/usb/descriptors/Usb20ASFormatII\"\n or v == \"com/android/server/usb/descriptors/Usb20ACOutputTerminal\"\n or v == \"com/android/server/usb/descriptors/UsbACTerminal\"\n or v == \"com/android/server/usb/descriptors/UsbACInterfaceUnparsed\"\n or v == \"com/android/server/accessibility/TouchExplorer\"\n or v == \"com/android/server/coverage/CoverageService\"\n or v == \"com/android/server/companion/CompanionDeviceManagerService\"\n or v == \"android/opengl/GLWallpaperService\"\n or v == \"android/mtp/MtpDatabase\"\n or v == \"android/mtp/MtpServer\"\n or v == \"android/mtp/MtpStorage\"\n or v == \"android/media/PlayerProxy\"\n or v == \"android/media/MediaScanner\"\n or v == \"android/media/MediaTimeProvider\"\n or v == \"android/media/OnMediaTimeListener\"\n or v == \"android/media/soundtrigger/SoundTriggerDetector\"\n or v == \"android/media/soundtrigger/RecognitionCallback\"\n or v == \"android/media/soundtrigger/SoundTriggerManager\"\n or v == \"android/media/audiofx/OnParameterChangeListener\"\n or v == \"android/media/audiofx/Settings\"\n or v == \"android/media/audiofx/OnServerDiedListener\"\n or v == \"android/media/audiofx/OnParameterChangeListener\"\n or v == \"android/media/MediaFile\"\n or v == \"android/media/PlayerDeathMonitor\"\n or v == \"android/media/RemoteDisplay\"\n or v == \"android/media/AudioPort\"\n or v == \"android/media/SRTRenderer\"\n or v == \"android/media/MiniThumbFile\"\n or v == \"android/media/midi/MidiDeviceServer\"\n or v == \"android/media/TtmlRenderer\"\n or v == \"android/media/TtmlUtils\"\n or v == \"android/media/TtmlCue\"\n or v == \"android/media/TtmlNode\"\n or v == \"android/media/TtmlParser\"\n or v == \"android/media/TtmlNodeListener\"\n 
or v == \"android/media/TtmlTrack\"\n or v == \"android/media/TtmlRenderingWidget\"\n or v == \"android/media/audiopolicy/AudioPolicyConfig\"\n or v == \"android/media/audiopolicy/AudioMixingRule\"\n or v == \"android/media/audiopolicy/AudioMix\"\n or v == \"android/media/audiopolicy/AudioPolicy\"\n or v == \"android/media/Callback\"\n or v == \"android/media/MediaHTTPConnection\"\n or v == \"android/media/DecoderCapabilities\"\n or v == \"android/media/OnSubtitleDataListener\"\n or v == \"android/media/TimeProvider\"\n or v == \"android/media/MediaHTTPService\"\n or v == \"android/media/AudioManagerInternal\"\n or v == \"android/media/MediaScannerClient\"\n or v == \"android/media/SubtitleTrack\"\n or v == \"android/media/CueList\"\n or v == \"android/media/Cue\"\n or v == \"android/media/Run\"\n or v == \"android/media/VolumePolicy\"\n or v == \"android/media/tv/ProgramColumns\"\n or v == \"android/media/tv/PreviewProgramColumns\"\n or v == \"android/media/tv/WatchedPrograms\"\n or v == \"android/media/tv/TvStreamConfig\"\n or v == \"android/media/tv/TvInputSettings\"\n or v == \"android/media/tv/ITvInputSessionWrapper\"\n or v == \"android/media/tv/DvbDeviceInfo\"\n or v == \"android/media/tv/TvInputHardwareInfo\"\n or v == \"android/media/tv/SessionCallback\"\n or v == \"android/media/tv/HardwareCallback\"\n or v == \"android/media/tv/Session\"\n or v == \"android/media/tv/FinishedInputEventCallback\"\n or v == \"android/media/tv/Hardware\"\n or v == \"android/media/tv/TvContentRatingSystemInfo\"\n or v == \"android/media/BufferingParams\"\n or v == \"android/media/Cea708CaptionRenderer\"\n or v == \"android/media/Cea708CaptionTrack\"\n or v == \"android/media/Cea708CCParser\"\n or v == \"android/media/Const\"\n or v == \"android/media/CaptionColor\"\n or v == \"android/media/CaptionEvent\"\n or v == \"android/media/CaptionPenAttr\"\n or v == \"android/media/CaptionPenColor\"\n or v == \"android/media/CaptionPenLocation\"\n or v == 
\"android/media/CaptionWindowAttr\"\n or v == \"android/media/CaptionWindow\"\n or v == \"android/media/Cea708CCWidget\"\n or v == \"android/media/ScaledLayout\"\n or v == \"android/media/ScaledLayoutParams\"\n or v == \"android/media/CCLayout\"\n or v == \"android/media/CCHandler\"\n or v == \"android/media/CCWindowLayout\"\n or v == \"android/media/CCView\"\n or v == \"android/media/EncoderCapabilities\"\n or v == \"android/media/AudioFocusInfo\"\n or v == \"android/media/AudioGainConfig\"\n or v == \"android/media/RemoteDisplayState\"\n or v == \"android/media/AudioGain\"\n or v == \"android/media/AmrInputStream\"\n or v == \"android/media/ExternalRingtonesCursorWrapper\"\n or v == \"android/media/WebVttRenderer\"\n or v == \"android/media/TextTrackCueSpan\"\n or v == \"android/media/UnstyledTextExtractor\"\n or v == \"android/media/Tokenizer\"\n or v == \"android/media/TextTrackRegion\"\n or v == \"android/media/TextTrackCue\"\n or v == \"android/media/WebVttParser\"\n or v == \"android/media/WebVttCueListener\"\n or v == \"android/media/WebVttTrack\"\n or v == \"android/media/WebVttRenderingWidget\"\n or v == \"android/media/SubtitleController\"\n or v == \"android/media/AudioSystem\"\n or v == \"android/media/Metadata\"\n or v == \"android/media/AudioRoutesInfo\"\n or v == \"android/media/PlayerBase\"\n or v == \"android/media/CharPos\"\n or v == \"android/media/Justification\"\n or v == \"android/media/Style\"\n or v == \"android/media/Font\"\n or v == \"android/media/Karaoke\"\n or v == \"android/media/HyperText\"\n or v == \"android/media/browse/MediaBrowserUtils\"\n or v == \"android/media/Builder\"\n or v == \"android/media/State\"\n or v == \"android/media/MediaInserter\"\n or v == \"android/media/ClosedCaptionRenderer\"\n or v == \"android/media/Cea608CaptionTrack\"\n or v == \"android/media/ClosedCaptionWidget\"\n or v == \"android/media/ClosedCaptionLayout\"\n or v == \"android/media/Cea608CCParser\"\n or v == 
\"android/media/MutableBackgroundColorSpan\"\n or v == \"android/media/Cea608CCWidget\"\n or v == \"android/media/MediaRouterClientState\"\n or v == \"android/media/ResampleInputStream\"\n or v == \"android/media/OnAudioPortUpdateListener\"\n or v == \"android/media/CertificateRequest\"\n or v == \"android/media/Certificate\"\n or v == \"android/media/AudioPatch\"\n or v == \"android/media/MediaImage\"\n or v == \"android/media/SubtitleData\"\n or v == \"android/media/projection/Callback\"\n or v == \"android/media/projection/CallbackDelegate\"\n or v == \"android/media/projection/MediaProjectionInfo\"\n or v == \"android/media/session/OnVolumeKeyLongPressListener\"\n or v == \"android/media/session/OnMediaKeyListener\"\n or v == \"android/media/session/Callback\"\n or v == \"android/media/session/MediaSessionLegacyHelper\"\n or v == \"android/media/session/ParcelableVolumeInfo\"\n or v == \"android/media/session/CallbackStub\"\n or v == \"android/media/effect/FilterEffect\"\n or v == \"android/media/effect/FilterGraphEffect\"\n or v == \"android/media/effect/SingleFilterEffect\"\n or v == \"android/media/effect/effects/BrightnessEffect\"\n or v == \"android/media/effect/effects/BitmapOverlayEffect\"\n or v == \"android/media/effect/effects/DuotoneEffect\"\n or v == \"android/media/effect/effects/SharpenEffect\"\n or v == \"android/media/effect/effects/ColorTemperatureEffect\"\n or v == \"android/media/effect/effects/LomoishEffect\"\n or v == \"android/media/effect/effects/SepiaEffect\"\n or v == \"android/media/effect/effects/FlipEffect\"\n or v == \"android/media/effect/effects/VignetteEffect\"\n or v == \"android/media/effect/effects/AutoFixEffect\"\n or v == \"android/media/effect/effects/RotateEffect\"\n or v == \"android/media/effect/effects/SaturateEffect\"\n or v == \"android/media/effect/effects/CrossProcessEffect\"\n or v == \"android/media/effect/effects/BackDropperEffect\"\n or v == \"android/media/effect/effects/TintEffect\"\n or v == 
\"android/media/effect/effects/PosterizeEffect\"\n or v == \"android/media/effect/effects/GrayscaleEffect\"\n or v == \"android/media/effect/effects/RedEyeEffect\"\n or v == \"android/media/effect/effects/DocumentaryEffect\"\n or v == \"android/media/effect/effects/IdentityEffect\"\n or v == \"android/media/effect/effects/FisheyeEffect\"\n or v == \"android/media/effect/effects/ContrastEffect\"\n or v == \"android/media/effect/effects/StraightenEffect\"\n or v == \"android/media/effect/effects/FillLightEffect\"\n or v == \"android/media/effect/effects/GrainEffect\"\n or v == \"android/media/effect/effects/BlackWhiteEffect\"\n or v == \"android/media/effect/effects/NegativeEffect\"\n or v == \"android/media/effect/SizeChangeEffect\"\n or v == \"android/filterpacks/ui/SurfaceTargetFilter\"\n or v == \"android/filterpacks/ui/SurfaceRenderFilter\"\n or v == \"android/filterpacks/videosrc/MediaSource\"\n or v == \"android/filterpacks/videosrc/CameraSource\"\n or v == \"android/filterpacks/videosrc/SurfaceTextureSource\"\n or v == \"android/filterpacks/videosrc/SurfaceTextureTarget\"\n or v == \"android/filterpacks/videosink/MediaEncoderFilter\"\n or v == \"android/filterpacks/videosink/MediaRecorderStopException\"\n or v == \"android/filterpacks/numeric/SinWaveFilter\"\n or v == \"android/filterpacks/imageproc/ContrastFilter\"\n or v == \"android/filterpacks/imageproc/StraightenFilter\"\n or v == \"android/filterpacks/imageproc/DrawRectFilter\"\n or v == \"android/filterpacks/imageproc/CropRectFilter\"\n or v == \"android/filterpacks/imageproc/ToGrayFilter\"\n or v == \"android/filterpacks/imageproc/AlphaBlendFilter\"\n or v == \"android/filterpacks/imageproc/CropFilter\"\n or v == \"android/filterpacks/imageproc/ImageCombineFilter\"\n or v == \"android/filterpacks/imageproc/RedEyeFilter\"\n or v == \"android/filterpacks/imageproc/ToRGBFilter\"\n or v == \"android/filterpacks/imageproc/SimpleImageFilter\"\n or v == \"android/filterpacks/imageproc/FisheyeFilter\"\n or v 
== \"android/filterpacks/imageproc/ResizeFilter\"\n or v == \"android/filterpacks/imageproc/FixedRotationFilter\"\n or v == \"android/filterpacks/imageproc/BlendFilter\"\n or v == \"android/filterpacks/imageproc/ToRGBAFilter\"\n or v == \"android/filterpacks/imageproc/DrawOverlayFilter\"\n or v == \"android/filterpacks/imageproc/BitmapSource\"\n or v == \"android/filterpacks/imageproc/ImageEncoder\"\n or v == \"android/filterpacks/imageproc/ToPackedGrayFilter\"\n or v == \"android/filterpacks/imageproc/RotateFilter\"\n or v == \"android/filterpacks/imageproc/BrightnessFilter\"\n or v == \"android/filterpacks/imageproc/BitmapOverlayFilter\"\n or v == \"android/filterpacks/imageproc/Invert\"\n or v == \"android/filterpacks/imageproc/FlipFilter\"\n or v == \"android/filterpacks/text/ToUpperCase\"\n or v == \"android/filterpacks/text/StringSource\"\n or v == \"android/filterpacks/text/StringLogger\"\n or v == \"android/filterpacks/performance/ThroughputFilter\"\n or v == \"android/filterpacks/performance/Throughput\"\n or v == \"android/filterpacks/base/CallbackFilter\"\n or v == \"android/filterpacks/base/NoneFilter\"\n or v == \"android/filterpacks/base/GLTextureSource\"\n or v == \"android/filterpacks/base/FrameBranch\"\n or v == \"android/filterpacks/base/RetargetFilter\"\n or v == \"android/filterpacks/base/GLTextureTarget\"\n or v == \"android/filterpacks/base/FrameFetch\"\n or v == \"android/filterpacks/base/ObjectSource\"\n or v == \"android/filterpacks/base/FrameSource\"\n or v == \"android/filterpacks/base/OutputStreamTarget\"\n or v == \"android/filterpacks/base/InputStreamSource\"\n or v == \"android/filterpacks/base/FrameStore\"\n or v == \"android/filterpacks/videoproc/BackDropperFilter\"\n or v == \"android/filterfw/core/FilterSurfaceView\"\n or v == \"android/filterfw/core/InputPort\"\n or v == \"android/filterfw/core/FieldPort\"\n or v == \"android/filterfw/core/StreamPort\"\n or v == \"android/filterfw/core/FilterContext\"\n or v == 
\"android/filterfw/core/GLFrame\"\n or v == \"android/filterfw/core/SimpleFrame\"\n or v == \"android/filterfw/core/FilterFactory\"\n or v == \"android/filterfw/core/VertexFrame\"\n or v == \"android/filterfw/core/GraphRunner\"\n or v == \"android/filterfw/core/ProgramPort\"\n or v == \"android/filterfw/core/ShaderProgram\"\n or v == \"android/filterfw/core/NativeAllocatorTag\"\n or v == \"android/filterfw/core/Frame\"\n or v == \"android/filterfw/core/Scheduler\"\n or v == \"android/filterfw/core/SimpleFrameManager\"\n or v == \"android/filterfw/core/KeyValueMap\"\n or v == \"android/filterfw/core/ProgramVariable\"\n or v == \"android/filterfw/core/FinalPort\"\n or v == \"android/filterfw/core/FilterGraph\"\n or v == \"android/filterfw/core/CachedFrameManager\"\n or v == \"android/filterfw/core/RandomScheduler\"\n or v == \"android/filterfw/core/FilterPort\"\n or v == \"android/filterfw/core/MutableFrameFormat\"\n or v == \"android/filterfw/core/FrameManager\"\n or v == \"android/filterfw/core/NativeFrame\"\n or v == \"android/filterfw/core/FilterFunction\"\n or v == \"android/filterfw/core/AsyncRunner\"\n or v == \"android/filterfw/core/ProtocolException\"\n or v == \"android/filterfw/core/FrameFormat\"\n or v == \"android/filterfw/core/NativeBuffer\"\n or v == \"android/filterfw/core/Program\"\n or v == \"android/filterfw/core/RoundRobinScheduler\"\n or v == \"android/filterfw/core/GLEnvironment\"\n or v == \"android/filterfw/core/StopWatch\"\n or v == \"android/filterfw/core/SerializedFrame\"\n or v == \"android/filterfw/core/OneShotScheduler\"\n or v == \"android/filterfw/core/NativeProgram\"\n or v == \"android/filterfw/core/SimpleScheduler\"\n or v == \"android/filterfw/core/Filter\"\n or v == \"android/filterfw/core/OutputPort\"\n or v == \"android/filterfw/core/SyncRunner\"\n or v == \"android/filterfw/io/GraphReader\"\n or v == \"android/filterfw/io/GraphIOException\"\n or v == \"android/filterfw/io/TextGraphReader\"\n or v == 
\"android/filterfw/io/PatternScanner\"\n or v == \"android/filterfw/GraphEnvironment\"\n or v == \"android/filterfw/MffEnvironment\"\n or v == \"android/filterfw/FilterFunctionEnvironment\"\n or v == \"android/filterfw/format/PrimitiveFormat\"\n or v == \"android/filterfw/format/ObjectFormat\"\n or v == \"android/filterfw/format/ImageFormat\"\n or v == \"android/filterfw/geometry/Quad\"\n or v == \"android/filterfw/geometry/Point\"\n or v == \"android/filterfw/geometry/Rectangle\"\n ]\n )\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insufficient Key Size",
- "predicate": "\n Function:\n contains [\n FunctionCall: function.name matches \"EVP_aes_.*\"\n ] and\n contains [\n FunctionCall: function.name == \"EVP_CIPHER_CTX_set_key_length\"\n and(arguments[1].constantValue is [Number: < 128])\n ]*\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name matches \"EVP_EncryptInit|EVP_DecryptInit|EVP_CipherInit\"\n and arguments[2] is arguments[3]\n and arguments[3].constantValue.None\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: fc.name matches \"EVP_EncryptInit|EVP_DecryptInit|EVP_CipherInit\" and\n (not arguments[3].constantValue.None\n or (arguments[2].constantValue == arguments[3].constantValue and not arguments[3].constantValue.None))\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name matches \"EVP_EncryptInit_ex|EVP_DecryptInit_ex|EVP_CipherInit_ex|BF_cbc_encrypt|BF_cfb64_encrypt|BF_ofb64_encrypt|DES_ncbc_encrypt|DES_pcbc_encrypt|DES_cfb64_encrypt|DES_ofb64_encrypt|DES_xcbc_encrypt|DES_cbc_cksum|DES_enc_read|DES_enc_write\"\n and arguments[3] is arguments[4]\n and arguments[4].constantValue.None\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: fc.name matches \"EVP_EncryptInit_ex|EVP_DecryptInit_ex|EVP_CipherInit_ex|BF_cbc_encrypt|BF_cfb64_encrypt|BF_ofb64_encrypt|DES_ncbc_encrypt|DES_pcbc_encrypt|DES_cfb64_encrypt|DES_ofb64_encrypt|DES_xcbc_encrypt|DES_cbc_cksum|DES_enc_read|DES_enc_write\" and\n (not arguments[4].constantValue.None\n or (arguments[3].constantValue == arguments[4].constantValue and not arguments[4].constantValue.None))\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name matches \"DES_ede2_cbc_encrypt|DES_ede2_cfb64_encrypt|DES_ede2_ofb64_encrypt\"\n and (arguments[3] is arguments[5] or arguments[4] is arguments[5])\n and arguments[5].constantValue.None\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: fc.name matches \"DES_ede2_cbc_encrypt|DES_ede2_cfb64_encrypt|DES_ede2_ofb64_encrypt\" and\n (not arguments[5].constantValue.None\n or (arguments[3].constantValue == arguments[5].constantValue and not arguments[5].constantValue.None)\n or (arguments[4].constantValue == arguments[5].constantValue and not arguments[5].constantValue.None))\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name matches \"DES_ede3_cbc_encrypt|ES_ede3_cfb64_encrypt|DES_ede3_ofb64_encrypt\"\n and (arguments[3] is arguments[6] or arguments[4] is arguments[6] or arguments[5] is arguments[6])\n and arguments[6].constantValue.None\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: fc.name matches \"DES_ede3_cbc_encrypt|ES_ede3_cfb64_encrypt|DES_ede3_ofb64_encrypt\" and\n (not arguments[6].constantValue.None\n or (arguments[3].constantValue == arguments[6].constantValue and not arguments[6].constantValue.None)\n or (arguments[4].constantValue == arguments[6].constantValue and not arguments[6].constantValue.None)\n or (arguments[5].constantValue == arguments[6].constantValue and not arguments[6].constantValue.None))\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: name matches \"DES_cfb_encrypt|DES_ofb_encrypt\"\n and arguments[4] is arguments[5]\n and arguments[5].constantValue.None\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insecure Initialization Vector",
- "predicate": "\n FunctionCall fc: fc.name matches \"DES_cfb_encrypt|DES_ofb_encrypt\" and\n (not arguments[5].constantValue.None\n or (arguments[4].constantValue == arguments[5].constantValue and not arguments[5].constantValue.None))\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Key Management",
- "vuln_subcategory": "Empty Encryption Key",
- "predicate": "\n StringLiteral s: \n constantValue matches \"(?i)^PRAGMA\\s+(key|hexkey|textkey|rekey|hexrekey|textrekey)\\s*=\\s*(\\x22|\\x27)(\\x22|\\x27)(;)?\\s*$\"\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Key Management",
- "vuln_subcategory": "Hardcoded Encryption Key",
- "predicate": "\n StringLiteral s: \n constantValue matches \"(?i)^PRAGMA\\s+(key|hexkey|textkey|rekey|hexrekey|textrekey)\\s*=\\s*(\\x22|\\x27).+(\\x22|\\x27)(;)?\\s*$\"\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Signature",
- "vuln_subcategory": "Insufficient Key Size",
- "predicate": "\n Function:\n contains [\n FunctionCall: function.name == \"BCryptOpenAlgorithmProvider\"\n and arguments[1].constantValue is [String: startsWith \"DSA\" or startsWith \"RSA_SIGN\"]\n ] and\n contains [\n FunctionCall: function.name == \"BCryptGenerateKeyPair\"\n and(arguments[2].constantValue is [Number: < 2048])\n ]*\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Cryptographic Signature",
- "vuln_subcategory": "Insufficient Key Size",
- "predicate": "\n Function:\n contains [\n FunctionCall: function.name == \"BCryptOpenAlgorithmProvider\"\n and arguments[1].constantValue is [String: startsWith \"DSA\" or startsWith \"RSA_SIGN\"]\n ] and\n contains [\n FunctionCall: function.name == \"BCryptGenerateKeyPair\"\n and(arguments[2].constantValue is [Number: < 2048])\n ]*\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insufficient Key Size",
- "predicate": "\n Function:\n contains [\n FunctionCall: function.name == \"BCryptOpenAlgorithmProvider\"\n and arguments[1].constantValue is [String: startsWith \"RSA\" and not startsWith \"RSA_SIGN\"]\n ] and\n contains [\n FunctionCall: function.name == \"BCryptGenerateKeyPair\"\n and(arguments[2].constantValue is [Number: < 2048])\n ]*\n "
- },
- {
- "language": "cpp",
- "vuln_kingdom": "Security Features",
- "vuln_category": "Weak Encryption",
- "vuln_subcategory": "Insufficient Key Size",
- 
"predicate": "\n Function:\n contains [\n FunctionCall: function.name == \"BCryptOpenAlgorithmProvider\"\n and arguments[1].constantValue is [String: startsWith \"RSA\" and not startsWith \"RSA_SIGN\"]\n ] and\n contains [\n FunctionCall: function.name == \"BCryptGenerateKeyPair\"\n and(arguments[2].constantValue is [Number: < 2048])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "XML External Entity Injection", - "vuln_subcategory": None, - "predicate": "\n ReturnStatement rs: rs.enclosingFunction is [\n Function f: f.name == \"resolveEntity\" and f.enclosingClass is [Class c: c.supers contains [Class p: p.name matches \"org\\.xml\\.sax\\.EntityResolver(2)?\"]]\n ] and rs.expression is [Expression e: e.constantValue is [None: ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site WebSocket Hijacking", - "vuln_subcategory": None, - "predicate": "\n ReturnStatement rs: rs.expression.constantValue == false and\n rs.enclosingFunction.name == \"checkOrigin\" and\n rs.enclosingFunction.enclosingClass.supers contains [Class c: name == \"javax.websocket.server.ServerEndpointConfig$Configurator\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Style", - "vuln_subcategory": "Non-final Public Static Field", - "predicate": "\n Field:\n public\n and static\n and not(final)\n and not(volatile)\n and enclosingClass is\n /* do not count classes acting like a struct, with no methods except constructors */\n [Class:\n functions contains [Function:\n isBodyAvailable\n and not constructor\n and not name == \"init^\"\n and not name matches \"|clinit\\^\"\n ]\n ]\n and not synthetic\n /* Scala exception */\n and not name == \"MODULE$\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Style", - "vuln_subcategory": "Non-final Public Static Field", - "predicate": "\n Field:\n 
public\n and static\n and not(final)\n and not(volatile)\n and enclosingClass is\n /* do not count classes acting like a struct, with no methods except constructors */\n [Class: functions contains [Function:\n not constructor\n and not name == \"init^\"\n and not name matches \"|clinit\\^\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Swallowed ThreadDeath", - "predicate": "CatchBlock:\n exception.type.definition.supers contains\n [Class: name == \"java.lang.ThreadDeath\"] and\n not(contains [ThrowStatement: expression.type.definition.supers contains\n [Class: name == \"java.lang.ThreadDeath\"]])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Call to notify()", - "predicate": "\n SynchronizedBlock: contains\n [\n FunctionCall: function.name == \"notify\"\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Incorrect serialPersistentFields Modifier", - "predicate": "\n Field:\n name is \"serialPersistentFields\" and\n /* enclosingClass.serializable and */\n enclosingClass.supers contains [name == \"java.io.Serializable\"] and\n not (\n private\n and static\n and final\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak SecurityManager Check", - "vuln_subcategory": "Overridable Method", - "predicate": "\n Function f:\n not f.constructor and\n not f.name == \"init^\" and\n not f.initializer and\n not f.enclosingClass.final and\n not f.private and\n not f.static and\n not f.final and\n f.callees contains [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - 
"vuln_subcategory": "Throw Inside Finally", - "predicate": "FinallyBlock: contains [ThrowStatement: ]" - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Castor Bad Practices", - "vuln_subcategory": "Query Mode Not Read-Only", - "predicate": "\n FunctionCall: function.name == \"execute\" and function.enclosingClass.supers contains [Class: name == \"org.exolab.castor.jdo.Query\"]\n and function.parameterTypes.length != 0\n and not (arguments[0] is [FieldAccess: field.name matches \"(?i)ReadOnly\" and type.name == \"org.exolab.castor.mapping.AccessMode\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privilege Management", - "vuln_subcategory": "Overly Broad Access Specifier", - "predicate": "\n Function f:\n f.public and\n f.callees contains [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function:\n contains [\n FunctionCall: (function.constructor or function.name == \"init^\") and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ]\n and arguments[2].constantValue is [String: startsWith \"DESede\"]\n ] and\n contains [\n FunctionCall: function.name == \"init\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ] and(arguments[0].constantValue is [Number: < 168])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function:\n contains [\n FunctionCall: (function.constructor or function.name == \"init^\") and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ]\n and arguments[2].constantValue 
is [String: startsWith \"AES\"]\n ] and\n contains [\n FunctionCall: function.name == \"init\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ] and(arguments[0].constantValue is [Number: < 128])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function:\n contains [\n FunctionCall: function.name == \"getInstance\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ]\n and arguments[0].constantValue is [String: startsWith \"DESede\"]\n ] and\n contains [\n FunctionCall: function.name == \"init\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ] and(arguments[0].constantValue is [Number: < 168])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function:\n contains [\n FunctionCall: function.name == \"getInstance\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ]\n and arguments[0].constantValue is [String: startsWith \"AES\"]\n ] and\n contains [\n FunctionCall: function.name == \"init\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ] and(arguments[0].constantValue is [Number: < 128])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function:\n contains [\n FunctionCall: (function.name matches \"getInstance|init\\^\" or function.constructor)\n and function.enclosingClass.supers contains [\n Class: name == \"java.security.KeyPairGenerator\"\n ]\n and arguments[0].constantValue is [String: startsWith \"RSA\"]\n ] and\n contains [\n 
FunctionCall: function.name == \"initialize\" and\n function.enclosingClass.supers contains [\n Class: name == \"java.security.KeyPairGenerator\"\n ] and(arguments[0].constantValue is [Number: < 2048])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Missing SecurityManager Check", - "vuln_subcategory": "Serializable", - "predicate": "\n Function f:\n (f.constructor or f.name == \"init^\") and\n f.enclosingClass.supers contains [\n Class:\n name is \"java.io.Serializable\"\n ] and reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ] and ((not\n f.enclosingClass.functions contains [\n Function ro:\n ro.name is \"readObject\" and\n reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ]*\n ]) or (not\n f.enclosingClass.functions contains [\n Function rond:\n rond.name is \"readObjectNoData\" and\n reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ]*\n ]))\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Missing SecurityManager Check", - "vuln_subcategory": "Cloneable", - "predicate": "\n Function f:\n (f.constructor or f.name == \"init^\") and\n f.enclosingClass.supers contains [\n Class:\n name is \"java.lang.Cloneable\"\n ] and reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ] and not\n f.enclosingClass.functions contains [\n Function clone:\n clone.name is \"clone\" and\n reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ]\n ]\n " - 
}, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Castor Bad Practices", - "vuln_subcategory": "Query Mode Not Read-Only", - "predicate": "\n FunctionCall: function.name == \"execute\" and function.enclosingClass.supers contains [Class: name == \"org.exolab.castor.jdo.Query\"]\n and function.parameterTypes.length != 0\n and not (arguments[0] is [FieldAccess: field.name matches \"(?i)ReadOnly\" and type.name == \"org.exolab.castor.mapping.AccessMode\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Privilege Management", - "vuln_subcategory": "Overly Broad Access Specifier", - "predicate": "\n Function f:\n f.public and\n f.callees contains [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function:\n contains [\n FunctionCall: function.name == \"getInstance\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ]\n and arguments[0].constantValue is [String: startsWith \"DESede\"]\n ] and\n contains [\n FunctionCall: function.name == \"init\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ] and(arguments[0].constantValue is [Number: < 168])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function:\n contains [\n FunctionCall: function.name == \"getInstance\" and\n function.enclosingClass.supers contains [\n Class: name == \"javax.crypto.KeyGenerator\"\n ]\n and arguments[0].constantValue is [String: startsWith \"AES\"]\n ] and\n contains [\n FunctionCall: function.name == \"init\" and\n function.enclosingClass.supers contains [\n 
Class: name == \"javax.crypto.KeyGenerator\"\n ] and(arguments[0].constantValue is [Number: < 128])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n Function:\n contains [\n FunctionCall: (function.name matches \"getInstance|init\\^\" or function.constructor)\n and function.enclosingClass.supers contains [\n Class: name == \"java.security.KeyPairGenerator\"\n ]\n and arguments[0].constantValue is [String: startsWith \"RSA\"]\n ] and\n contains [\n FunctionCall: function.name == \"initialize\" and\n function.enclosingClass.supers contains [\n Class: name == \"java.security.KeyPairGenerator\"\n ] and(arguments[0].constantValue is [Number: < 2048])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Missing SecurityManager Check", - "vuln_subcategory": "Serializable", - "predicate": "\n Function f:\n (f.constructor or f.name == \"init^\") and\n f.enclosingClass.supers contains [\n Class:\n name is \"java.io.Serializable\"\n ] and reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ] and ((not\n f.enclosingClass.functions contains [\n Function ro:\n ro.name is \"readObject\" and\n reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ]*\n ]) or (not\n f.enclosingClass.functions contains [\n Function rond:\n rond.name is \"readObjectNoData\" and\n reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ]*\n ]))\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Missing SecurityManager Check", - "vuln_subcategory": "Cloneable", - 
"predicate": "\n Function f:\n (f.constructor or f.name == \"init^\") and\n f.enclosingClass.supers contains [\n Class:\n name is \"java.lang.Cloneable\"\n ] and reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ] and not\n f.enclosingClass.functions contains [\n Function clone:\n clone.name is \"clone\" and\n reaches [\n Function:\n enclosingClass.supers contains [\n Class:\n name is \"java.security.AccessController\" or\n name is \"java.lang.SecurityManager\"\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is [FieldAccess:\n instance.location is [VariableAccess: this]\n and field is [Field dec:\n /* We assume that a static or singleton file is meant to be shared by design */\n not static\n and not type.definition.labels contains [String s: s matches \".*SingletonBean$\"]\n ]*\n ]\n and (\n enclosingClass is [Class singletons: /* TEMPLATED */ ]\n or enclosingClass.labels contains \"SpringSingletonBean\"\n )\n and not enclosingClass.supers contains [Class:\n name == \"org.springframework.web.servlet.mvc.Controller\"\n or name == \"org.springframework.web.portlet.mvc.Controller\"\n ] and not enclosingClass.supers contains [Class: annotations contains [Annotation:\n type.name == \"org.springframework.stereotype.Controller\"\n or type.name == \"org.springframework.web.bind.annotation.RestController\"\n ]]\n and not enclosingFunction is [Function:\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n (constructor or name matches \"init.*\")\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n or (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor])\n /* 
EXCEPTION: org.springframework.beans.factory.InitializingBean.afterPropertiesSet is only call once*/\n or (name == \"afterPropertiesSet\" and enclosingClass.supers contains [Class ibean: name == \"org.springframework.beans.factory.InitializingBean\"])\n /* EXCEPTION: org.springframework.beans.factory.DisposableBean.destroy is only call once */\n or (name == \"destroy\" and enclosingClass.supers contains [Class dbean: name == \"org.springframework.beans.factory.DisposableBean\"])\n /* EXCEPTION: @PostConstruct and @PreDestroy methods are only called once */\n or (annotations contains [type.name matches \"javax.annotation.(PostConstruct|PreDestroy)\"])\n /* EXCEPTION: enclosing function is only reachable from a method that is only called once */\n or (\n callers.length != 0\n and not callers contains [Function:\n not constructor\n and not name == \"init^\"\n and not annotations contains [Annotation:\n type.name matches \"javax.annotation.(PostConstruct|PreDestroy)\"\n ]\n and not name matches \"init.*\"\n ]\n )]\n and enclosingFunction.callers.length > 1\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Struts", - "vuln_subcategory": "Erroneous validate() Method", - "predicate": "\n Function: name == \"validate\" and enclosingClass.supers contains [name == \"org.apache.struts.validator.ValidatorForm\"] and not (callees contains [Function: reaches [Function: name == \"validate\" and enclosingClass.supers contains [name == \"org.apache.struts.validator.ValidatorForm\"]]])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Erroneous String Compare", - "predicate": "\n Operation: ((op == \"==\") or (op == \"!=\")) and\n (lhs.type.name == \"java.lang.String\" and\n rhs.type.name == \"java.lang.String\")\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Unsafe Mobile Code", - 
"vuln_subcategory": "Access Violation", - "predicate": "\n ReturnStatement rs: enclosingFunction is [public or protected] and\n expression.location is [FieldAccess: field is\n [private or package or (protected and rs.enclosingFunction.public)] and\n field.type.arrayDimensions > arrayIndices.length]\n and enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Unsafe Mobile Code", - "vuln_subcategory": "Public finalize() Method", - "predicate": "\n Function: name == \"finalize\" and parameterTypes.length == 0 and public\n and enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Unsafe Mobile Code", - "vuln_subcategory": "Inner Class", - "predicate": "\n Class: in [Class:]\n and enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Unsafe Mobile Code", - "vuln_subcategory": "Unsafe Array Declaration", - "predicate": "\n Field: (public or protected) and static and final and type.arrayDimensions > 0\n and enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Unsafe Mobile Code", - "vuln_subcategory": "Unsafe Public Field", - "predicate": "\n Field var: public and not final\n and enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Unsafe Mobile Code", - "vuln_subcategory": "Unsafe Public Field", - "predicate": "\n Field: public and not final\n and enclosingClass reachedBy [supers contains [name == \"java.applet.Applet\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race 
Condition", - "vuln_subcategory": "Static Database Connection", - "predicate": "\n Field: static and type.name == \"java.sql.Connection\" and not private\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "EJB Bad Practices", - "vuln_subcategory": "Use of Class Loader", - "predicate": "\n FunctionCall: enclosingClass.supers contains [name == \"javax.ejb.EnterpriseBean\"]\n and function reaches [enclosingClass.supers contains [name == \"java.lang.ClassLoader\"]]*\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "EJB Bad Practices", - "vuln_subcategory": "Use of Sockets", - "predicate": "\n FunctionCall: enclosingClass.supers contains [name == \"javax.ejb.EnterpriseBean\"]\n and function reaches [enclosingClass.supers contains [name == \"java.net.Socket\"]]*\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "EJB Bad Practices", - "vuln_subcategory": "Use of java.io", - "predicate": "\n FunctionCall: enclosingClass.supers contains [name == \"javax.ejb.EnterpriseBean\"]\n and function reaches [enclosingClass.name matches \"^java\\.io\\..*File.*\"]*\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "EJB Bad Practices", - "vuln_subcategory": "Use of AWT/Swing", - "predicate": "\n FunctionCall: enclosingClass.supers contains [name == \"javax.ejb.EnterpriseBean\"]\n and function reaches\n [enclosingClass.name startsWith \"java.awt.\" or enclosingClass.name startsWith \"javax.swing.\"]*\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "EJB Bad Practices", - "vuln_subcategory": "Use of Synchronization Primitives", - "predicate": "\n FunctionCall: enclosingClass.supers contains [name == \"javax.ejb.EnterpriseBean\"]\n and function reaches\n [name == \"notify\" and parameterTypes.length == 0 or\n name == \"notifyAll\" and parameterTypes.length == 0 or\n name == \"wait\" and parameterTypes.length == 0 
or\n name == \"wait\" and parameterTypes.length == 1 and parameterTypes[0].name == \"long\" or\n name == \"wait\" and parameterTypes.length == 2 and parameterTypes[0].name == \"long\" and parameterTypes[1].name == \"int\"]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Confusing Naming", - "predicate": "\n Declaration dec:\n dec in [Class: name == dec.name]\n and not is [Function: constructor]\n and not synthetic\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Identifier Contains Dollar Symbol ($)", - "predicate": "\n Declaration:\n name contains \"$\"\n and not (\n is [Class: in [Class:]]\n or is [Function: constructor and in [Class: in [Class:]]]\n or is [Class: name matches \".*\\$[0-9].*|.*@(lambda|ref)([0-9])+\"]\n or name == \"MODULE$\"\n or name matches \".*\\$anonfun\\$.*\"\n or synthetic\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Poor Style", - "vuln_subcategory": "Explicit Call to finalize()", - "predicate": "\n FunctionCall: function is [name == \"finalize\" and parameterTypes.length == 0]\n and not (enclosingFunction is [name == \"finalize\" and parameterTypes.length == 0]\n and enclosingClass.supers contains function.enclosingClass\n and function.enclosingClass != enclosingClass)\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Empty Synchronized Block", - "predicate": "\n SynchronizedBlock: empty\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Logging Practice", - "vuln_subcategory": "Logger Not Declared Static Final", - "predicate": "\n Field f: not (static and final) and type.definition.supers contains\n [Class: name == \"java.util.logging.Logger\" or name == \"org.apache.log4j.Logger\"]\n " - }, - { - "language": "java", - 
"vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Logging Practice", - "vuln_subcategory": "Multiple Loggers", - "predicate": "\n Field f: type.definition.supers contains [Class: name == \"java.util.logging.Logger\" or name == \"org.apache.log4j.Logger\"]\n and enclosingClass contains\n [Field: type.definition.supers contains [Class: name == \"java.util.logging.Logger\" or name == \"org.apache.log4j.Logger\" ] and != f]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Return Inside Finally", - "predicate": "\n ReturnStatement: in [FinallyBlock:]\n " - }, - { - "language": "java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Program Catches NonePointerException", - "predicate": "\n CatchBlock: exception.type.name == \"java.lang.NonePointerException\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Object Model Violation", - "vuln_subcategory": "Just one of restoreState() and saveState() Defined", - "predicate": "\n Function: name == \"restoreState\" and parameterTypes.length == 2 and\n parameterTypes[0].name matches \"javax\\.faces\\.context\\.FacesContext(Wrapper)?\" and\n parameterTypes[1] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and not enclosingClass contains\n [Function: name == \"saveState\" and parameterTypes.length == 1 and\n parameterTypes[0].name matches \"javax\\.faces\\.context\\.FacesContext(Wrapper)?\"]\n and enclosingClass.supers contains [Class: name == \"javax.faces.component.StateHolder\"] or\n name == \"saveState\" and parameterTypes.length == 1 and\n parameterTypes[0].name matches \"javax\\.faces\\.context\\.FacesContext(Wrapper)?\"\n and not enclosingClass contains\n [Function: name == \"restoreSave\" and parameterTypes.length == 2 and\n parameterTypes[0].name matches \"javax\\.faces\\.context\\.FacesContext(Wrapper)?\" and\n parameterTypes[1] is 
[Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]]\n and enclosingClass.supers contains [Class: name matches \"javax\\.faces\\.context\\.FacesContext(Wrapper)?\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Object Model Violation", - "vuln_subcategory": "Just one of equals() and hashCode() Defined", - "predicate": "\n Function: \n (\n name == \"equals\" \n and public \n and parameterTypes.length == 1 \n and parameterTypes[0] is [Type: \n name == \"java.lang.Object\"\n or name == \"kotlin.Any\"\n ]\n and not enclosingClass contains [Function: \n name == \"hashCode\" \n and public \n and parameterTypes.length == 0\n ]\n and not enclosingClass.supers contains [Class: \n name == \"java.util.Comparator\"\n ] \n )\n or \n (\n name == \"hashCode\" \n and public \n and parameterTypes.length == 0\n and not enclosingClass contains [Function: \n name == \"equals\" \n and public \n and parameterTypes.length == 1 \n and parameterTypes[0] is [Type: \n name == \"java.lang.Object\"\n or name == \"kotlin.Any\"\n ]\n ]\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Object Model Violation", - "vuln_subcategory": "Erroneous clone() Method", - "predicate": "\n Function: name == \"clone\" and parameterTypes.length == 0 and not abstract and not contains\n [FunctionCall: function is [name == \"clone\" and parameterTypes.length == 0] and\n enclosingClass.supers contains function.enclosingClass and enclosingClass != function.enclosingClass] and\n not enclosingClass.final\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "J2EE Bad Practices", - "vuln_subcategory": "Leftover Debug Code", - "predicate": "\n Function: \n name == \"main\" \n /* synthetic is used to detect scala companion objects */\n and (static or enclosingClass.modifiers contains \"synthetic\")\n and returnType.name == \"void\"\n and parameterTypes.length == 1 \n and parameterTypes[0] is 
[name == \"java.lang.String\" and arrayDimensions == 1]\n /* Exclude SpringBoot applications */\n and enclosingClass is [Class:\n not annotations contains [Annotation:\n type.name == \"org.springframework.boot.autoconfigure.SpringBootApplication\"\n or type.name == \"org.springframework.boot.autoconfigure.EnableAutoConfiguration\"\n ]\n ]\n and not contains [FunctionCall: \n function is [Function: \n name == \"run\"\n and enclosingClass.name == \"org.springframework.boot.SpringApplication\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "J2EE Bad Practices", - "vuln_subcategory": "Leftover Debug Code", - "predicate": "\n Function: \n name == \"main\" \n and public\n /* synthetic is used to detect scala companion objects */\n and (static or enclosingClass.modifiers contains \"synthetic\")\n and returnType.name == \"void\"\n and parameterTypes.length == 1 \n and parameterTypes[0] is [name == \"java.lang.String\" and arrayDimensions == 1]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Class Does Not Implement Cloneable", - "predicate": "\n Function: name == \"clone\" and parameterTypes.length == 0 and\n not (enclosingClass.supers contains [Class: name == \"java.lang.Cloneable\"] or\n exceptionTypes contains\n [Type: name == \"java.lang.CloneNotSupportedException\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "None Argument To Equivalence Method", - "predicate": "\n FunctionCall: function.name == \"equals\" and arguments.length == 1 and\n (arguments[0] is [NoneLiteral:] or arguments[0].constantValue is [None: ])\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Misleading Method Signature", - "predicate": "\n Function:\n /* the function is actually called */\n 
callers.length == 0 \n /* do not match on synthetic (generated) functions */\n and not synthetic\n and (\n ( /* equals */\n (\n name == \"equal\"\n or (\n name == \"equals\" \n and (\n /* equals function parameter is not correct */\n parameterTypes.length != 1 \n or not parameterTypes[0] is [Type: \n name == \"java.lang.Object\"\n or name == \"kotlin.Any\"\n ]\n\n ) \n and not static\n )\n ) \n and\n /* make sure we're not just matching an overload */\n (\n not enclosingClass contains [Function: \n name == \"equals\" \n and parameterTypes.length == 1\n and parameterTypes[0] is [Type: \n name == \"java.lang.Object\"\n or name == \"kotlin.Any\"\n ]\n ]\n )\n ) or\n /* hashCode */\n (\n (\n name == \"hashcode\" \n or (\n name == \"hashCode\" \n and parameterTypes.length != 0\n )\n ) \n /* make sure we're not just matching a separate function/overload */\n and (\n not enclosingClass contains [Function: \n name == \"hashCode\" \n and parameterTypes.length == 0\n ]\n )\n ) \n /* toString */\n or (\n name == \"tostring\" \n /* and not matching a different function */\n and not enclosingClass contains [Function: \n name == \"toString\"\n ]\n ) \n /* finalize */\n or (\n name == \"finalize\" \n and parameterTypes.length != 0 \n /* enclosing class doesn't contain finalize function with expected signature */\n and not enclosingClass contains [Function: \n name == \"finalize\" \n and parameterTypes.length == 0\n ]\n )\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Erroneous finalize() Method", - "predicate": "\n Function: name == \"finalize\" and parameterTypes.length == 0 and not contains\n [FunctionCall: function is [name == \"finalize\" and parameterTypes.length == 0] and\n enclosingClass.supers contains function.enclosingClass and enclosingClass != function.enclosingClass]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Code Correctness", - 
"vuln_subcategory": "Double-Checked Locking", - "predicate": "\n IfStatement ifInsideSyncBlock: in \n [SynchronizedBlock syncBlock: in\n [IfStatement ifOutsideSyncBlock: \n ifOutsideSyncBlock.expression == ifInsideSyncBlock.expression\n and not ifInsideSyncBlock contains [AssignmentStatement as:\t\n as.lhs is [FieldAccess fa: fa.field.volatile]\n ]\n and syncBlock.lock is [Expression this:\n ifInsideSyncBlock contains [FieldAccess fa1:\n ifOutsideSyncBlock contains [FieldAccess fa2:\n fa1.instance is this\n and fa2.instance is this\n and fa1 == fa2\n ]\n ]\n ]\n ]*\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Double-Checked Locking", - "predicate": "\n IfStatement ifs: in [SynchronizedBlock: in\n [IfStatement: expression == ifs.expression]*]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Confusing Naming", - "predicate": "\n Field f: not synthetic\n and type.name != \"boolean\"\n and type.name != \"java.lang.Boolean\"\n and type.name != \"kotlin.Boolean\"\n and enclosingClass contains [Function: name == f.name]*\n and not enclosingClass.supers contains [Class: name == \"java.lang.Record\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Confusing Naming", - "predicate": "\n Field f: type.name != \"boolean\" and type.name != \"java.lang.Boolean\" and enclosingClass contains [Function: name == f.name]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Poor Style", - "vuln_subcategory": "Confusing Naming", - "predicate": "\n Field f: type.name != \"boolean\" and type.name != \"java.lang.Boolean\" and enclosingClass contains [Function: name == f.name]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Logging Practice", - "vuln_subcategory": 
"Use of a System Output Stream", - "predicate": "\n FunctionCall fc: fc.instance is [FieldAccess: field is [\n enclosingClass.name == \"java.lang.System\" \n and (name == \"out\" or name == \"err\")]]\n /* Not accessed within main() function */\n and not fc.enclosingFunction is [Function: \n name == \"main\" \n and public\n /* synthetic is used to detect scala companion objects */\n and (static or enclosingClass.modifiers contains \"synthetic\")\n and returnType.name == \"void\"\n and parameterTypes.length == 1 \n and parameterTypes[0] is [name == \"java.lang.String\" and arrayDimensions == 1]\n ] \n and not fc.enclosingFunction is [Function: \n name == \"main\"\n and returnType.name == \"kotlin.Unit\"\n ]\n /* Enclosing function is not called from main() function */\n and not fc.enclosingFunction reachedBy [Function: \n name == \"main\" \n and public\n /* synthetic is used to detect scala companion objects */\n and (static or enclosingClass.modifiers contains \"synthetic\")\n and returnType.name == \"void\"\n and parameterTypes.length == 1 \n and parameterTypes[0] is [name == \"java.lang.String\" and arrayDimensions == 1]\n ]\n and not fc.enclosingFunction reachedBy [Function:\n name == \"main\"\n and returnType.name == \"kotlin.Unit\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Overly Broad Throws", - "predicate": "\n Function f: exceptionTypes contains [Type e:\n (e.name == \"java.lang.Exception\" or e.name == \"java.lang.Throwable\")\n and not (f.name == \"finalize\" and f.parameterTypes.length == 0)\n and f.name != \"main\"\n and not (\n f.enclosingClass.supers contains\n // only report this on the top class in the hierarchy\n [Class c: c != f.enclosingClass and contains\n [ Function t: t.name == f.name and t.parameterTypes == f.parameterTypes\n and f.exceptionTypes contains e\n ]\n ]\n )\n ]\n // and not a Spring Security SecurityFilterChain configuration\n and not 
f.returnType is [Type: definition.supers contains [Class: \n name == \"org.springframework.security.web.SecurityFilterChain\"\n ]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Overly Broad Catch", - "predicate": "\n CatchBlock: (exception.type.name == \"java.lang.Exception\" or\n exception.type.name == \"java.lang.Throwable\" or\n exception.type.name == \"java.lang.Error\" or\n exception.type.name == \"java.lang.RuntimeException\") and\n not contains [ThrowStatement: ] and\n\n\n /* we're not inside main(), Runnable.run(), Servlet entrypoint methods,\n Servlet and struts init() method, or jasper init() and service() methods */\n not (enclosingFunction is [name == \"main\"] or\n (enclosingClass.supers contains [name == \"javax.servlet.http.HttpServlet\"]\n and enclosingFunction is\n [name == \"doDelete\" or name == \"doGet\" or name == \"doHead\" or\n name == \"doOptions\" or name == \"doPost\" or name == \"doPut\" or\n name == \"doTrace\" or name == \"service\"]\n )\n or\n (enclosingClass.supers contains [name == \"javax.servlet.Servlet\"]\n and enclosingFunction is [name == \"service\"]\n )\n or\n (enclosingClass.supers contains [name == \"java.lang.Runnable\"]\n and enclosingFunction is [name == \"run\"]\n )\n or\n (enclosingClass.supers contains [name == \"javax.servlet.Servlet\"]\n and enclosingFunction is [name == \"init\"]\n )\n or\n (enclosingClass.supers contains [name == \"org.apache.struts.action.PlugIn\"]\n and enclosingFunction is [name == \"init\"]\n )\n or\n (enclosingClass.supers contains [name == \"org.apache.jasper.runtime.HttpJspBase\"]\n and enclosingFunction is [name == \"init\" or name == \"service\" or\n name == \"jspInit\" or name == \"jspService\" or\n name == \"_jspInit\" or name == \"_jspService\"]\n\t\t\t )\n\t\t\t or\n (enclosingClass.annotations contains [Annotation: type == T\"org.springframework.stereotype.Controller\"])\n or\n 
(enclosingClass.annotations contains [Annotation: type == T\"org.springframework.web.bind.annotation.RestController\"])\t\n\t\t\t )\n " - }, - { - "language": "java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Empty Catch Block", - "predicate": "\n CatchBlock: empty and\n not exception.type.name == \"java.lang.InterruptedException\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Call to System.gc()", - "predicate": "\n FunctionCall: function is [static and name == \"gc\" and\n enclosingClass.name == \"java.lang.System\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": "Incomplete Servlet Error Handling", - "predicate": "\n Function:\n /* We're in a Servlet: */\n (\n (enclosingClass.supers contains [name == \"javax.servlet.http.HttpServlet\"]\n and parameterTypes[0].name == \"javax.servlet.http.HttpServletRequest\"\n and parameterTypes[1].name == \"javax.servlet.http.HttpServletResponse\"\n and\n (name == \"doDelete\" or name == \"doGet\" or name == \"doHead\" or\n name == \"doOptions\" or name == \"doPost\" or name == \"doPut\" or\n name == \"doTrace\" or name == \"service\")\n )\n or\n ( enclosingClass.supers contains [name == \"javax.servlet.Servlet\"]\n and parameterTypes[0].name == \"javax.servlet.ServletRequest\"\n and parameterTypes[1].name == \"javax.servlet.ServletResponse\"\n and name == \"service\"\n )\n )\n\n /* The function we're in does not have a try block (containing at least one function call\n other than log functions) whose catch catches Throwable, and the function does not call\n any servlet entrypoint functions */\n and not contains [FunctionCall: (function.enclosingClass.supers contains\n [name == \"javax.servlet.http.HttpServlet\"] and\n function.parameterTypes[0].name == \"javax.servlet.http.HttpServletRequest\" and\n 
function.parameterTypes[1].name == \"javax.servlet.http.HttpServletResponse\" and\n (function.name == \"doDelete\" or function.name == \"doGet\" or\n function.name == \"doHead\" or function.name == \"doOptions\" or\n function.name == \"doPost\" or function.name == \"doPut\" or\n function.name == \"doTrace\" or function.name == \"service\")) or\n (function.enclosingClass.supers contains\n [name == \"javax.servlet.Servlet\"] and\n function.parameterTypes[0].name == \"javax.servlet.ServletRequest\" and\n function.parameterTypes[1].name == \"javax.servlet.ServletResponse\" and\n function.name == \"service\")]\n and contains [FunctionCall: not (function.name == \"error\" or function.name == \"fatal\" or\n function.name == \"info\" or function.name == \"trace\" or\n function.name == \"warn\" or function.name == \"debug\" or\n function.name == \"log\" or function.name == \"assertLog\" or\n function.name == \"l7dlog\" or function.name == \"logError\" or\n function.name == \"logInfo\" or function.name == \"logWarning\" or\n function.name == \"logDebug\" or function.name == \"logEvent\" or\n function.name == \"throwing\" or function.name == \"logp\" or\n function.name == \"logrb\" or function.name == \"exiting\" or\n function.name == \"entering\" or function.name == \"fine\" or\n function.name == \"finer\" or function.name == \"finest\") and\n not in [TryBlock : catchBlocks contains\n [CatchBlock: exception.type.definition.name == \"java.lang.Throwable\"]] and\n /* Exclude custom functions in catch or finally block, since they most likely are log sanitization utilities.\n Exception can still be thrown in catch or finally block, but they are probably rare and not good fit for this category\n 'Incomplete Servlet Error Handling' */\n not in [CatchBlock:] and\n not in [FinallyBlock:]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "J2EE Bad Practices", - "vuln_subcategory": "Non-Serializable Object Stored in Session", - "predicate": 
"\n FunctionCall: function is [Function: \n enclosingClass.name matches \"(javax|jakarta)\\.servlet\\.http\\.HttpSession\"\n and (name == \"putValue\" or name == \"setAttribute\")\n ]\n and not (\n arguments[1].type.definition.supers contains [name == \"java.io.Serializable\"]\n or arguments[1].type is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n or (\n arguments[1].type.name == \"java.util.Map\" \n and not arguments[1].reachingTypes contains [Type: \n name matches \"java\\.util\\.WeakHashMap|java\\.util\\.jar\\.Attributes|java\\.awt\\.RenderingHints|(javax|jakarta)\\.script\\.SimpleBindings\"\n ]\n )\n or arguments[1].type.name == \"java.util.Set\"\n or arguments[1].type.name == \"java.util.List\"\n or (\n arguments[1].type.name == \"java.util.Queue\" \n and not arguments[1].reachingTypes contains [Type: \n name == \"java.util.concurrent.DelayQueue\"\n ]\n )\n or arguments[1] is [NoneLiteral: ]\n /* arrays are serializable */\n or arguments[1].type.arrayDimensions > 0\n /* primitive types are serializable */\n or arguments[1].type.primitive\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "J2EE Bad Practices", - "vuln_subcategory": "Non-Serializable Object Stored in Session", - "predicate": "\n FunctionCall: function is\n [enclosingClass.name == \"javax.servlet.http.HttpSession\"\n and (name == \"putValue\" or name == \"setAttribute\")]\n and not (arguments[1].type.definition.supers contains [name == \"java.io.Serializable\"]\n or arguments[1].type is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n or arguments[1].type.name == \"java.util.Map\"\n or arguments[1].type.name == \"java.util.Set\"\n or arguments[1].type.name == \"java.util.List\"\n or arguments[1].type.name == \"java.util.Queue\"\n or arguments[1] is [NoneLiteral: ]\n /* arrays are serializable */\n or arguments[1].type.arrayDimensions > 0\n /* primitive types are serializable */\n or arguments[1].type.primitive)\n " - }, 
- { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Call to Thread.run()", - "predicate": "\n FunctionCall: function is\n [name == \"run\" and parameterTypes.length == 0 and\n enclosingClass.supers contains [Class: name == \"java.lang.Thread\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*] and\n enclosingClass.supers contains [Class singletons: /* TEMPLATED */] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"])\n ] and\n /* EXCEPTION: value assigned is immutable (final) */\n not rhs.location is [VariableAccess: variable.final] and\n not rhs.location is [FieldAccess: field.final]\n and enclosingFunction.callers.length > 1\n\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*] and\n enclosingClass.supers contains 
[Class singletons: /* TEMPLATED */ ] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"])\n ] and\n /* EXCEPTION: value assigned is immutable (final) */\n not rhs.location is [VariableAccess: variable.final] and\n not rhs.location is [FieldAccess: field.final]\n\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*] and\n enclosingClass.supers contains [Class: name matches \"(javax|jakarta)\\.servlet\\.(Servlet|Filter)\"] and\n not enclosingClass.supers contains [Class: name matches \"(javax|jakarta)\\.servlet\\.SingleThreadModel\"] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*|destroy\" or\n /* EXCEPTION: enclosing function takes ServletConfig as one of its parameters */\n (parameterTypes.length > 0 and parameterTypes contains [name matches \"(javax|jakarta)\\.servlet\\.ServletConfig\"]) or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or 
callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*|destroy\"])]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*] and\n enclosingClass.supers contains [Class: name matches \"(javax|jakarta)\\.faces\\.application\\.Application \" or\n name matches \"(javax|jakarta)\\.faces\\.lifecycle\\.Lifecycle\" or\n name matches \"(javax|jakarta)\\.faces\\.render\\.Renderer\"] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"])]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n 
[FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*]\n and (enclosingClass.supers contains [Class:\n name == \"org.springframework.web.servlet.mvc.Controller\"\n or name == \"org.springframework.web.portlet.mvc.Controller\"\n ] or enclosingClass.supers contains [Class: annotations contains [Annotation:\n type.name == \"org.springframework.stereotype.Controller\"\n or type.name == \"org.springframework.web.bind.annotation.RestController\"\n ]]\n )\n and not enclosingClass.annotations contains [Annotation:\n type.name == \"org.springframework.context.annotation.Scope\"\n and elements contains [AnnotationElement:\n value matches \"(?i)request|prototype|session|globalsession\"\n ]\n ]\n and not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"]) or\n /* EXCEPTION: org.springframework.beans.factory.InitializingBean.afterPropertiesSet is only call once */\n (name == \"afterPropertiesSet\" and enclosingClass.supers contains [Class ibean: name == \"org.springframework.beans.factory.InitializingBean\"]) or\n /* EXCEPTION: org.springframework.beans.factory.DisposableBean.destroy is only call once */\n (name == \"destroy\" and enclosingClass.supers contains [Class dbean: name == \"org.springframework.beans.factory.DisposableBean\"])]\n " - }, - { - "language": 
"java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*]\n and (enclosingClass.supers contains [Class:\n name == \"org.springframework.web.servlet.mvc.Controller\"\n or name == \"org.springframework.web.portlet.mvc.Controller\"\n ]\n ) and not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"]) or\n /* EXCEPTION: org.springframework.beans.factory.InitializingBean.afterPropertiesSet is only call once */\n (name == \"afterPropertiesSet\" and enclosingClass.supers contains [Class ibean: name == \"org.springframework.beans.factory.InitializingBean\"]) or\n /* EXCEPTION: org.springframework.beans.factory.DisposableBean.destroy is only call once */\n (name == \"destroy\" and enclosingClass.supers contains [Class dbean: name == \"org.springframework.beans.factory.DisposableBean\"])]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*] 
and\n enclosingClass.supers contains [Class: name matches \"(javax|jakarta)\\.servlet\\.(Servlet|Filter)\" or\n name == \"org.apache.struts.action.Action\"] and\n not enclosingClass.supers contains [Class: name matches \"(javax|jakarta)\\.servlet\\.SingleThreadModel\"] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*|destroy\" or\n /* EXCEPTION: enclosing function takes ServletConfig as one of its parameters */\n (parameterTypes.length > 0 and parameterTypes contains [name matches \"(javax|jakarta)\\.servlet\\.ServletConfig\"]) or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*|destroy\"])]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*] and\n enclosingClass.supers contains [Class: name matches \"(javax|jakarta)\\.faces\\.application\\.Application \" or\n name matches \"(javax|jakarta)\\.faces\\.lifecycle\\.Lifecycle\" or\n name matches \"(javax|jakarta)\\.faces\\.render\\.Renderer\"] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or\n /* EXCEPTION: enclosing function 
is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"])]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec:]*] and\n enclosingClass.supers contains [Class: name == \"javax.servlet.Servlet\" or\n name == \"org.apache.struts.action.Action\" or\n name == \"org.springframework.web.servlet.mvc.Controller\" or\n name == \"org.springframework.web.portlet.mvc.Controller\"] and\n not enclosingClass.supers contains [Class: name == \"javax.servlet.SingleThreadModel\"] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or\n /* EXCEPTION: enclosing function takes ServletConfig as one of its parameters */\n (parameterTypes.length > 0 and parameterTypes contains [name == \"javax.servlet.ServletConfig\"]) or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of 
enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"])]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Format Flaw", - "predicate": "\n FunctionCall fc:\n ( fc.function.name == \"format\" or fc.function.name == \"parse\" ) and\n fc.function.enclosingClass.supers contains [Class: name == \"java.text.Format\"] and\n not fc.function.enclosingClass.supers contains [Class: name matches \"org\\.apache\\.commons\\.lang(3)?\\.time\\.FastDateFormat\"] and\n ( not enclosingFunction.synchronized and\n not in [SynchronizedBlock:] )\n and ( instance.location is [VariableAccess va: va.variable.enclosingFunction.name != fc.enclosingFunction.name] or\n instance.location is [FieldAccess fa:]\n )\n /* EXCEPTION: MessageFormat's static format() method implicitly creates new instance */\n and not (instance.None and function.enclosingClass.supers contains [Class: name == \"java.text.MessageFormat\"])\n " - }, - { - "language": "java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Unhandled SSL Exception", - "predicate": "\n FunctionCall fc: (function.exceptionTypes contains [Type: name == \"javax.net.ssl.SSLHandshakeException\"] and\n not fc in [TryBlock: catchBlocks contains\n [CatchBlock: exception.type.definition.name == \"javax.net.ssl.SSLHandshakeException\"]]) or\n (function.exceptionTypes contains [Type: name == \"javax.net.ssl.SSLKeyException\"] and\n not fc in [TryBlock: catchBlocks contains\n [CatchBlock: exception.type.definition.name == \"javax.net.ssl.SSLKeyException\"]]) or\n (function.exceptionTypes contains [Type: name == \"javax.net.ssl.SSLPeerUnverifiedException\"] and\n not fc in [TryBlock: catchBlocks contains\n [CatchBlock: exception.type.definition.name == \"javax.net.ssl.SSLPeerUnverifiedException\"]])\n\n " - }, - { - "language": 
"java", - "vuln_kingdom": "Errors", - "vuln_category": "Poor Error Handling", - "vuln_subcategory": "Unhandled SSL Exception", - "predicate": "\n FunctionCall fc: (function.exceptionTypes contains [Type: name == \"javax.net.ssl.SSLHandshakeException\"] and\n not fc in [TryBlock: catchBlocks contains\n [CatchBlock: exception.type.definition.name == \"javax.net.ssl.SSLHandshakeException\"]]) or\n (function.exceptionTypes contains [Type: name == \"javax.net.ssl.SSLKeyException\"] and\n not fc in [TryBlock: catchBlocks contains\n [CatchBlock: exception.type.definition.name == \"javax.net.ssl.SSLKeyException\"]]) or\n (function.exceptionTypes contains [Type: name == \"javax.net.ssl.SSLPeerUnverifiedException\"] and\n not fc in [TryBlock: catchBlocks contains\n [CatchBlock: exception.type.definition.name == \"javax.net.ssl.SSLPeerUnverifiedException\"]])\n\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Unsafe Mobile Code", - "vuln_subcategory": "Database Access", - "predicate": "\n Function: enclosingClass.supers contains\n [\n name == \"java.applet.Applet\"\n ]\n and callees contains\n [\n Function: enclosingClass.supers contains\n [\n name matches \"java(x)?\\.sql\\..*\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Unsafe Mobile Code", - "vuln_subcategory": "Database Access", - "predicate": "\n Function: enclosingClass.supers contains\n [\n name == \"java.applet.Applet\"\n ]\n and callees contains\n [\n Function: enclosingClass.supers contains\n [\n name matches \"java(x)?\\.sql\\..*\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Class Does Not Implement Equivalence Method", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name == \"equals\" ]\n /* exclude calls to equals() within generated methods */\n and not call.enclosingFunction.synthetic\n and 
call.arguments.length == 1\n and call.instance is [Expression:\n type.definition is [Class:\n (\n (\n interface\n or abstract\n )\n /* don't match anything in kotlin stdlibs as produces a lot of noise */\n and not name matches \"kotlin\\..*\" \n )\n /* and the supers does not specify an equals function */\n and not supers contains\n [\n Class c: c.functions contains [name == \"equals\"]\n /* all supers will contain Object, which contains an equals function */\n and c.name != \"java.lang.Object\"\n /* and same for kotlin.Any in kotlin */\n and c.name != \"kotlin.Any\"\n ]\n ]\n and (\n /* has at least one unknown underlying type */\n reachingTypes.length == 0\n /* or one of the underlying types does not have an equals function */\n or reachingTypes contains [Type:\n not definition.supers contains\n [\n Class: functions contains [name == \"equals\"]\n /* all supers will contain Object, which contains an equals function */\n and name != \"java.lang.Object\"\n /* and same for kotlin.Any in kotlin */\n and name != \"kotlin.Any\"\n ]\n and definition is [Class: ]*\n ]\n )\n and not is [StringLiteral: ]\n and type is [Type:\n not primitive\n and arrayDimensions == 0\n and definition is [Class cc:]*\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Class Does Not Implement Equivalence Method", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name == \"equals\" ]\n and call.arguments.length == 1 \n /* exception for java.lang.Class */\n and not call.instance.type.definition is [Class: \n supers contains [Class: \n name == \"java.lang.Class\"\n ]\n /* exception for java.lang.Object. 
Note: MUST NOT CHECK SUPERS */\n or name == \"java.lang.Object\" \n /* \n * exceptions for kotlin classes - \n * primitive-like types in kotlin are handled strangely by the language, causing FPs\n * discussed with SCA, and it seemed like a change in SCA to remove these \n * would cause more problems than it would solve, so mitigating in the rule\n *\n * match only types in \"kotlin\" package, not sub-packages (so don't check for a period -- I don't think there are any inner classes)\n * kotlin.Any is included in this exception. Note: MUST NOT CHECK SUPERS \n */\n or name matches \"kotlin\\.[A-z]+\"\n /* and not an interface - handled by separate rule */\n or interface\n /* and not abstract class - handled by separate rule */\n or abstract\n ]\n /* and the type does not contain an implementation */\n and not call.instance.type.definition.supers contains\n [\n Class c: c.functions contains [name == \"equals\"]\n /* all supers will contain Object, which contains an equals function */\n and c.name != \"java.lang.Object\"\n /* and same for kotlin.Any in kotlin */\n and c.name != \"kotlin.Any\"\n ] \n and call.instance is [Expression: \n not is [StringLiteral: ]\n and type is [Type: \n not primitive\n and arrayDimensions == 0 \n and definition is [Class cc:]*\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "Class Does Not Implement Equivalence Method", - "predicate": "\n FunctionCall call: call.function is [Function f: f.name == \"equals\"] \n and call.arguments.length == 1 \n /* and the type does not contain an implementation */\n and not call.instance.type.definition.supers contains\n [\n Class c: c.functions contains [name == \"equals\"]\n /* all supers will contain Object, which contains an equals function */\n and c.name != \"java.lang.Object\"\n /* and same for kotlin.Any in kotlin */\n and c.name != \"kotlin.Any\"\n ] \n and call.instance.type.definition is [Class cc:]*\n and 
(\n call.instance.type.arrayDimensions == 0\n or call.arguments[0].type.arrayDimensions == 0\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "ToString on Array", - "predicate": "\n FunctionCall call: call.function is [Function f:name == \"toString\"]\n and\n call.instance.type.arrayDimensions > 0\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Code Correctness", - "vuln_subcategory": "ToString on Array", - "predicate": "\n FunctionCall call: call.function is [Function f:name == \"toString\"]\n and\n call.instance.type.arrayDimensions > 0\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": "External", - "predicate": "\n ReturnStatement:\n enclosingFunction.returnType.name == \"org.springframework.web.socket.config.WebSocketMessageBrokerStats\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionCall fc: function is [Function:\n name == \"setAllowedOrigins\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.web\\.socket\\.config\\.annotation\\.(StompWebSocketEndpoint|WebSocketHandler)Registration\"\n ]\n ] and arguments[0].constantValue == \"*\"\n\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"set\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.http.HttpHeaders\"\n ]\n ]\n and arguments[0].constantValue == \"Authorization\"\n and arguments[1] is [Expression e:\n e.constantValue matches \"Basic.*\"\n or e is [Operation:\n op == \"+\"\n and lhs.constantValue matches \"Basic.*\"\n 
and (\n /* \"Basic \" + new String(base64.encode(\"secret\".getBytes())) */\n rhs is [Allocation:\n constructor is [FunctionCall stringInit:\n function is [Function:\n constructor\n and enclosingClass.name == \"java.lang.String\"\n ]\n and stringInit.arguments[0] is [FunctionCall encode:\n possibleTargets contains [Function:\n name matches \"encode(Base64)?\"\n and enclosingClass.supers contains [Class:\n name == \"org.apache.commons.codec.binary.BaseNCodec\"\n ]\n ]\n and encode.arguments[0] is [FunctionCall:\n function.name == \"getBytes\"\n and instance is [Expression:\n not constantValue.None\n ]*\n ]\n ]\n ]\n ]\n /* \"Basic \" + b64.encodeAsString(\"secret\".getBytes()) */\n or rhs is [FunctionCall:\n possibleTargets contains [Function:\n name matches \"encode(As|To)String\"\n and enclosingClass.supers contains [Class:\n name == \"org.apache.commons.codec.binary.BaseNCodec\"\n ]\n ]\n and arguments[0] is [FunctionCall:\n function.name == \"getBytes\"\n and instance is [Expression:\n not constantValue.None\n ]*\n ]\n ]\n )\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Environment", - "vuln_category": "Web Server Misconfiguration", - "vuln_subcategory": "HTTP Basic Authentication", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"set\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.http.HttpHeaders\"\n ]\n ]\n and arguments[0].constantValue == \"Authorization\"\n and arguments[1] is [Expression e:\n e.constantValue matches \"Basic.*\"\n or e is [Operation:\n op == \"+\"\n and lhs.constantValue matches \"Basic.*\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Session Puzzling", - "vuln_subcategory": "Spring", - "predicate": "\n Variable p:\n enclosingFunction is [Function cmethod:\n parameters contains p\n and annotations contains [Annotation:\n type.name matches 
\"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ]\n ]\n and enclosingClass is [Class controller:\n annotations contains [Annotation:\n type.name == \"org.springframework.stereotype.Controller\"\n or type.name == \"org.springframework.web.bind.annotation.RestController\"\n ]\n and annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.SessionAttributes\"\n and elements contains [AnnotationElement a:\n p.annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.ModelAttribute\"\n and elements contains [AnnotationElement:\n a.value != value\n ]\n ]\n ]\n ]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Session Puzzling", - "vuln_subcategory": "Spring", - "predicate": "\n Variable p:\n enclosingFunction is [Function cmethod:\n parameters contains p\n and annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ]\n ]\n and enclosingClass is [Class controller:\n annotations contains [Annotation:\n type.name == \"org.springframework.stereotype.Controller\"\n or type.name == \"org.springframework.web.bind.annotation.RestController\"\n ]\n and annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.SessionAttributes\"\n ]\n ]*\n and annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.ModelAttribute\"\n and elements.length == 0\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Session Puzzling", - "vuln_subcategory": "Spring", - "predicate": "\n 
Variable p:\n enclosingFunction is [Function cmethod:\n parameters contains p\n and annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ]\n ]\n and enclosingClass is [Class controller:\n annotations contains [Annotation:\n type.name == \"org.springframework.stereotype.Controller\"\n or type.name == \"org.springframework.web.bind.annotation.RestController\"\n ]\n and annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.SessionAttributes\"\n and elements contains [AnnotationElement a:\n p.annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.ModelAttribute\"\n and elements contains [AnnotationElement:\n a.value == value\n ]\n ]\n ]\n ]\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Request Parameters Bound into Persisted Objects", - "predicate": "\n Class : (annotations contains [Annotation:\n type == T\"javax.persistence.Entity\"\n or type == T\"org.hibernate.annotations.Entity\"\n ] or labels contains \"hibernateEntity\")\n and labels contains [String s:\n s == \"commandClass\"\n or s == \"spring2CommandObject\"\n or s == \"spring3CommandObject\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n Function: enclosingClass.annotations contains\n [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n and\n parameterTypes contains [Type : name == \"org.springframework.web.multipart.MultipartFile\" ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - 
"vuln_subcategory": "File Upload", - "predicate": "\n Function: enclosingClass.annotations contains\n [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n and (\n parameterTypes contains [Type : name == \"org.springframework.web.multipart.MultipartFile\" ]\n or contains [FunctionCall: function.enclosingClass.supers contains [Class:\n name == \"org.springframework.web.multipart.MultipartRequest\"]\n and function.name == \"getFile\"\n ]*\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Sensitive Field Exposure", - "predicate": "\n Field f: f.labels contains [String s: s == \"exposedWebflowFormField\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Class c:\n directSupers contains [Class:\n name == \"org.springframework.webflow.action.FormAction\"\n ]\n and not functions contains [Function:\n (\n name == \"initBinder\"\n or name == \"doBind\"\n or annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.InitBinder\"\n and not elements contains [AnnotationElement: ]\n ]\n )\n and contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class:\n name == \"org.springframework.validation.DataBinder\"\n ]\n ]\n ]\n and not functions contains [Function:\n annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.InitBinder\"\n and elements contains [AnnotationElement:\n key == \"value\"\n and not value is [None:]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - "predicate": 
"\n ReturnStatement: expression.reachingTypes contains [Type:\n definition.name == \"org.springframework.remoting.rmi.RmiServiceExporter\"\n or definition.name == \"org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter\"\n or definition.name == \"org.springframework.jms.remoting.JmsInvokerServiceExporter\"\n ] and enclosingFunction is [Function:\n annotations contains [Annotation: type.name == \"org.springframework.context.annotation.Bean\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionCall fc: function is [Function:\n name matches \"allowedOrigin(Pattern)?s\"\n and enclosingClass.supers contains [Class: name == \"org.springframework.web.servlet.config.annotation.CorsRegistration\"]\n ] and arguments contains [Expression e: constantValue == \"*\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n Class c: annotations contains [Annotation:\n type.definition.supers contains [Class: name == \"org.springframework.web.bind.annotation.CrossOrigin\"]\n and elements contains [AnnotationElement:\n key matches \"value|origins\"\n and value is [String s: s == \"*\"]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n Function f: annotations contains [Annotation:\n type.definition.supers contains [Class: name == \"org.springframework.web.bind.annotation.CrossOrigin\"]\n and elements contains [AnnotationElement:\n key matches \"value|origins\"\n and value is [String s: s == \"*\"]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - 
"predicate": "\n FunctionCall: function is [Function:\n name == \"deserialize\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.util.SerializationUtils\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Missing SameSite Attribute", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function: name == \"sameSite\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.http.ResponseCookie.ResponseCookieBuilder\"\n ]\n ]\n and fc.arguments[0].constantValue is [String s0:\n s0 == \"None\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Permissive SameSite Attribute", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function: name == \"sameSite\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.http.ResponseCookie.ResponseCookieBuilder\"\n ]\n ]\n and fc.arguments[0].constantValue is [String s0:\n s0 == \"Lax\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Security Misconfiguration", - "vuln_subcategory": "Incorrect Request Matcher Type", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name matches \"(ant|regex)Matcher(s)?\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.builders.HttpSecurity\" \n or name == \"org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry\"\n ]\n ]\n and arguments contains [Expression:\n type.name == \"java.lang.String\"\n and constantValue matches \"^.*/[^.*/]+$\"\n ]\n and not enclosingFunction contains [FunctionCall:\n function is [Function:\n (name == \"permitAll\" or name == \"anonymous\")\n and enclosingClass.supers contains [Class:\n name matches 
\"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.ExpressionUrlAuthorizationConfigurer(\\.|\\$)AuthorizedUrl\"\n ]\n ]\n and instance is fc\n ] and not enclosingFunction contains [FunctionCall:\n function is [Function:\n (name == \"denyAll\" or name == \"authenticated\")\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.ExpressionUrlAuthorizationConfigurer(\\.|\\$)AuthorizedUrl\"\n ]\n ]\n and instance is [FunctionCall:\n name == \"anyRequest\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry\"\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Missing Framing Protection", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"disable\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\.|\\$)FrameOptionsConfig\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n FunctionCall fc: \n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.StaticHeadersWriter\"\n or name == \"org.springframework.security.web.header.Header\"\n ]\n ] \n and arguments[0] is [Expression: \n constantValue matches \"(?i)(X-)?Content-Security-Policy|X-WebKit-CSP\"\n ]\n and arguments contains [Expression e: \n (constantValue matches \"(?i).*unsafe.*\"\n or constantValue matches \"(?i).*src\\s+\\*[\\s;$]*.*\"\n or constantValue matches \"(?i).*sandbox\\s+allow-\\*.*\")\n and not e is fc.arguments[0]\n ]\n " - }, - { - "language": "java", - 
"vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n (name == \"init^\" or name == \"setPolicyDirectives\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter\"\n ]\n ]\n and (\n arguments[0].constantValue matches \"(?i).*unsafe.*\"\n or arguments[0].constantValue matches \"(?i).*src\\s+\\*[\\s;$]*.*\"\n or arguments[0].constantValue matches \"(?i).*sandbox\\s+allow-\\*.*\"\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"policyDirectives\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\$|\\.)ContentSecurityPolicyConfig\"\n ]\n ]\n and (\n arguments[0].constantValue matches \"(?i).*unsafe.*\"\n or arguments[0].constantValue matches \"(?i).*src\\s+\\*[\\s;$]*.*\"\n or arguments[0].constantValue matches \"(?i).*sandbox\\s+allow-\\*.*\"\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Content Security Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"contentSecurityPolicy\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configurers.HeadersConfigurer\"\n ]\n ]\n and (\n arguments[0].constantValue matches \"(?i).*unsafe.*\"\n or arguments[0].constantValue matches \"(?i).*src\\s+\\*[\\s;$]*.*\"\n or arguments[0].constantValue matches \"(?i).*sandbox\\s+allow-\\*.*\"\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": 
"HTML5", - "vuln_subcategory": "Unenforced Content Security Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"setReportOnly\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter\"\n ]\n ]\n and arguments[0].constantValue is true\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Unenforced Content Security Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"reportOnly\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\.|\\$)ContentSecurityPolicyConfig\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Missing Content Security Policy", - "predicate": "\n Function:\n returnType.name == \"org.springframework.security.web.SecurityFilterChain\"\n and parameters[0].type.name == \"org.springframework.security.config.annotation.web.builders.HttpSecurity\"\n and not reaches [Function:\n contains [FunctionCall:\n function is [Function:\n name == \"contentSecurityPolicy\"\n ]\n ]\n ] \n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Missing Content Security Policy", - "predicate": "\n Function:\n name == \"configure\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter\"\n ]\n and parameters[0].type.name == \"org.springframework.security.config.annotation.web.builders.HttpSecurity\" \n and not reaches [Function:\n contains [FunctionCall:\n function is [Function:\n name == \"contentSecurityPolicy\"\n and enclosingClass.supers contains [Class:\n name == 
\"org.springframework.security.config.annotation.web.configurers.HeadersConfigurer\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Security Misconfiguration", - "vuln_subcategory": "Lack of Fallback Check", - "predicate": "\n Function:\n returnType.name == \"org.springframework.security.web.SecurityFilterChain\"\n and annotations contains [Annotation: type.name == \"org.springframework.context.annotation.Bean\"]\n and parameters[0].type.name == \"org.springframework.security.config.annotation.web.builders.HttpSecurity\"\n and not reaches [Function: \n contains [FunctionCall:\n function is [Function:\n name == \"anyRequest\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Security Misconfiguration", - "vuln_subcategory": "Lack of Fallback Check", - "predicate": "\n Function:\n name == \"configure\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter\"\n ]\n and parameters[0].type.name == \"org.springframework.security.config.annotation.web.builders.HttpSecurity\" \n and not reaches [Function: \n contains [FunctionCall:\n function is [Function:\n name == \"anyRequest\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry\"\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Security Misconfiguration", - "vuln_subcategory": "Default Permit", - "predicate": "\n FunctionCall:\n function is [Function:\n name is \"permitAll\"\n and \n (\n enclosingClass.supers contains [Class:\n name matches 
\"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.ExpressionUrlAuthorizationConfigurer(\\$|\\.)AuthorizedUrl\"\n ]\n or enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.AuthorizeHttpRequestsConfigurer(\\$|\\.)AuthorizedUrl\"\n ]\n )\n ]\n and instance is [FunctionCall:\n function is [Function:\n name == \"anyRequest\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry\"\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "HSTS Does Not Include Subdomains", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"includeSubDomains\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\.|\\$)HstsConfig\"\n ]\n ]\n and arguments[0].constantValue is false\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "HSTS Does Not Include Subdomains", - "predicate": "\n FunctionCall fc: \n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.StaticHeadersWriter\"\n or name == \"org.springframework.security.web.header.Header\"\n ]\n ] \n and arguments[0] is [Expression: \n constantValue matches \"(?i)(X-)?Strict-Transport-Security\"\n ]\n and arguments contains [Expression e: \n not constantValue matches \"(?i).*includeSubDomains.*\"\n and not e is fc.arguments[0]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Insufficient HSTS Expiration Time", - "predicate": "\n FunctionCall 
fc:\n function is [Function:\n name == \"maxAgeInSeconds\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\.|\\$)HstsConfig\"\n ]\n ]\n and arguments[0] is [Expression:\n /* 30 days */\n constantValue is [Number n1: n1 < 2592000]\n and constantValue is [Number n2: n2 > 0]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "HSTS not Set", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"disable\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\.|\\$)HstsConfig\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Referrer-Policy", - "predicate": "\n FunctionCall fc:\n function is [Function:\n (name == \"init^\" or name == \"setPolicy\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter\"\n ]\n ]\n and arguments[0] is [FieldAccess:\n field.name == \"UNSAFE_URL\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Referrer-Policy", - "predicate": "\n FunctionCall fc: \n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.StaticHeadersWriter\"\n or name == \"org.springframework.security.web.header.Header\"\n ]\n ] \n and arguments[0] is [Expression: \n constantValue matches \"(?i)Referrer-Policy\"\n ]\n and arguments contains [Expression e: \n constantValue matches \"(?i).*unsafe-url.*\"\n and not e is fc.arguments[0]\n ]\n " - }, - { - "language": 
"java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Referrer-Policy", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"policy\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\$|\\.)ReferrerPolicyConfig\"\n ]\n ]\n and arguments[0] is [FieldAccess:\n field.name == \"UNSAFE_URL\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive Referrer-Policy", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"referrerPolicy\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configurers.HeadersConfigurer\"\n ]\n ]\n and arguments[0] is [FieldAccess:\n field.name == \"UNSAFE_URL\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Environment", - "vuln_category": "HTML5", - "vuln_subcategory": "MIME Sniffing", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"disable\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\.|\\$)ContentTypeOptionsConfig\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "HTML5", - "vuln_subcategory": "Cross-Site Scripting Protection", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"setEnabled\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.XXssProtectionHeaderWriter\"\n ]\n ]\n and fc.arguments[0].constantValue is false\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "HTML5", - "vuln_subcategory": "Cross-Site Scripting Protection", - 
"predicate": "\n FunctionCall fc: \n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.StaticHeadersWriter\"\n or name == \"org.springframework.security.web.header.Header\"\n ]\n ] \n and arguments[0] is [Expression: \n constantValue matches \"(?i)(X-)?XSS-Protection\"\n ]\n and arguments contains [Expression e: \n constantValue matches \"^\\s*0(;.*|$)\"\n and not e is fc.arguments[0]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "HTML5", - "vuln_subcategory": "Cross-Site Scripting Protection", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"xssProtectionEnabled\" \n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\.|\\$)XXssConfig\"\n ]\n ]\n and arguments[0].constantValue is false\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "HTML5", - "vuln_subcategory": "Cross-Site Scripting Protection", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"disable\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.HeadersConfigurer(\\.|\\$)XXssConfig\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Security Misconfiguration", - "vuln_subcategory": "Disabled Security Headers", - "predicate": "\n FunctionCall:\n function is [Function:\n name is \"defaultsDisabled\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers(\\$|\\.)HeadersConfigurer\"\n ]\n ] \n\t\t\t" - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": 
"Spring Security Misconfiguration", - "vuln_subcategory": "Disabled Security Headers", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"disable\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer\"\n ]\n ]\n and instance.possibleTypes contains [Type:\n definition.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configurers.HeadersConfigurer\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"disable\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer\"\n ]\n ]\n and instance.possibleTypes contains [Type:\n definition.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configurers.CsrfConfigurer\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Weak Cryptography", - "predicate": "\n FunctionCall:\n function is [Function:\n (name == \"getInstance\" or name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.crypto.password.LdapShaPasswordEncoder\"\n or name == \"org.springframework.security.crypto.password.Md4PasswordEncoder\"\n or name == \"org.springframework.security.crypto.password.MessageDigestPasswordEncoder\"\n or name == \"org.springframework.security.crypto.password.NoOpPasswordEncoder\"\n or name == \"org.springframework.security.crypto.password.StandardPasswordEncoder\"\n or name == \"org.springframework.security.authentication.encoding.PlaintextPasswordEncoder\"\n or name == 
\"org.springframework.security.authentication.encoding.Md4PasswordEncoder\"\n or name == \"org.springframework.security.authentication.encoding.Md5PasswordEncoder\"\n or name == \"org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionCall fc: \n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.header.writers.StaticHeadersWriter\"\n or name == \"org.springframework.security.web.header.Header\"\n ]\n ] \n and arguments[0] is [Expression: \n constantValue matches \"(?i)Access-Control-Allow-Origin\"\n ]\n and arguments contains [Expression e: \n constantValue is \"*\"\n and not e is fc.arguments[0]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n name matches \"addAllowedOrigin(Pattern)?\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.web.cors.CorsConfiguration\"\n ]\n ]\n and arguments[0].constantValue == \"*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Session Fixation", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n function is [Function:\n (\n name == \"invalidateHttpSession\"\n or name == \"clearAuthentication\"\n )\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.config.annotation.web.configurers.LogoutConfigurer\"\n ]\n ]\n and fc.arguments[0].constantValue is false\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Session Fixation", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n function is 
[Function:\n name == \"none\"\n and enclosingClass.supers contains [Class:\n name matches \"org\\.springframework\\.security\\.config\\.annotation\\.web\\.configurers\\.SessionManagementConfigurer(\\.|\\$)SessionFixationConfigurer\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Security Misconfiguration", - "vuln_subcategory": "Overly Permissive Firewall Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.firewall.DefaultHttpFirewall\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Security Misconfiguration", - "vuln_subcategory": "Overly Permissive Firewall Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n name matches \"setAllow.*\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.web.firewall.StrictHttpFirewall\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n (constructor or name == \"init^\" or name == \"Pbkdf2\")\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.security.crypto.password.Pbkdf2PasswordEncoder\"\n ]\n ]\n and fc.arguments[3].constantValue is [EnumValue:\n name is [String: == \"PBKDF2WithHmacSHA1\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe XStream Deserialization", - "predicate": "\n Function f: f.enclosingClass.annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n and 
f.annotations contains [Annotation a2:\n a2.type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and f.parameters contains [Variable v:\n v.annotations contains [Annotation a3: a3.type.name == \"org.springframework.web.bind.annotation.RequestBody\"]\n and v.type.definition is [Class x: x.labels contains [String l: l == \"XStreamAlias\"]]*\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"processCancel|processFinish|processFormSubmission|renderCancel|renderFinish|renderFormSubmission\"\n and callback.parameterTypes[2] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.AbstractWizardFormController\"]\n and callback.parameters[2].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"getInitialPage|getPageCount|onBindAndValidate|postProcessPage|referenceData\"\n and callback.parameterTypes[1] is [Type: name == 
\"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.AbstractWizardFormController\"]\n and callback.parameters[1].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name == \"validatePage\"\n and callback.parameterTypes[0] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.AbstractWizardFormController\"]\n and callback.parameters[0].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches 
\"onFormChange|onSubmitAction|onSubmitRender|processFormSubmission|renderFormSubmission\"\n and callback.parameterTypes[2] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.SimpleFormController\"]\n and callback.parameters[2].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name == \"referenceData\"\n and callback.parameterTypes[1] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.SimpleFormController\"]\n and callback.parameters[1].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - 
"vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"doSubmitAction|onSubmitAction|onSubmitRender\"\n and callback.parameterTypes[0] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.SimpleFormController\"]\n and callback.parameters[0].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"processFormSubmission|renderFormSubmission\"\n and callback.parameterTypes[2] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.AbstractFormController\"]\n and callback.parameters[2].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " 
- }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"onBindOnNewForm|referenceData\"\n and callback.parameterTypes[1] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.AbstractFormController\"]\n and callback.parameters[1].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"handleAction|handleRequest\"\n and callback.parameterTypes[2] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.AbstractCommandController\"]\n and callback.parameters[2].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers 
contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"bindAndValidate|createBinder|onBind|onBindAndValidate|setRenderCommandAndErrors\"\n and callback.parameterTypes[1] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.BaseCommandController\"]\n and callback.parameters[1].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name == \"checkCommand\"\n and callback.parameterTypes[0] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.portlet.mvc.BaseCommandController\"]\n and callback.parameters[0].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n 
fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name == \"handle\"\n and callback.parameterTypes[2] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.servlet.mvc.AbstractCommandController\"]\n and callback.parameters[2].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"bindAndValidate|createBinder|onBindAndValidate|onBind\"\n and callback.parameterTypes[1] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name == \"org.springframework.web.servlet.mvc.BaseCommandController\"]\n and callback.parameters[1].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not 
callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name == \"onBindOnNewForm\"\n and callback.parameterTypes[1] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name is \"org.springframework.web.servlet.mvc.AbstractFormController\"]\n and callback.parameters[1].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name matches \"onSubmit|onFormChange\"\n and callback.parameterTypes[2] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name == \"org.springframework.web.servlet.mvc.SimpleFormController\"]\n and callback.parameters[2].uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition 
is [Class commandClass: ]*\n ] ]\n ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function callback: callback.name == \"onSubmit\"\n and callback.parameterTypes[0] is [Type: name == \"java.lang.Object\" or name == \"kotlin.Any\"]\n and callback.enclosingClass.supers contains [Class controller:\n controller.name == \"org.springframework.web.servlet.mvc.SimpleFormController\"]\n and callback.parameters[0] is [Variable p:\n p.uses contains [VariableAccess commandObject:\n commandObject in [AssignmentStatement cast:\n commandObject is cast.rhs\n and cast.lhs is [VariableAccess commandVariable:\n variable.type.definition is [Class commandClass: ]*\n ] ]\n ] ]\n and not callback.enclosingClass contains [Function f:\n f contains [FunctionCall fc:\n fc.function.name matches \"setAllowedFields|setDisallowedFields\"\n and fc.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ] ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n FunctionCall fc: fc.name == \"setCommandClass\"\n and fc.arguments[0] is [Literal l: image is [String i:]]\n and fc.enclosingFunction.enclosingClass is [Class commandClass:\n commandClass.supers contains [Class c: c.name matches \"org\\.springframework\\.web\\.(portlet|servlet)\\.mvc\\.BaseCommandController\"]\n and (commandClass contains [Function binder:\n name == \"initBinder\"\n and not binder contains [FunctionCall fc2:\n fc2.function.name matches 
\"setAllowedFields|setDisallowedFields\"\n and fc2.function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]*\n or not commandClass contains [Function: name == \"initBinder\"])\n ]*\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n p.uses.length > 0\n and ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\"])\n and p.type.definition is [Class commandClass:\n /* Ignoring Jackson or JAXB annotated classes since we have specifi rules for them */\n not annotations contains [Annotation: type.name matches 
\"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*|(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n ]*\n and not p.type.definition is [Class: name matches \"(jakarta|(kotlin|java)(x)?)\\..*\"\n or name matches \"org\\.springframework\\..*\"\n ]\n and not p.type.definition is [Class: supers contains [Class: name == \"java.lang.Enum\"]]\n and not p.type.primitive\n and not p.annotations contains [Annotation: type.name == \"javax.validation.Valid\"]\n and not p.uses contains [VariableAccess va:\n va.realReads contains [VariableAccess va1:\n va1 in [FunctionCall fc:\n fc.name == \"validate\"\n and fc.function.enclosingClass.supers contains [Class c: c.name == \"org.springframework.validation.Validator\"]\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n 
function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n p.uses.length > 0\n and not ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\" or type.name == \"javax.validation.Valid\"])\n and p.type.definition is [Class commandClass:\n /* Ignoring Jackson or JAXB annotated classes since we have specifi rules for them */\n not annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*|(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n ]*\n and not p.type.definition is [Class: name matches \"(jakarta|(kotlin|java)(x)?)\\..*\"\n or name matches \"org\\.springframework\\..*\"\n or name matches \"jakarta\\..*\"\n ]\n and not p.uses contains [VariableAccess va:\n va.realReads contains [VariableAccess va1:\n va1 in [FunctionCall fc:\n fc.name == \"validate\"\n and fc.function.enclosingClass.supers contains [Class c: c.name == \"org.springframework.validation.Validator\"]\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == 
\"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n p.uses.length > 0\n and ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\"])\n and p.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Class is annotated with JAXB annotations */\n and annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n /* check that bound class is not annotated with jaxb annotations to control binding */\n and not annotations contains [Annotation:\n type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\.XmlAccessorType\"\n and elements contains [AnnotationElement: value matches \".*NONE.*\"]\n ]\n ]*\n and not p.type.definition is [Class: supers contains [Class: name == \"java.lang.Enum\"]]\n and not p.type.primitive\n and not p.annotations contains [Annotation: type.name == \"javax.validation.Valid\"]\n and not p.uses contains [VariableAccess va:\n va.realReads contains [VariableAccess va1:\n va1 in [FunctionCall fc:\n fc.name == \"validate\"\n and fc.function.enclosingClass.supers contains [Class c: c.name == 
\"org.springframework.validation.Validator\"]\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\"])\n and p.type.definition is [Class commandClass:\n /* Class is annotated with JAXB annotations */\n annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n /* check that bound class is not annotated with jaxb annotations to control binding */\n and not annotations contains [Annotation:\n type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\.XmlAccessorType\"\n and elements contains 
[AnnotationElement: value matches \".*NONE.*\"]\n ]\n and not name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not p.type.primitive\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n p.uses.length > 0\n and not ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\" or type.name == \"javax.validation.Valid\"])\n and p.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Class is annotated with JAXB annotations */\n and annotations contains [Annotation: type.name matches 
\"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n /* check that bound class is not annotated with jaxb annotations to control binding */\n and not annotations contains [Annotation:\n type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\.XmlAccessorType\"\n and elements contains [AnnotationElement: value matches \".*NONE.*\"]\n ]\n ]*\n and not p.type.definition is [Class: supers contains [Class: name == \"java.lang.Enum\"]]\n and not p.type.primitive\n and not p.uses contains [VariableAccess va:\n va.realReads contains [VariableAccess va1:\n va1 in [FunctionCall fc:\n fc.name == \"validate\"\n and fc.function.enclosingClass.supers contains [Class c: c.name == \"org.springframework.validation.Validator\"]\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and 
f.parameters contains [Variable p:\n not ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\"])\n and p.type.definition is [Class commandClass:\n /* Class is annotated with JAXB annotations */\n annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n /* check that bound class is not annotated with jaxb annotations to control binding */\n and not annotations contains [Annotation:\n type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\.XmlAccessorType\"\n and elements contains [AnnotationElement: value matches \".*NONE.*\"]\n ]\n and not name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not p.type.primitive\n and not p.type.definition is [Class: name matches \"(jakarta|(kotlin|java)(x)?)\\..*\"\n or name matches \"org\\.springframework\\..*\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder 
reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n p.uses.length > 0\n and ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\"])\n and p.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Class or class fields are annotated with Jackson annotations */\n and (\n annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]\n or\n fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n\n )\n /* check that bound class is not annotated with jackson annotations to control binding */\n and not annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonIgnoreProperties|JsonIgnoreType)\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonInclude|JsonIgnore)\"]]\n ]*\n and not p.type.definition is [Class: supers contains [Class: name == \"java.lang.Enum\"]]\n and not p.type.primitive\n and not p.annotations contains [Annotation: type.name == \"javax.validation.Valid\"]\n and not p.uses contains [VariableAccess va:\n va.realReads contains [VariableAccess va1:\n va1 in [FunctionCall fc:\n fc.name == \"validate\"\n and fc.function.enclosingClass.supers contains [Class c: c.name == \"org.springframework.validation.Validator\"]\n ]\n ]\n ]\n ]\n " - }, - { - 
"language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\"])\n and p.type.definition is [Class commandClass:\n /* Class or class fields are annotated with Jackson annotations */\n (\n annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]\n or\n fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n\n )\n /* check that bound class is not annotated with jackson annotations to control binding 
*/\n and not annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonIgnoreProperties|JsonIgnoreType)\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonInclude|JsonIgnore)\"]]\n and not name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not p.type.primitive\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n p.uses.length > 0\n and not ( p.annotations contains [Annotation:\n type.name matches 
\"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\" or type.name == \"javax.validation.Valid\"])\n and p.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Class or class fields are annotated with Jackson annotations */\n and (\n annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]\n or\n fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n\n )\n /* check that bound class is not annotated with jackson annotations to control binding */\n and not annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonIgnoreProperties|JsonIgnoreType)\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonInclude|JsonIgnore)\"]]\n ]*\n and not p.type.definition is [Class: supers contains [Class: name == \"java.lang.Enum\"]]\n and not p.type.primitive\n and not p.uses contains [VariableAccess va:\n va.realReads contains [VariableAccess va1:\n va1 in [FunctionCall fc:\n fc.name == \"validate\"\n and fc.function.enclosingClass.supers contains [Class c: c.name == \"org.springframework.validation.Validator\"]\n ]\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Function f: annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == 
\"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and enclosingClass is [Class:\n annotations contains [Annotation: type.name == \"org.springframework.stereotype.Controller\" or type.name == \"org.springframework.web.bind.annotation.RestController\"]\n ] and not enclosingClass.supers contains [Class p2:\n p2.functions contains [Function binder:\n (binder.supers contains [Function: annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"] ]\n or annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.InitBinder\"])\n and binder reaches [Function: contains [FunctionCall:\n function.name matches \"setAllowedFields|setDisallowedFields\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.validation.DataBinder\"]\n ]\n ]\n ]\n ]\n and f.parameters contains [Variable p:\n not ( p.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestPart)\"])\n and p.type.definition is [Class commandClass:\n /* Class or class fields are annotated with Jackson annotations */\n (\n annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]\n or\n fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n\n )\n /* check that bound class is not annotated with jackson annotations to control binding */\n and not annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonIgnoreProperties|JsonIgnoreType)\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonInclude|JsonIgnore)\"]]\n and not 
name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not p.type.primitive\n and not p.type.definition is [Class: name matches \"(jakarta|(kotlin|java)(x)?)\\..*\"\n or name matches \"org\\.springframework\\..*\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: function.name == \"setProtocol\"\n and function.enclosingClass.name == \"org.springframework.mail.javamail.JavaMailSenderImpl\"\n and arguments[0].constantValue == \"smtp\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - "predicate": "\n Class c: (labels contains [String: == \"JMXBean\"]\n or annotations contains [Annotation: type.name == \"org.springframework.jmx.export.annotation.ManagedResource\"])\n and functions contains [Function: \n parameterTypes.length > 0\n and parameterTypes contains [Type:\n not primitive\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - "predicate": "\n Function: (annotations contains [Annotation: type.name == \"org.springframework.jms.annotation.JmsListener\"] or labels contains [String: == \"SpringJmsListenerMethod\"])\n and parameters contains [Variable:\n type is [Type:\n not primitive\n and not definition.supers contains [Class: name matches \"java\\.lang\\.(Boolean|String|Number)\" or name == \"javax.jms.Message\"]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: name matches \"(Imap|Pop3)MailReceiver\"\n and function.enclosingClass.name matches 
\"org\\.springframework\\.integration\\.mail\\.(Imap|Pop3)MailReceiver\"\n and arguments.length == 1\n and arguments[0].constantValue matches \"^(imap|pop3)\\:.*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - "predicate": "\n FunctionCall fc:\n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class: name == \"org.springframework.data.redis.core.RedisTemplate\"]\n ]\n and enclosingFunction is [Function f:\n /* Not all serializers are set */\n not (\n f contains [FunctionCall:\n function.name == \"setKeySerializer\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.data.redis.core.RedisTemplate\"]\n ]\n and f contains [FunctionCall:\n function.name == \"setValueSerializer\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.data.redis.core.RedisTemplate\"]\n ]\n and f contains [FunctionCall:\n function.name == \"setHashValueSerializer\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.data.redis.core.RedisTemplate\"]\n ]\n and f contains [FunctionCall:\n function.name == \"setHashKeySerializer\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.data.redis.core.RedisTemplate\"]\n ]\n )\n /* default serializer is changed */\n and not f contains [FunctionCall:\n function.name == \"setDefaultSerializer\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.data.redis.core.RedisTemplate\"]\n ]\n /* default serializer is disabled */\n and not f contains [FunctionCall:\n function.name == \"setEnableDefaultSerializer\"\n and function.enclosingClass.supers contains [Class: name == \"org.springframework.data.redis.core.RedisTemplate\"]\n and arguments[0].constantValue == false\n ]\n ]*\n\n " - }, - { - "language": "java", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Spring Boot Misconfiguration", - "vuln_subcategory": "Actuator Endpoint Security Disabled", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"setSensitive\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.boot.actuate.endpoint.mvc.AbstractMvcEndpoint\"\n or name == \"org.springframework.boot.actuate.endpoint.AbstractEndpoint\"\n ]\n ]\n and arguments[0] is [Expression:\n constantValue is [Boolean: is false]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Boot Misconfiguration", - "vuln_subcategory": "Actuator Endpoint Security Disabled", - "predicate": "\n FunctionCall:\n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.boot.actuate.endpoint.mvc.AbstractMvcEndpoint\"\n or name == \"org.springframework.boot.actuate.endpoint.AbstractEndpoint\"\n ]\n ]\n and arguments[1] is [Expression:\n constantValue is [Boolean: is false]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Spring Boot Misconfiguration", - "vuln_subcategory": "Actuator Endpoint Security Disabled", - "predicate": "\n ReturnStatement rs:\n enclosingFunction is [Function:\n name == \"isSensitive\"\n and enclosingClass.supers contains [Class:\n name == \"org.springframework.boot.actuate.endpoint.Endpoint\"\n or name == \"org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint\"\n ]\n ] and expression is [Expression e:\n constantValue is [Boolean: is false]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Session Puzzling", - "vuln_subcategory": "Spring", - "predicate": "\n Function cmethod:\n annotations contains [Annotation:\n type.name matches 
\"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s: s == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ]\n and enclosingClass is [Class:\n annotations contains [Annotation:\n type.name == \"org.springframework.stereotype.Controller\"\n or type.name == \"org.springframework.web.bind.annotation.RestController\"\n ]\n and annotations contains [Annotation:\n type.name == \"org.springframework.web.bind.annotation.SessionAttributes\"\n ]\n ]*\n and parameters contains [Variable p:\n not p.annotations contains [Annotation: type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.(PathVariable|MatrixVariable|RequestParam|RequestHeader|RequestBody|RequestMethod|RequestPart|CookieValue|SessionAttribute|RequestAttribute)\"]\n /* These args are labeled in a different rule */\n and not p.annotations contains [Annotation: type.name == \"org.springframework.web.bind.annotation.ModelAttribute\"]\n and not p.type.definition.supers contains [Class:\n name matches \"org\\.springframework\\.web\\.context\\.request\\.(Native)?WebRequest\" or\n name matches \"javax\\.servlet\\.Servlet(Request|Response)\" or\n name matches \"javax\\.servlet\\.http\\.HttpServlet(Request|Response)\" or\n name matches \"javax\\.portlet\\.Portlet(Request|Session)\" or\n name matches \"java\\.io\\.(OutputStream|Writer)\" or\n name matches \"org\\.springframework\\.ui\\.Model(Map)?\" or\n name matches \"org\\.springframework\\.http\\.Http(Method|Entity)\" or\n name matches \"org\\.springframework\\.validation\\.(Errors|BindingResult)\" or\n name matches \"java\\.util\\.(Map|Locale|TimeZone|UUID)\" or\n name == \"java.time.ZoneId\" or\n name == \"java.security.Principal\" or\n name == \"javax.servlet.http.HttpSession\" or\n name == \"org.springframework.web.bind.support.SessionStatus\" or\n name == \"org.springframework.web.servlet.mvc.support.RedirectAttributes\" or\n name == 
\"org.springframework.web.util.UriComponentsBuilder\" or\n name == \"org.springframework.web.reactive.function.ServerRequest\" or\n name == \"org.springframework.web.reactive.function.ServerResponse\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "XML External Entity Injection", - "vuln_subcategory": None, - "predicate": "\n Function f:\n f.annotations contains [Annotation:\n type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.((Request|Get|Post|Delete|Put|Patch)Mapping|ExceptionHandler)\"\n or type.definition.labels contains [String s1: s1 == \"SPRINGMVC_REQUESTMAPPING_CLASS\"]\n ] and\n f.parameters contains [Variable v:\n not v.annotations contains [Annotation: type.name matches \"org\\.springframework\\.web\\.bind\\.annotation\\.ModelAttribute\"] and\n not v.type == T\"java.lang.String\"\n and v.type.definition is [Class m: m.labels contains [String s: s == \"XMLMapped\"] ]*\n ] and\n f.enclosingClass is [Class c: c.annotations contains [Annotation: type.name matches \"org\\.springframework\\.stereotype\\.Controller\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Portability Flaw", - "vuln_subcategory": "Native SQL", - "predicate": "\n FunctionCall fc: function.name matches \"prepareNative(Call|Statement)\"\n and fc.function.enclosingClass.supers contains [Class: name == \"com.sap.sql.NativeSQLAccess\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "XML Entity Expansion Injection", - "vuln_subcategory": None, - "predicate": "\n Function f: f.annotations contains [Annotation a:\n a.type.name matches \"org\\.restlet(\\.client)?\\.resource.(Get|Post|Put|Delete)\"\n and a.elements contains [AnnotationElement ae:\n ae.value matches \".*xml.*\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - 
"vuln_subcategory": None, - "predicate": "\n FunctionCall: name == \"add\"\n and function.enclosingClass.supers contains [Class:\n name == \"org.restlet.util.ServerList\"]\n and arguments[0].location is [FieldAccess f:\n f.type.name matches \"org\\.restlet(\\.client)?\\.data\\.Protocol\"\n and ((f.field.name == \"HTTP\")\n or (f.field.name == \"FTP\")\n or (f.field.name == \"SMTP\")\n or (f.field.name == \"POP\")\n or (f.field.name == \"SIP\"))]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: name == \"add\"\n and function.enclosingClass.supers contains [Class:\n name == \"org.restlet.util.ServerList\"]\n and arguments[0].location is [FieldAccess f:\n f.type.name matches \"org\\.restlet(\\.client)?\\.data\\.Protocol\"\n and ((f.field.name == \"HTTP\")\n or (f.field.name == \"FTP\")\n or (f.field.name == \"SMTP\")\n or (f.field.name == \"POP\")\n or (f.field.name == \"SIP\"))]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: (function.constructor or function.name == \"init^\")\n and function.enclosingClass.supers contains [Class: name == \"org.restlet.Server\"]\n and arguments[1].location is [FieldAccess f: f.type.name matches \"org\\.restlet(\\.client)?\\.data\\.Protocol\"\n and ((f.field.name == \"HTTP\") or (f.field.name == \"FTP\") or (f.field.name == \"SMTP\") or (f.field.name == \"POP\") or (f.field.name == \"SIP\"))]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: (function.constructor or function.name == \"init^\")\n and function.enclosingClass.supers contains [Class: name == \"org.restlet.Server\"]\n and arguments[1].location is [FieldAccess f: f.type.name matches 
\"org\\.restlet(\\.client)?\\.data\\.Protocol\"\n and ((f.field.name == \"HTTP\") or (f.field.name == \"FTP\") or (f.field.name == \"SMTP\") or (f.field.name == \"POP\") or (f.field.name == \"SIP\"))]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: (function.constructor or function.name == \"init^\")\n and function.enclosingClass.supers contains [Class: name == \"org.restlet.Server\"]\n and arguments[0].location is [FieldAccess f: f.type.name matches \"org\\.restlet(\\.client)?\\.data\\.Protocol\"\n and ((f.field.name == \"HTTP\") or (f.field.name == \"FTP\") or (f.field.name == \"SMTP\") or (f.field.name == \"POP\") or (f.field.name == \"SIP\"))]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: (function.constructor or function.name == \"init^\")\n and function.enclosingClass.supers contains [Class: name == \"org.restlet.Server\"]\n and arguments[0].location is [FieldAccess f: f.type.name matches \"org\\.restlet(\\.client)?\\.data\\.Protocol\"\n and ((f.field.name == \"HTTP\") or (f.field.name == \"FTP\") or (f.field.name == \"SMTP\") or (f.field.name == \"POP\") or (f.field.name == \"SIP\"))]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"org\\.restlet(\\.client)?\\.resource\\.(Post|Put)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Command Class is not annotated at all */\n and not annotations contains [Annotation: ]\n and not fields contains [Field: annotations 
contains [Annotation: ]]\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"org\\.restlet(\\.client)?\\.resource\\.(Post|Put)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* Command Class is not annotated at all */\n not annotations contains [Annotation: ]\n and not fields contains [Field: annotations contains [Annotation: ]]\n and not name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"org\\.restlet(\\.client)?\\.resource\\.(Post|Put)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Class is annotated with JAXB annotations */\n and annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n /* check that bound class is not annotated with jaxb annotations to control binding */\n and not annotations contains [Annotation:\n type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\.XmlAccessorType\"\n and elements contains [AnnotationElement: value matches \".*NONE.*\"]\n ]\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains 
[Annotation: type.name matches \"org\\.restlet(\\.client)?\\.resource\\.(Post|Put)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* Class is annotated with JAXB annotations */\n annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n /* check that bound class is not annotated with jaxb annotations to control binding */\n and not annotations contains [Annotation:\n type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\.XmlAccessorType\"\n and elements contains [AnnotationElement: value matches \".*NONE.*\"]\n ]\n and not name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"org\\.restlet(\\.client)?\\.resource\\.(Post|Put)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* Class or class fields are annotated with Jackson annotations */\n (\n annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]\n or\n fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n\n )\n /* check that bound class is not annotated with jackson annotations to control binding */\n and not annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonIgnoreProperties|JsonIgnoreType)\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonInclude|JsonIgnore)\"]]\n and not name matches 
\"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Sensitive Field Exposure", - "predicate": "\n Field f: f.labels contains [String s: s == \"exposedRESTField\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Insecure Storage", - "vuln_subcategory": "Missing Database Encryption", - "predicate": "\n FunctionCall fc:\n function is [Function:\n name == \"getDefaultInstance\"\n and enclosingClass.supers contains [Class:\n name matches \"io\\.realm\\.(Base)?Realm\"\n ]\n ]\n and not enclosingFunction reachedBy [Function:\n labels contains \"REALM_OVERRIDDEN_CONFIGURATION\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Insecure Sanitizer Policy", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.function is [Function f: f.name == \"allowElements\"\n and f.enclosingClass.supers contains [Class s: name == \"org.owasp.html.HtmlPolicyBuilder\"]]\n and fc.arguments contains [Expression exp: exp.constantValue matches \"(?i)script|style\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Password Management", - "vuln_subcategory": "Weak Redundancy", - "predicate": "\n FunctionCall fc:( fc.function is [Function fun:\n ((fun.enclosingClass.supers contains [Class c: c.name == \"org.owasp.esapi.User\"] and fun.name == \"changePassword\")or\n (fun.enclosingClass.supers contains [Class c1: c1.name == \"org.owasp.esapi.Authenticator\"] and fun.name == \"createUser\"))] and\n (fc.arguments[1] is [FieldAccess fa1: fa1.instance is [VariableAccess var1:\n fc.arguments[2] is [FieldAccess fa2: fa2.instance is [VariableAccess var2: var1.variable.name == var2.variable.name ]]]] or\n fc.arguments[1] is [VariableAccess va1: fc.arguments[2] is [VariableAccess va2: 
va1.variable.name == va2.variable.name]])\n )or\n ( (fc.function is [Function fun1: fun1.enclosingClass.supers contains [Class c2: c2.name == \"org.owasp.esapi.Authenticator\"] and fun1.name == \"changePassword\"]) and\n (fc.arguments[2] is [FieldAccess fa3: fa3.instance is [VariableAccess var3:\n fc.arguments[3] is [FieldAccess fa4: fa4.instance is [VariableAccess var4: var3.variable.name == var4.variable.name ]]]] or\n fc.arguments[2] is [VariableAccess va3: fc.arguments[3] is [VariableAccess va4: va3.variable.name == va4.variable.name]])\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall: function.name == \"generateSecretKey\"\n and function.enclosingClass.supers contains [ Class: name == \"org.owasp.esapi.crypto.CryptoHelper\"]\n and arguments[0].constantValue is [String s: s matches \"DESede(.*)\"]\n and arguments[1].constantValue is [Number: < 168]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall: function.name == \"generateSecretKey\"\n and function.enclosingClass.supers contains [ Class: name == \"org.owasp.esapi.crypto.CryptoHelper\"]\n and arguments[0].constantValue is [String s: s matches \"AES(.*)\"]\n and arguments[1].constantValue is [Number: < 128]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall: function.name == \"generateSecretKey\"\n and function.enclosingClass.supers contains [Class: name == \"org.owasp.esapi.crypto.CryptoHelper\"]\n and arguments[0].constantValue is [String s: s matches \"RSA(.*)\"]\n and arguments[1].constantValue is [Number: < 2048]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", 
- "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall: ( function.constructor or function.name == \"init^\" )\n and function.enclosingClass.supers contains [Class: name == \"org.owasp.esapi.crypto.CipherSpec\"]\n and arguments[0].constantValue is [String s: s matches \"DESede(.*)\"]\n and arguments[1].constantValue is [Number: < 168]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall: ( function.constructor or function.name == \"init^\" )\n and function.enclosingClass.supers contains [Class: name == \"org.owasp.esapi.crypto.CipherSpec\"]\n and arguments[0].constantValue is [String s: s matches \"AES(.*)\"]\n and arguments[1].constantValue is [Number: < 128]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insufficient Key Size", - "predicate": "\n FunctionCall: ( function.constructor or function.name == \"init^\" )\n and function.enclosingClass.supers contains [Class: name == \"org.owasp.esapi.crypto.CipherSpec\"]\n and arguments[0].constantValue is [String s: s matches \"RSA(.*)\"]\n and arguments[1].constantValue is [Number: < 2048]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Unauthenticated Service", - "vuln_subcategory": "MongoDB", - "predicate": "\n FunctionCall fc:\n function is [Function:\n (name == \"init^\" or constructor)\n and enclosingClass.supers contains [Class:\n name == \"com.mongodb.MongoClientURI\"\n ]\n ]\n and not arguments[0].constantValue matches \"mongodb://.*:.*@.*\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "XML External Entity Injection", - "vuln_subcategory": None, - "predicate": "\n Function f: annotations contains [Annotation a: type == 
T\"javax.ws.rs.Consumes\"\n and elements contains [AnnotationElement e: key == \"value\" and\n (value is [String s: s matches \".*xml.*\"])\n or\n (value is [ConstantArray c: values contains [String s2: s2 matches \".*xml.*\"]])\n ]\n ]\n and f.parameters contains [Variable v:\n not v.type == T\"java.lang.String\"\n and v.type.definition is [Class m: m.annotations contains [Annotation: type.name == \"javax.xml.bind.annotation.XmlRootElement\"]]*\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"javax\\.ws\\.rs\\.(POST|PUT)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Command Class is not annotated at all */\n and not annotations contains [Annotation: ]\n and not fields contains [Field: annotations contains [Annotation: ]]\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"javax\\.ws\\.rs\\.(POST|PUT)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* Command Class is not annotated at all */\n not annotations contains [Annotation: ]\n and not fields contains [Field: annotations contains [Annotation: ]]\n and not name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is 
[Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.ws\\.rs\\.(POST|PUT)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Class is annotated with JAXB annotations */\n and annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n /* check that bound class is not annotated with jaxb annotations to control binding */\n and not annotations contains [Annotation:\n type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\.XmlAccessorType\"\n and elements contains [AnnotationElement: value matches \".*NONE.*\"]\n ]\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.ws\\.rs\\.(POST|PUT)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* Class is annotated with JAXB annotations */\n annotations contains [Annotation: type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\..*\"]\n /* check that bound class is not annotated with jaxb annotations to control binding */\n and not annotations contains [Annotation:\n type.name matches \"(javax|jakarta)\\.xml\\.bind\\.annotation\\.XmlAccessorType\"\n and elements contains [AnnotationElement: value matches \".*NONE.*\"]\n ]\n and not name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains 
[Annotation: type.name matches \"javax\\.ws\\.rs\\.(POST|PUT)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* user-controlled type */\n functions contains [Function: isBodyAvailable]\n /* Class or class fields are annotated with Jackson annotations */\n and (\n annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]\n or\n fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n\n )\n /* check that bound class is not annotated with jackson annotations to control binding */\n and not annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonIgnoreProperties|JsonIgnoreType)\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonInclude|JsonIgnore)\"]]\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Insecure Binder Configuration", - "predicate": "\n Variable v: v.enclosingFunction is [Function f: f.parameters contains v\n and f.annotations contains [Annotation: type.name matches \"javax\\.ws\\.rs\\.(POST|PUT)\"]\n ]\n and v.type.definition is [Class commandClass:\n /* Class or class fields are annotated with Jackson annotations */\n (\n annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]\n or\n fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\..*\"]]\n\n )\n /* check that bound class is not annotated with jackson annotations to control binding */\n and not annotations 
contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonIgnoreProperties|JsonIgnoreType)\"]\n and not fields contains [Field: annotations contains [Annotation: type.name matches \"(com\\.fasterxml\\.jackson\\.annotation|org\\.codehaus\\.jackson\\.annotate)\\.(JsonInclude|JsonIgnore)\"]]\n and not name matches \"(org\\.restlet|(jakarta|(kotlin|java)(x)?))\\..*\"\n ]*\n and not v.type.primitive\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set", - "predicate": "\n FunctionCall: function is [Function: (constructor or name == \"init^\") and enclosingClass.supers contains [Class: name == \"javax.ws.rs.core.NewCookie\"]]\n and (\n (arguments.length == 1 or arguments.length == 2 or arguments.length == 4 or arguments.length == 7)\n or (arguments.length == 6 and arguments[5] is [BooleanLiteral: not value is true])\n or (arguments.length == 8 and arguments[7] is [BooleanLiteral: not value is true] and arguments[6].type.name == \"boolean\")\n or (arguments.length == 8 and arguments[6].type.name == \"int\")\n or (arguments.length == 10 and arguments[9] is [BooleanLiteral: not value is true])\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Persistent Session Cookie", - "predicate": "\n FunctionCall: function is [Function: \n name == \"setMaxAge\"\n and enclosingClass.supers contains [Class: name matches \"(javax|jakarta)\\.servlet\\.SessionCookieConfig\"]\n ]\n and arguments[0] is [Expression: constantValue is [Number: > 0]]\n " - }, - { - "language": "java", - "vuln_kingdom": "Environment", - "vuln_category": "J2EE Misconfiguration", - "vuln_subcategory": "Excessive Session Timeout", - "predicate": "\n FunctionCall: function is [Function:\n name == \"setSessionTimeout\"\n and enclosingClass.supers contains [Class c: 
c.name == \"jakarta.servlet.ServletContext\"]\n ]\n and arguments[0].partialConstantValues contains [Number n: n > 30 or n < 0]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "J2EE Bad Practices", - "vuln_subcategory": "Insufficient Session Expiration", - "predicate": "\n FunctionCall: function is\n [name == \"setMaxInactiveInterval\"\n and enclosingClass.supers contains [Class c: c.type.name matches \"(javax|jakarta)\\.servlet\\.http\\.HttpSession\"]]\n and arguments[0].partialConstantValues contains [Number: < 0]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - "predicate": "\n FunctionCall: function is [Function:\n name == \"getObject\"\n and enclosingClass.supers contains [Class: name matches \"(javax|jakarta)\\.jms\\.ObjectMessage\"]\n and not enclosingClass.supers contains [Class: name == \"org.apache.activemq.command.ActiveMQObjectMessage\"]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Signature", - "vuln_subcategory": "XML Signature Secure Validation Disabled", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"setProperty\"\n and enclosingClass.supers contains [Class:\n name == \"javax.xml.crypto.XMLCryptoContext\"\n ]\n ]\n and arguments[0].constantValue == \"org.jcp.xml.dsig.secureValidation\"\n and arguments[1].constantValue != true\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: (function.constructor or function.name == \"init^\")\n and function.enclosingClass.supers contains [Class: name == \"com.sun.mail.smtp.SMTPTransport\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", 
- "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: name == \"POP3Store\"\n and function.enclosingClass.name == \"com.sun.mail.pop3.POP3Store\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: name == \"IMAPStore\"\n and function.enclosingClass.name == \"com.sun.mail.imap.IMAPStore\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: name == \"URLName\"\n and function.enclosingClass.name == \"jakarta.mail.URLName\"\n and (\n (arguments.length == 6 and not arguments[0].constantValue.None and arguments[0].constantValue matches \"imap|pop3|smtp\")\n or (arguments.length == 1 and arguments[0].constantValue matches \"^(imap|pop3|smtp)\\:.*\")\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: name == \"URLName\"\n and function.enclosingClass.name == \"javax.mail.URLName\"\n and (\n (arguments.length == 6 and not arguments[0].constantValue.None and arguments[0].constantValue matches \"imap|pop3|smtp\")\n or (arguments.length == 1 and arguments[0].constantValue matches \"^(imap|pop3|smtp)\\:.*\")\n )\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: name == \"Provider\"\n and function.enclosingClass.name == \"jakarta.mail.Provider\"\n and arguments[1].constantValue matches \"imap|pop3\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: 
name == \"Provider\"\n and function.enclosingClass.name == \"javax.mail.Provider\"\n and arguments[1].constantValue matches \"imap|pop3\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: function.name == \"getStore\"\n and function.enclosingClass.name == \"jakarta.mail.Session\"\n and arguments[0].constantValue matches \"imap|pop3\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: function.name == \"getStore\"\n and function.enclosingClass.name == \"javax.mail.Session\"\n and arguments[0].constantValue matches \"imap|pop3\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Overly Broad Certificate Trust", - "predicate": "\n FunctionCall call: call.function.name == \"trustManager\"\n and call.function.enclosingClass.name == \"io.grpc.TlsChannelCredentials$Builder\"\n and arguments contains [Expression e:\n type.definition.supers contains [Class: name == \"javax.net.ssl.X509TrustManager\"]\n and type.definition contains [Function: name == \"getAcceptedIssuers\" and contains [ReturnStatement: expression is [NoneLiteral: ]]]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Overly Broad Certificate Trust", - "predicate": "\n FunctionCall call: call.function.name == \"trustManager\" and\n call.function.enclosingClass.name == \"io.netty.handler.ssl.SslContextBuilder\" and\n call.arguments.length == 1 and\n call.arguments[0] is [FieldAccess fa: fa.name == \"INSTANCE\" and\n fa.field.enclosingClass.name == \"io.netty.handler.ssl.util.InsecureTrustManagerFactory\"]\n " - }, - { - "language": "java", - "vuln_kingdom": 
"Security Features", - "vuln_category": "Access Control", - "vuln_subcategory": "gRPC Fail Open", - "predicate": "\n ReturnStatement r: in [\n CatchBlock: (enclosingClass.supers contains [name == \"io.grpc.ServerInterceptor\"] and\n enclosingFunction.name == \"interceptCall\" and\n enclosingFunction.parameters contains [Variable p:\n p.type.definition is [Class: name == \"io.grpc.Metadata\"]\n and p.uses.length > 0\n and p.uses contains [VariableAccess va: va.realReads.length > 1]\n ] and\n exception.type.name == \"java.lang.Exception\" or\n exception.type.name == \"java.lang.Throwable\" or\n exception.type.name == \"java.lang.Error\" or\n exception.type.name == \"java.lang.RuntimeException\") and\n not contains [ThrowStatement: ]\n ]\n /*\n return next.startCall(call, metadata);\n */\n and r.expression is [FunctionCall fc: fc.name == \"startCall\"\n and fc.arguments.length == 2\n and fc.arguments[0] is [VariableAccess var1: var1.variable.type.definition.supers contains [Class: name == \"io.grpc.ServerCall\"]]\n and fc.arguments[1] is [VariableAccess var2: var2.variable.type.definition.supers contains [Class: name == \"io.grpc.Metadata\"]]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement:\n lhs is [FieldAccess:\n instance is [VariableAccess: this]\n and field is [Field dec:\n /* We assume that a static or singleton file is meant to be shared by design */\n not static\n and not type.definition.labels contains [String s: s matches \".*SingletonBean$\"]\n ]*\n ]*\n and enclosingClass.labels contains \"EJBSingletonBean\"\n and not enclosingFunction is [Function:\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n (constructor or name matches \"init.*\")\n /* EXCEPTION: @PostConstruct and @PreDestroy methods are only called once */\n or (annotations contains [type.name matches 
\"javax.annotation.(PostConstruct|PreDestroy)\"])\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n or (not public and not protected and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor])\n /* EXCEPTION: enclosing function is only reachable from a method that is only called once */\n or (\n callers.length != 0\n and not callers contains [Function:\n not constructor\n and not name == \"init^\"\n and not annotations contains [Annotation:\n type.name matches \"javax.annotation.(PostConstruct|PreDestroy)\"\n ]\n and not name matches \"init.*\"\n ]\n )\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"allowedOrigins\"\n and enclosingClass.supers contains [Class:\n name matches \"software\\.amazon\\.awssdk\\.services\\.s3\\.model\\.CORSRule(\\.|\\$)Builder\"\n ]\n ] \n and arguments contains [Expression:\n constantValue == \"*\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Insecure Storage", - "vuln_subcategory": "S3 Read Anonymous Access", - "predicate": "\n FunctionCall:\n function is [Function:\n name == \"acl\"\n and enclosingClass.supers contains [Class:\n name matches \"software\\.amazon\\.awssdk\\.services\\.s3\\.model\\..*Builder\"\n ]\n ] \n and arguments[0] is [FieldAccess:\n field is [Field:\n (name == \"PUBLIC_READ\" or name == \"AUTHENTICATED_READ\")\n and enclosingClass.supers contains [Class:\n name == \"software.amazon.awssdk.services.s3.model.BucketCannedACL\"\n or name == \"software.amazon.awssdk.services.s3.model.ObjectCannedACL\"\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Insecure Storage", - "vuln_subcategory": "S3 Full Anonymous Access", - "predicate": "\n FunctionCall:\n function is 
[Function:\n name == \"acl\"\n and enclosingClass.supers contains [Class:\n name matches \"software\\.amazon\\.awssdk\\.services\\.s3\\.model\\..*Builder\"\n ]\n ] \n and arguments[0] is [FieldAccess:\n field is [Field:\n name == \"PUBLIC_READ_WRITE\"\n and enclosingClass.supers contains [Class:\n name == \"software.amazon.awssdk.services.s3.model.BucketCannedACL\"\n or name == \"software.amazon.awssdk.services.s3.model.ObjectCannedACL\"\n ]\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "HTML5", - "vuln_subcategory": "Overly Permissive CORS Policy", - "predicate": "\n FunctionCall fc: \n function is [Function:\n name == \"setAllowedOrigins\"\n and enclosingClass.supers contains [Class:\n name == \"com.amazonaws.services.s3.model.CORSRule\"\n ]\n ] \n and arguments contains [Expression:\n constantValue == \"*\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Insecure Storage", - "vuln_subcategory": "S3 Read Anonymous Access", - "predicate": "\n FieldAccess fa: \n field is [Field:\n name matches \"AuthenticatedRead|PublicRead\"\n and enclosingClass.supers contains [Class:\n name == \"com.amazonaws.services.s3.model.CannedAccessControlList\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Insecure Storage", - "vuln_subcategory": "S3 Full Anonymous Access", - "predicate": "\n FieldAccess fa: \n field is [Field:\n name == \"PublicReadWrite\"\n and enclosingClass.supers contains [Class:\n name == \"com.amazonaws.services.s3.model.CannedAccessControlList\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Struts 2 Bad Practices", - "vuln_subcategory": "Dynamic Method Invocation", - "predicate": "\n Function f: name == \"_FORTIFY_NON_EXISTENT_\" /* TEMPLATED */\n and f.public and f.parameterTypes.length == 0 and f.supers.length == 0 and not f.constructor and not f.initializer and not 
f.destructor and not f.name matches \"|execute|clinit\\^|init\\^\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Struts 2 Bad Practices", - "vuln_subcategory": "Session Map Tampering", - "predicate": "\n Class action: directSupers contains [Class s: name == \"org.apache.struts2.interceptor.SessionAware\"]\n and functions contains [Function setter: public and name == \"setSession\" ]*\n and not (directSupers contains [Class p: name == \"com.opensymphony.xwork2.interceptor.ParameterNameAware\"])\n and not (functions contains [Function f: name == \"acceptableParameterName\" ])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Struts 2 Bad Practices", - "vuln_subcategory": "Application Map Tampering", - "predicate": "\n Class action: directSupers contains [Class s: name == \"org.apache.struts2.interceptor.ApplicationAware\"]\n and functions contains [Function setter: public and name == \"setApplication\" ]*\n and not (directSupers contains [Class p: name == \"com.opensymphony.xwork2.interceptor.ParameterNameAware\"])\n and not (functions contains [Function f: name == \"acceptableParameterName\" ])\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Struts 2 Bad Practices", - "vuln_subcategory": "Request Map Tampering", - "predicate": "\n Class action: directSupers contains [Class s: name == \"org.apache.struts2.interceptor.RequestAware\"]\n and functions contains [Function setter: public and name == \"setRequest\" ]*\n and not (directSupers contains [Class p: name == \"com.opensymphony.xwork2.interceptor.ParameterNameAware\"])\n and not (functions contains [Function f: name == \"acceptableParameterName\" ])\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Struts 2", - "vuln_subcategory": "Action Field Without Validator", - "predicate": "\n // anything that passes validation. 
Always replaced entirely or removed.\n Field f: name == \"_FORTIFY_NON_EXISTENT_\" /* TEMPLATED */\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Struts 2", - "vuln_subcategory": "Duplicate Validation Files", - "predicate": "\n // anything that passes validation. Always replaced entirely or deleted;\n Class duplicateActions: name == \"_FORTIFY_NON_EXISTENT_\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Struts 2", - "vuln_subcategory": "Unvalidated Action", - "predicate": "\n Class actions: name == \"_FORTIFY_NON_EXISTENT_\" /* TEMPLATED */ \n and not contains [Function f: f.name == \"validate\" and not f.enclosingClass is [Class cl: cl.name == \"com.opensymphony.xwork2.ActionSupport\"]]\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n Function: enclosingClass.supers contains\n [\n name == \"com.opensymphony.xwork2.ActionSupport\"\n ]\n and name matches \"set.*\"\n and parameterTypes[0].name == \"java.io.File\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n Function: enclosingClass.supers contains\n [\n name == \"com.opensymphony.xwork2.ActionSupport\"\n ]\n and name matches \"set.*\"\n and parameterTypes[0].name == \"java.io.File\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n Function: enclosingClass.supers contains\n [\n name == \"com.opensymphony.xwork2.ActionSupport\"\n ]\n and name matches \"set.*\"\n and parameterTypes[0].name == \"java.io.File\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Code Quality", - "vuln_category": "Fortify Internal", - "vuln_subcategory": None, - "predicate": "\n 
Function:\n annotations contains [Annotation:\n type.name startsWith \"org.apache.struts2.convention.annotation\"\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Struts", - "vuln_subcategory": "Form Field Without Validator", - "predicate": "\n // something that passes validation. Will always be removed or replaced entirely.\n FieldAccess fa: name == \"_FORTIFY_NON_EXISTENT_\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n Function: enclosingClass.supers contains\n [\n name == \"org.apache.struts.action.ActionForm\"\n ]\n and name matches \"set.*\"\n and parameterTypes[0].name == \"org.apache.struts.upload.FormFile\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n Function: enclosingClass.supers contains\n [\n name == \"org.apache.struts.action.ActionForm\"\n ]\n and name matches \"set.*\"\n and parameterTypes[0].name == \"org.apache.struts.upload.FormFile\"\n " - }, - { - "language": "java", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "File Upload", - "predicate": "\n Function: enclosingClass.supers contains\n [\n name == \"org.apache.struts.action.ActionForm\"\n ]\n and name matches \"set.*\"\n and parameterTypes[0].name == \"org.apache.struts.upload.FormFile\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Mass Assignment", - "vuln_subcategory": "Sensitive Field Exposure", - "predicate": "\n Field f: f.labels contains [String s: s == \"exposedActionFormField\"]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.function.name matches 
\"set(Long|Int|Double|Boolean)?Parameter\"\n and fc.function.enclosingClass is [Class c:\n c.supers contains [Class:\n name == \"org.apache.http.params.HttpParams\"]\n ]\n and fc.arguments[0] is [FieldAccess fa:\n fa.field is [Field f:\n f.static\n and\n (\n (\n f.enclosingClass.name == \"org.apache.http.conn.params.ConnManagerPNames\"\n and\n (\n f.name == \"MAX_TOTAL_CONNECTIONS\"\n or f.name == \"TIMEOUT\"\n )\n )\n or\n (\n f.enclosingClass.name == \"org.apache.http.params.CoreConnectionPNames\"\n and\n (\n f.name == \"CONNECTION_TIMEOUT\"\n or f.name == \"SO_TIMEOUT\"\n )\n )\n )\n ] ]\n and fc.arguments[1].constantValue == \"0\"\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: function.enclosingClass.supers contains [Class: name == \"org.apache.commons.net.pop3.POP3Client\"]\n and (function.constructor or function.name == \"init^\")\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: function.enclosingClass.supers contains [Class: name == \"org.apache.commons.net.imap.IMAPClient\"]\n and (function.constructor or function.name == \"init^\")\n " - }, - { - "language": "java", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Mail Transmission", - "predicate": "\n FunctionCall fc: function.enclosingClass.supers contains [Class: name == \"org.apache.commons.net.smtp.SMTPClient\"]\n and (function.constructor or function.name == \"init^\")\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Dynamic Code Evaluation", - "vuln_subcategory": "Unsafe Deserialization", - "predicate": "\n FunctionCall: function is [Function:\n name matches \"clone|deserialize\"\n and 
enclosingClass.supers contains [Class:\n name == \"org.apache.commons.lang3.SerializationUtils\"\n or name == \"org.apache.commons.lang.SerializationUtils\"\n ]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n Function f: f.labels contains [String s: s == \"GWTEntryMethod\"]\n and not f.constructor\n and not f.name == \"init^\"\n and not f.initializer\n and not f.destructor\n " - }, - { - "language": "java", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n Function f: f.enclosingClass.supers contains [Class iface: interface and supers contains [Class: name == \"com.google.gwt.user.client.rpc.RemoteService\"]\n and functions contains [Function f2: f2 in f.supers]\n ]\n and not f.enclosingClass.supers contains [Class XSRFiface: interface and supers contains [Class: name == \"com.google.gwt.user.client.rpc.XsrfProtectedService\"]\n and functions contains [Function f3: f3 in f.supers]\n ]\n and not f.annotations contains [Annotation: type.name matches \"com\\.google\\.gwt\\.user\\.server\\.rpc\\.(No?)XsrfProtect\"]\n and not f.supers contains [Function: annotations contains [Annotation: type.name matches \"com\\.google\\.gwt\\.user\\.server\\.rpc\\.(No)?XsrfProtect\"]]\n and not f.enclosingClass.supers contains [Class annXSRFiface: interface and annotations contains [Annotation: type.name matches \"com\\.google\\.gwt\\.user\\.server\\.rpc\\.(No)?XsrfProtect\"]\n and functions contains [Function f4: f4 in f.supers]\n ]\n " - }, - { - "language": "java", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Unsafe JSNI", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: function is [Function:\n modifiers contains \"native\"\n /* uses of native on GWT applications are JSNI, not JNI */\n and \n (\n (\n enclosingClass.supers contains [Class: 
name matches \"com\\.google\\.gwt\\..*\"]\n /* but not directly in a GWT class */\n and not enclosingClass.name matches \"com\\.google\\.gwt\\..*\"\n )\n or enclosingClass.functions contains [Function:\n parameters contains [Variable:\n type.definition.enclosingClass.supers contains [Class: name matches \"com\\.google\\.gwt\\..*\"]\n ]\n or contains [FunctionCall:\n function.enclosingClass.supers contains [Class: name matches \"com\\.google\\.gwt\\..*\"]\n ]\n ]\n )\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Path Manipulation", - "vuln_subcategory": "Zip Entry Overwrite", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name == \"Extract\"\n and possibleHeapPaths contains \"unzipper\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name == \"exec\"]\n and environment is [FieldAccess:\n instance.possibleTypes contains [Type:\n name == \"ExecFunction\"\n ]\n ]\n and arguments[0] is [Expression:\n /* not a constant */\n constantValue.None\n /* is constant, and contains environment variables */\n or constantValue matches \".*\\$.*|.*%.*%.*\"\n /* is constant, and doesn't contain a full path */\n or not (\n constantValue matches \".+:(/|\\\\).*\"\n or constantValue matches \"(/|\\\\).*\"\n )\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name == \"exec\"]\n and environment is [FieldAccess:\n instance.possibleTypes contains [Type:\n name == \"ExecFunction\"\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", 
- "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall call: possibleTargets contains [Function: name == \"Sequelize\"]\n and not call.arguments[2].constantValue.None\n and call.arguments[2].constantValue == \"\"\n and call.arguments.length == 3\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall call: possibleTargets contains [Function: name == \"Sequelize\"]\n and not call.arguments[2].constantValue.None\n and not call.arguments[2].constantValue is [None:]\n and not call.arguments[2].constantValue == \"\"\n and call.arguments.length == 3\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall call: possibleTargets contains [Function: name == \"Sequelize\"]\n and not call.arguments[2].constantValue.None\n and call.arguments[2].constantValue is [None:]\n and call.arguments.length == 3\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: possibleTargets contains [Function: name == \"query\"\n and (\n enclosingClass.supers contains [Class: name == \"Sequelize\"]\n or fc.instance.possibleTypes contains [Type: name == \"Sequelize\"]\n )\n ]\n and arguments[0] is [Expression arg: arg.constantValue.None]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "API Abuse", - "vuln_category": "React Bad Practices", - "vuln_subcategory": "Dangerously Set InnerHTML", - "predicate": "\n FieldAccess fa: fa.enclosingStatement is [AssignmentStatement as: as.lhs is [FieldAccess: name == \"dangerouslySetInnerHTML\"] and as.rhs is [Expression ex:]]\n and fa.name == \"dangerouslySetInnerHTML\"\n /* double check fa is non-constant, valid value 
is object with _html key */\n and fa.constantValue.None\n /* double check fa is not function definition which is considered as closure in sca */\n and not fa.isClosure\n /* exclude javascript object by ensuring there are possibleTypes */\n and fa.possibleTypes.length > 0\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"writeHeapSnapshot\"\n and namespace.name == \"v8\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Logging Practice", - "vuln_subcategory": "Use of a System Output Stream", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name == \"write\"]\n and instance is [FieldAccess:\n name matches \"stdout|stderr\"\n and instance is [VariableAccess: name == \"process\"]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Logging Practice", - "vuln_subcategory": "Use of a System Output Stream", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: name == \"write\"\n and f.possibleHeapPaths contains [String str: str matches \"process\\.(stdout|stderr)\"]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Poor Logging Practice", - "vuln_subcategory": "Use of a System Output Stream", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: name == \"write\"\n and f.possibleHeapPaths contains [String str: str matches \"process\\.(stdout|stderr)\"]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f: \n f.name == \"connect\"\n and f.namespace.name == \"tls\"\n ]\n and fc.arguments 
contains [Expression e:\n e.possibleTypes contains [Type: definition.fields contains\n /* try to verify a settings object */\n [Field: name matches \"host|port|socket|path|pfx|key|passphrase|cert|ca|ciphers|rejectUnauthorized|NPNProtocols|ALPNProtocols|servername|minDHSize\"]\n and not definition.fields contains\n [Field: name matches \"secureProtocol|minVersion\"]]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f: f.name == \"connect\"\n and f.possibleHeapPaths contains [String str: str == \"tls\"]]\n and fc.arguments contains [Expression e:\n e.possibleTypes contains [Type: definition.fields contains\n /* try to verify a settings object */\n [Field: name matches \"host|port|socket|path|pfx|key|passphrase|cert|ca|ciphers|rejectUnauthorized|NPNProtocols|ALPNProtocols|servername|minDHSize\"]\n and not definition.fields contains\n [Field: name == \"secureProtocol\"]]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f: f.name == \"connect\"\n and f.possibleHeapPaths contains [String str: str == \"tls\"]]\n and fc.arguments contains [Expression e:\n e.possibleTypes contains [Type: definition.fields contains\n /* try to verify a settings object */\n [Field: name matches \"host|port|socket|path|pfx|key|passphrase|cert|ca|ciphers|rejectUnauthorized|NPNProtocols|ALPNProtocols|servername|minDHSize\"]\n and not definition.fields contains\n [Field: name == \"secureProtocol\"]]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: possibleTargets contains 
[Function f:\n f.name == \"createServer\"\n and namespace.name matches \"tls|https\"\n ]\n and fc.arguments[0] is [Expression e:\n e.possibleTypes contains [Type:\n not definition.fields contains [Field: name matches \"secureProtocol|minVersion\"]\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n f.name == \"createServer\"\n and f.possibleHeapPaths contains [String str:\n str matches \"tls|https\"]\n ]\n and fc.arguments[0] is [Expression e:\n e.possibleTypes contains [Type:\n not definition.fields contains [Field: name == \"secureProtocol\"]\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n f.name == \"createServer\"\n and f.possibleHeapPaths contains [String str:\n str matches \"tls|https\"]\n ]\n and fc.arguments[0] is [Expression e:\n e.possibleTypes contains [Type:\n not definition.fields contains [Field: name == \"secureProtocol\"]\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n AssignmentStatement:\n lhs is [FieldAccess:\n name matches \"DEFAULT_(MIN|MAX)_VERSION\"\n and (\n field.namespace.name == \"tls\"\n or field.enclosingClass.sourceLocation.filename == \"tls.d.ts\"\n )\n ]\n and rhs.constantValue matches \"TLSv1(\\.1)?\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Weak SSL Protocol", - "predicate": "\n AssignmentStatement: lhs is [FieldAccess: field.name matches \"DEFAULT_(MIN|MAX)_VERSION\"\n and instance is [Expression:\n 
possibleHeapPaths contains [String str: str == \"tls\"]\n ]\n ]\n and rhs is [Expression: constantValue matches \"TLSv1(\\.1)?\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"connect|create(Connection|Server)|request|get\"\n and namespace.name matches \"http|net\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name matches \"connect|create(Connection|Server)|request|get\"\n and f.possibleHeapPaths contains [String str:\n str matches \"http|net\"]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name matches \"connect|create(Connection|Server)|request|get\"\n and f.possibleHeapPaths contains [String str:\n str matches \"http|net\"]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: \n f.name == \"createServer\"\n and f.namespace.name matches \"tls|https\"\n ]\n and fc.arguments[0] is [Expression e: e.possibleTypes contains [Type:\n definition is [Class:\n (\n fields contains [Field certRequest1: name == \"requestCert\"]\n and not fields contains [Field rejectUnauthed1: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field rejectUnauthed2: name == \"rejectUnauthorized\"]\n and not fields contains [Field certRequest2: name == \"requestCert\"]\n )]]]\n " - }, - { - "language": "javascript", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: f.name == \"createServer\"\n and f.possibleHeapPaths contains [String str: str matches \"tls|https\"]]\n and fc.arguments[0] is [Expression e: e.possibleTypes contains [Type:\n definition is [Class:\n (\n fields contains [Field certRequest1: name == \"requestCert\"]\n and not fields contains [Field rejectUnauthed1: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field rejectUnauthed2: name == \"rejectUnauthorized\"]\n and not fields contains [Field certRequest2: name == \"requestCert\"]\n )]]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: f.name == \"createServer\"\n and f.possibleHeapPaths contains [String str: str matches \"tls|https\"]]\n and fc.arguments[0] is [Expression e: e.possibleTypes contains [Type:\n definition is [Class:\n (\n fields contains [Field certRequest1: name == \"requestCert\"]\n and not fields contains [Field rejectUnauthed1: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field rejectUnauthed2: name == \"rejectUnauthorized\"]\n and not fields contains [Field certRequest2: name == \"requestCert\"]\n )]]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"createSecurePair\"\n and f.namespace.name == \"tls\"\n ]\n and fc.arguments.length > 3\n /* only counts if isServer set to true */\n and fc.arguments[1].constantValue == true\n /* only counts if requestCert is set to true */\n and 
fc.arguments[2].constantValue == true\n /* rejectUnauthorized set to false */\n and fc.arguments[3] is [Expression: constantValue == false]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"createSecurePair\"\n and f.possibleHeapPaths contains [String str:\n str == \"tls\"]\n ]\n and fc.arguments.length > 3\n /* only counts if isServer set to true */\n and fc.arguments[1].constantValue == true\n /* only counts if requestCert is set to true */\n and fc.arguments[2].constantValue == true\n /* rejectUnauthorized set to false */\n and fc.arguments[3] is [Expression: constantValue == false]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"createSecurePair\"\n and f.possibleHeapPaths contains [String str:\n str == \"tls\"]\n ]\n and fc.arguments.length > 3\n /* only counts if isServer set to true */\n and fc.arguments[1].constantValue == true\n /* only counts if requestCert is set to true */\n and fc.arguments[2].constantValue == true\n /* rejectUnauthorized set to false */\n and fc.arguments[3] is [Expression: constantValue == false]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"createSecurePair\"\n and f.namespace.name == \"tls\"\n ]\n and (\n (\n /* args length 1 or 2. 
If options includs isServer, rejectUnauthorized and requestCert must both be present, or flawed */\n fc.arguments.length < 3\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n fields contains [Field: name == \"isServer\"]\n and (\n (\n fields contains [Field: name == \"requestCert\"]\n and not fields contains [Field: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field: name == \"rejectUnauthorized\"]\n and not fields contains [Field: name == \"requestCert\"]\n )\n )]\n ]\n ]\n )\n or\n (\n /* args length 3. If isServer set to true, rejectUnauthorized and requestCert must both be present, or flawed */\n fc.arguments.length == 3\n and fc.arguments[1].constantValue == true\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n (\n fields contains [Field: name == \"requestCert\"]\n and not fields contains [Field: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field: name == \"rejectUnauthorized\"]\n and not fields contains [Field: name == \"requestCert\"]\n )\n ]\n ]\n ]\n )\n or\n (\n /* args length 4. If isServer and requestCert set to true, rejectUnauthorized must be present, or flawed */\n fc.arguments.length == 4\n and fc.arguments[1].constantValue == true\n and fc.arguments[2].constantValue == true\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n not fields contains [Field : name == \"rejectUnauthorized\"]\n ]\n ]\n ]\n )\n )\n\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"createSecurePair\"\n and f.possibleHeapPaths contains [String str:\n str == \"tls\"]\n ]\n\n and (\n (\n /* args length 1 or 2. 
If options includs isServer, rejectUnauthorized and requestCert must both be present, or flawed */\n fc.arguments.length < 3\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n fields contains [Field: name == \"isServer\"]\n and (\n (\n fields contains [Field: name == \"requestCert\"]\n and not fields contains [Field: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field: name == \"rejectUnauthorized\"]\n and not fields contains [Field: name == \"requestCert\"]\n )\n )]\n ]\n ]\n )\n or\n (\n /* args length 3. If isServer set to true, rejectUnauthorized and requestCert must both be present, or flawed */\n fc.arguments.length == 3\n and fc.arguments[1].constantValue == true\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n (\n fields contains [Field: name == \"requestCert\"]\n and not fields contains [Field: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field: name == \"rejectUnauthorized\"]\n and not fields contains [Field: name == \"requestCert\"]\n )\n ]\n ]\n ]\n )\n or\n (\n /* args length 4. If isServer and requestCert set to true, rejectUnauthorized must be present, or flawed */\n fc.arguments.length == 4\n and fc.arguments[1].constantValue == true\n and fc.arguments[2].constantValue == true\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n not fields contains [Field : name == \"rejectUnauthorized\"]\n ]\n ]\n ]\n )\n )\n\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"createSecurePair\"\n and f.possibleHeapPaths contains [String str:\n str == \"tls\"]\n ]\n\n and (\n (\n /* args length 1 or 2. 
If options includs isServer, rejectUnauthorized and requestCert must both be present, or flawed */\n fc.arguments.length < 3\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n fields contains [Field: name == \"isServer\"]\n and (\n (\n fields contains [Field: name == \"requestCert\"]\n and not fields contains [Field: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field: name == \"rejectUnauthorized\"]\n and not fields contains [Field: name == \"requestCert\"]\n )\n )]\n ]\n ]\n )\n or\n (\n /* args length 3. If isServer set to true, rejectUnauthorized and requestCert must both be present, or flawed */\n fc.arguments.length == 3\n and fc.arguments[1].constantValue == true\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n (\n fields contains [Field: name == \"requestCert\"]\n and not fields contains [Field: name == \"rejectUnauthorized\"]\n )\n or\n (\n fields contains [Field: name == \"rejectUnauthorized\"]\n and not fields contains [Field: name == \"requestCert\"]\n )\n ]\n ]\n ]\n )\n or\n (\n /* args length 4. 
If isServer and requestCert set to true, rejectUnauthorized must be present, or flawed */\n fc.arguments.length == 4\n and fc.arguments[1].constantValue == true\n and fc.arguments[2].constantValue == true\n and fc.arguments contains [Expression:\n possibleTypes contains [Type:\n definition is [Class:\n not fields contains [Field : name == \"rejectUnauthorized\"]\n ]\n ]\n ]\n )\n )\n\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function f: f.name matches \"renegotiate|TLSSocket\"]\n and fc.arguments contains [Expression options:\n options.possibleTypes contains [Type:\n definition is [Class:\n (\n fields contains [Field: name == \"requestCert\"]\n and not fields contains [Field: name == \"rejectUnauthorized\"]\n )\n or (\n fields contains [Field: name == \"rejectUnauthorized\"]\n and not fields contains [Field: name == \"requestCert\"]\n )\n ]\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure SSL", - "vuln_subcategory": "Server Identity Verification Disabled", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name matches \"renegotiate|TLSSocket\"]\n and fc.arguments.length == 2\n and fc.arguments[1] is [Expression e:\n e.possibleTypes contains [Type:\n definition is [Class:\n ( fields contains [Field certRequest1:\n name == \"requestCert\"]\n and not fields contains [Field rejectUnauthed1:\n name == \"rejectUnauthorized\"] )\n or ( fields contains [Field rejectUnauthed2:\n name == \"rejectUnauthorized\"]\n and not fields contains [Field certRequest2:\n name == \"requestCert\"] )]\n ]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n 
FunctionCall:\n possibleTargets contains [Function:\n name matches \"l?statSync\"\n ]\n and (\n instance.possibleTypes contains [Type:\n definition is [Class:\n name == \"StatSyncFn\"\n and namespace.name == \"fs\"\n ]\n ]\n or environment is [FieldAccess:\n instance.possibleTypes contains [Type:\n definition is [Class:\n name == \"StatSyncFn\"\n and namespace.name == \"fs\"\n ]\n ]\n ]\n )\n and enclosingFunction is [Function: name == \"~file_function\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name matches \"(access|appendFile|close|copyFile|cp|exists|link|mkdir|mkdtemp|open|opendir|read|readdir|readFile|readlink|readv|realpath|rename|rm|rmdir|statfs|symlink|unlink|write|writeFile|writev)Sync\"\n and f.namespace.name == \"fs\"\n ]\n and fc.enclosingFunction is [Function: name == \"~file_function\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f: name matches \"(rename|link|symlink|readlink|realpath|unlink|rmdir|mkdir|readdir|close|open|fsync|write|read|readFile|writeFile|appendFile|exists|access)Sync\"\n and f.possibleHeapPaths contains [String str: str == \"fs\"]]\n and fc.enclosingFunction is [Function: name == \"~file_function\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f: name matches \"(rename|link|symlink|readlink|realpath|unlink|rmdir|mkdir|readdir|close|open|fsync|write|read|readFile|writeFile|appendFile|exists|access)Sync\"\n and f.possibleHeapPaths contains [String str: str 
== \"fs\"]]\n and fc.enclosingFunction is [Function: name == \"~file_function\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name matches \"(f|l)?(chmod|chown|datasync|stat|sync|truncate|utimes)Sync\"\n and not name matches \"l?statSync\"\n and f.namespace.name == \"fs\"\n ]\n and fc.enclosingFunction is [Function: name == \"~file_function\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name matches \"(f|l)?(truncate|chown|chmod|stat|utimes)Sync\"\n and f.possibleHeapPaths contains [String str:\n str == \"fs\"]\n ]\n and fc.enclosingFunction is [Function: name == \"~file_function\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Denial of Service", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: possibleTargets contains [Function f:\n name matches \"(f|l)?(truncate|chown|chmod|stat|utimes)Sync\"\n and f.possibleHeapPaths contains [String str:\n str == \"fs\"]\n ]\n and fc.enclosingFunction is [Function: name == \"~file_function\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name == \"unwrapKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[1] is [Expression:\n constantValue == \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded 
Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name == \"unwrapKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[1] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Stream Cipher", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name matches \"(un)?wrapKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[3] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bCTR\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name matches \"(un)?wrapKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[3] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bCBC\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name matches \"(un)?wrapKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[3] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bECB\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name matches \"(un)?wrapKey\"]\n and 
possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[3] is [Expression:\n constantValues contains [String: matches \"(?i)(des|3des|triple[-_]?des|tdea|rc2|rc4).*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Stream Cipher", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name matches \"encrypt|generateKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bCTR\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name matches \"encrypt|generateKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bCBC\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name matches \"encrypt|generateKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bECB\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function: name matches \"encrypt|generateKey\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and 
arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i)(des|3des|triple[-_]?des|tdea|rc2|rc4).*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function: name == \"digest\"]\n and possibleHeapPaths contains [String: matches \"(?i)(crypto(\\.webcrypto)?\\.)?subtle\"]\n and arguments[0] is [Expression alg:\n constantValues contains [String: matches \"(?i).*\\b(RIPEMD|RMD160|MD[245]|SHA[-_]?1).*\"]\n or (\n enclosingFunction contains [AssignmentStatement:\n lhs is [FieldAccess:\n name == \"name\"\n and instance is alg\n and sourceLocation.startLine <= fc.sourceLocation.startLine\n ]\n and rhs.constantValues contains [String:\n matches \"(?i).*\\b(RIPEMD|RMD160|MD[245]|SHA[-_]?1).*\"\n ]\n ]*\n )\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name == \"checkPrivateKey\"\n and (\n enclosingClass.supers contains [Class:\n name == \"X509Certificate\" and namespace.name == \"crypto\"\n ]\n or fc.instance.possibleTypes contains [Type:\n definition.supers contains [Class:\n name == \"X509Certificate\" and namespace.name == \"crypto\"\n ]\n ]\n )\n ]\n and arguments[0] is [Expression:\n constantValue == \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name == \"checkPrivateKey\"\n and (\n enclosingClass.supers contains [Class:\n name == \"X509Certificate\" and namespace.name == \"crypto\"\n ]\n or fc.instance.possibleTypes contains [Type:\n definition.supers contains [Class:\n name == 
\"X509Certificate\" and namespace.name == \"crypto\"\n ]\n ]\n )\n ]\n and arguments[0] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name == \"sign\"\n and (\n enclosingClass.supers contains [Class:\n name == \"Sign\" and namespace.name == \"crypto\"\n ]\n or fc.instance.possibleTypes contains [Type:\n definition.supers contains [Class:\n name == \"Sign\" and namespace.name == \"crypto\"\n ]\n ]\n )\n ]\n and arguments[0] is [Expression:\n constantValue == \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name == \"sign\"\n and (\n enclosingClass.supers contains [Class:\n name == \"Sign\" and namespace.name == \"crypto\"\n ]\n or fc.instance.possibleTypes contains [Type:\n definition.supers contains [Class:\n name == \"Sign\" and namespace.name == \"crypto\"\n ]\n ]\n )\n ]\n and arguments[0] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": "Insufficient Diffie Hellman Strength", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"createDiffieHellmanGroup|getDiffieHellman\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression group:\n constantValues contains [String: matches \"modp[125]\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - 
"vuln_subcategory": "Insufficient Diffie Hellman Strength", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createDiffieHellman\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression length:\n constantValues contains [Number: < 2048]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"sign|verify\"\n and enclosingClass.None\n and namespace.name == \"crypto\"\n ]\n and arguments[2] is [Expression: constantValue == \"\"]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"sign|verify\"\n and enclosingClass.None\n and namespace.name == \"crypto\"\n ]\n and arguments[2] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"(private|public)(En|De)crypt\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression: constantValue == \"\"]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"(private|public)(En|De)crypt\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - 
"language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Insecure PBE Iteration Count", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"pbkdf2(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments[2].constantValue is [Number: >=1000 and <100000]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Insecure PBE Iteration Count", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"pbkdf2(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments[2].constantValue is [Number: <1000]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Predictable Salt", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"(pbkdf2|scrypt)(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and (\n (\n arguments[0].constantValue.None\n and arguments[0] == arguments[1]\n ) or (\n not arguments[0].constantValue.None\n and arguments[0].constantValue == arguments[1].constantValue\n )\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Empty PBE Salt", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"(pbkdf2|scrypt)(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments[1] is [Expression: constantValue == \"\"]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": "Hardcoded PBE Salt", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"(pbkdf2|scrypt)(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments[1] is 
[Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty PBE Password", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"(pbkdf2|scrypt)(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression: constantValue == \"\"]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded PBE Password", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"(pbkdf2|scrypt)(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name matches \"hkdf(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments contains [Expression arg:\n (arg is fc.arguments[1] or arg is fc.arguments[3])\n and arg.constantValue == \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name matches \"hkdf(Sync)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments contains [Expression arg:\n (arg is fc.arguments[1] or arg is fc.arguments[3])\n and not arg.constantValue.None\n and not arg.constantValue is [None:]\n and arg.constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - 
"vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"create(Private|Secret)Key\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression: constantValue == \"\"]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"create(Private|Secret)Key\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty HMAC Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createHmac\"\n and namespace.name == \"crypto\"\n ]\n and arguments[1] is [Expression: constantValue == \"\"]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded HMAC Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createHmac\"\n and namespace.name == \"crypto\"\n ]\n and arguments[1] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and constantValue != \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"create(Hash|Hmac|Sign|Verify)|sign|verify\"\n ]\n and arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i).*\\b(RIPEMD|RMD160|MD[245]|SHA[-_]?1).*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - 
"vuln_category": "Weak Cryptographic Hash", - "vuln_subcategory": None, - "predicate": "\n FunctionCall: possibleTargets contains [Function: name == \"createHash\"] and\n arguments[0].constantValues contains [String: matches \"(?i).*(MD2|MD4|MD5).*|.*SHA((-)?1(WithRSAEncryption)?)?$\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"create(Cipher|Decipher)(iv)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments[1] is [Expression: constantValue == \"\"]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"create(Cipher|Decipher)(iv)?\"\n and namespace.name == \"crypto\"\n ]\n and arguments[1] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n and not constantValue == \"\"\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Initialization Vector", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createCipheriv\"\n and namespace.name == \"crypto\"\n ]\n and arguments[2] is [Expression:\n not constantValue.None\n and not constantValue is [None:]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Stream Cipher", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createCipheriv\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bCTR\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": 
"Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createCipheriv\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bCBC\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": "Insecure Mode of Operation", - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createCipheriv\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i).*\\bECB\\b.*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createCipheriv\"\n and namespace.name == \"crypto\"\n ]\n and arguments[0] is [Expression:\n constantValues contains [String: matches \"(?i)(des|3des|triple[-_]?des|tdea|rc2|rc4).*\"]\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Weak Encryption", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"createCipher\"\n and namespace.name == \"crypto\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f:\n f.name matches \"(exec(File)?|spawn)(Sync)?\"\n and f.namespace.name == \"child_process\"\n ]\n and call.arguments[0] is [Expression e:\n /* not a constant */\n (constantValue.None or\n /* constant that uses environment variable */\n constantValue matches 
\"(?i).*\\$.*|.*%.*%.*\" or\n /* not hardcoded full path */\n (not constantValue.None and not\n (\n constantValue matches \"(?i)^.+:(/|\\\\).*\" or\n constantValue matches \"(?i)^(/|\\\\).*\"\n )\n )\n )\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f:\n f.name matches \"(exec(File)?|spawn)(Sync)?\"\n and f.possibleHeapPaths contains [String str:\n str == \"child_process\"]\n ]\n and not call.instance is [Expression:\n possibleTypes contains [Type: name matches \"(X)?RegExp\"]\n // or looks like a RegExp literal\n or constantValue matches \"^/.*/(d|g|i|m|s|u|y)*$\"\n ]\n and call.arguments[0] is [Expression e:\n /* not a constant */\n (constantValue.None or\n /* constant that uses environment variable */\n constantValue matches \"(?i).*\\$.*|.*%.*%.*\" or\n /* not hardcoded full path */\n (not constantValue.None and not\n (\n constantValue matches \"(?i)^.+:(/|\\\\).*\" or\n constantValue matches \"(?i)^(/|\\\\).*\"\n )\n )\n )\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f:\n f.name matches \"(exec(File)?|spawn)(Sync)?\"\n and f.possibleHeapPaths contains [String str:\n str == \"child_process\"]\n ]\n and not call.instance is [Expression:\n possibleTypes contains [Type: name matches \"(X)?RegExp\"]\n // or looks like a RegExp literal\n or constantValue matches \"^/.*/(d|g|i|m|s|u|y)*$\"\n ]\n and call.arguments[0] is [Expression e:\n /* not a constant */\n (constantValue.None or\n /* constant that uses environment variable */\n constantValue matches \"(?i).*\\$.*|.*%.*%.*\" or\n /* not hardcoded full path */\n (not constantValue.None and not\n (\n constantValue 
matches \"(?i)^.+:(/|\\\\).*\" or\n constantValue matches \"(?i)^(/|\\\\).*\"\n )\n )\n )\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f:\n f.name matches \"(exec(File)?|spawn)(Sync)?\"\n and f.namespace.name == \"child_process\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f:\n f.name matches \"(exec(File)?|spawn)(Sync)?\"\n and f.possibleHeapPaths contains [String str:\n str == \"child_process\"]\n ]\n and not call.instance is [Expression:\n possibleTypes contains [Type: name matches \"(X)?RegExp\"]\n // or looks like a RegExp literal\n or constantValue matches \"^/.*/(d|g|i|m|s|u|y)*$\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f:\n f.name matches \"(exec(File)?|spawn)(Sync)?\"\n and f.possibleHeapPaths contains [String str:\n str == \"child_process\"]\n ]\n and not call.instance is [Expression:\n possibleTypes contains [Type: name matches \"(X)?RegExp\"]\n // or looks like a RegExp literal\n or constantValue matches \"^/.*/(d|g|i|m|s|u|y)*$\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": None, - "predicate": "\n /* find a lambda that calls a function that assigns a value to a field */\n FunctionCall fc: fc.possibleTargets contains [Function: (\n (\n name matches 
\"send|bind|createSocket|createServer|get|request|addListener|once|resolve(4|6|Cname|Mx|Ns|Soa|Srv|Txt)?|lookup(Service)?|reverse|exec(File)?\"\n and possibleHeapPaths contains [String str: str matches \"dgram(\\.Socket)?|http(s)?|net|tls|dns|child_process\"]\n )\n or\n (\n name == \"on\"\n and not possibleHeapPaths contains [String str2: str2 matches \"HTML[A-z]*Element.*|(\\$)?window|(\\$)?document\"]\n and not fc.instance is [FunctionCall:\n possibleTargets contains [Function: name matches \"jQuery|\\$\" or\n (name == \"constructor\" and possibleHeapPaths contains [String: matches \"(jQuery|\\$)\\.(prototype|fn)\"])\n /* account for jQuery selector filters */\n or name matches \"eq|filter|first|has|is|last|map|not|slice|children|closest|find|((next|prev)(All|Until)?)|offsetParent|parent|parents|parentsUntil|siblings|add|addBack|andSelf|end|not|contents|each\"\n ]\n ]\n and not fc.instance.possibleHeapPaths contains \"angular.element\"\n and fc.arguments.length == 2\n )\n )]\n and fc.arguments contains [Expression e:\n possibleFunctionTargets contains [Function: contains [FunctionCall: function is [Function lambda:\n /* lambda isn't recursive */\n not lambda contains [FunctionCall recursiveFC: recursiveFC == fc or recursiveFC.function contains [FunctionCall: == fc]]\n and lambda contains [Location loc: loc.type.arrayDimensions == 0\n and loc in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === loc.transitiveBase]]\n /* isn't ~parent field that seems to be specified around lambdas */\n and not loc.sourceLocation.None\n /* isn't length field in NST */\n and loc.name != \"length\"\n /* isn't 'this' */\n and loc.name != \"this\"\n and not loc.name startsWith \"~\"\n and fc.enclosingFunction contains [Location loc2: loc2.type.arrayDimensions == 0\n and loc2.name == loc.name\n /* the underlying declaration is the same i.e. 
the field being accessed is the same field */\n and (\n loc2 is [FieldAccess fa2: loc is [FieldAccess fa:\n not fa2.field.sourceLocation.None\n and not fa.field.sourceLocation.None\n and fa2.field.sourceLocation.startLine == fa.field.sourceLocation.startLine\n and fa.field is [Field:\n /* do not match against the lambda generated fields */\n name != \"~environment\"\n and name != \"~method\"\n and name != \"prototype\"\n ]*\n ]]\n or loc2 is [VariableAccess va2: loc is [VariableAccess va:\n not va2.variable.sourceLocation.None\n and not va.variable.sourceLocation.None\n and va2.variable.sourceLocation.startLine == va.variable.sourceLocation.startLine\n and not va.this\n and not va2.this\n and va.variable is [Variable: not isTemp ]*\n ]]\n )\n /* FieldAccess outside of lambda that isn't another assignment */\n and not loc2 in [AssignmentStatement: lhs.location is [Location: transitiveBase === loc2.transitiveBase]]\n and not loc2.sourceLocation.None\n and not fc.sourceLocation.None\n and loc2.sourceLocation.startLine > fc.sourceLocation.startLine\n ]*\n\n ]*\n ]]*]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": None, - "predicate": "\n /* find a lambda that calls a function that assigns a value to a field */\n FunctionCall fc: fc.possibleTargets contains [Function: (\n (\n name matches \"send|bind|createSocket|createServer|get|request|addListener|once|resolve(4|6|Cname|Mx|Ns|Soa|Srv|Txt)?|lookup(Service)?|reverse|exec(File)?\"\n and possibleHeapPaths contains [String str: str matches \"dgram(\\.Socket)?|http(s)?|net|tls|dns|child_process\"]\n )\n or\n (\n name == \"on\"\n and not possibleHeapPaths contains [String str2: str2 matches \"HTML[A-z]*Element.*|(\\$)?window|(\\$)?document\"]\n and not fc.instance is [FunctionCall:\n possibleTargets contains [Function: name matches \"jQuery|\\$\" or\n (name == \"constructor\" and possibleHeapPaths contains [String: matches 
\"(jQuery|\\$)\\.(prototype|fn)\"])\n /* account for jQuery selector filters */\n or name matches \"eq|filter|first|has|is|last|map|not|slice|children|closest|find|((next|prev)(All|Until)?)|offsetParent|parent|parents|parentsUntil|siblings|add|addBack|andSelf|end|not|contents|each\"\n ]\n ]\n and not fc.instance.possibleHeapPaths contains \"angular.element\"\n and fc.arguments.length == 2\n )\n )]\n and fc.arguments contains [Expression e:\n possibleFunctionTargets contains [Function: contains [FunctionCall: function is [Function lambda:\n /* lambda isn't recursive */\n not lambda contains [FunctionCall recursiveFC: recursiveFC == fc or recursiveFC.function contains [FunctionCall: == fc]]\n and lambda contains [FieldAccess fa: fa.type.arrayDimensions == 0\n and fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]]\n /* isn't ~parent field that seems to be specified around lambdas */\n and fa.field is [Field f:\n not fa.sourceLocation.None\n and not f.sourceLocation.None\n and fa.sourceLocation.startLine != f.sourceLocation.startLine\n /* isn't length field in NST */\n and f.name != \"length\"\n and fc.enclosingFunction contains [FieldAccess fa2: fa2.type.arrayDimensions == 0\n and fa2.field is f\n /* FieldAccess outside of lambda that isn't another assignment */\n and not fa2 in [AssignmentStatement: lhs.location is [Location: transitiveBase === fa2.transitiveBase]]\n and not fa2.sourceLocation.None\n and not fc.sourceLocation.None\n and fa2.sourceLocation.startLine > fc.sourceLocation.startLine\n ]*\n ]\n ]*\n ]]*]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": None, - "predicate": "\n /* find a lambda that calls a function that assigns a value to a field */\n FunctionCall fc: fc.possibleTargets contains [Function:\n (\n name matches 
\"send|bind|createSocket|createServer|get|request|addListener|once|resolve(4|6|Cname|Mx|Ns|Soa|Srv|Txt)?|lookup(Service)?|reverse|exec(File)?\"\n and possibleHeapPaths contains [String str: str matches \"dgram(\\.Socket)?|http(s)?|net|tls|dns|child_process\"]\n )\n or\n (\n name == \"on\"\n and not possibleHeapPaths contains [String str2: str2 matches \"HTML[A-z]*Element.*|(\\$)?window|(\\$)?document\"]\n and not fc.instance is [FunctionCall:\n possibleTargets contains [Function: name matches \"jQuery|\\$\" or\n (name == \"constructor\" and possibleHeapPaths contains [String: matches \"(jQuery|\\$)\\.(prototype|fn)\"])\n /* account for jQuery selector filters */\n or name matches \"eq|filter|first|has|is|last|map|not|slice|children|closest|find|((next|prev)(All|Until)?)|offsetParent|parent|parents|parentsUntil|siblings|add|addBack|andSelf|end|not|contents|each\"\n ]\n ]\n and not fc.instance.possibleHeapPaths contains \"angular.element\"\n and fc.arguments.length == 2\n )\n ]\n and fc.arguments contains [Expression e:\n possibleFunctionTargets contains [Function: contains [FunctionCall: function is [Function lambda:\n /* lambda isn't recursive */\n not lambda contains [FunctionCall recursiveFC: recursiveFC == fc or recursiveFC.function contains [FunctionCall: == fc]]\n and lambda contains [Location loc: loc.type.arrayDimensions == 0\n and loc in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === loc.transitiveBase]]\n /* isn't ~parent field that seems to be specified around lambdas */\n and not loc.sourceLocation.None\n /* isn't length field in NST */\n and loc.name != \"length\"\n /* isn't 'this' */\n and loc.name != \"this\"\n /* a separate function is called that reads the field */\n and fc.enclosingFunction contains [FunctionCall fc2: function is [Function func:\n /* function isn't recursive with original function */\n not func contains [FunctionCall recursiveFC2: recursiveFC2 == fc or recursiveFC2.function contains [FunctionCall: == fc]]\n 
/* the function called isn't called via a lambda */\n and not fc.enclosingFunction contains [FunctionCall: arguments contains [Expression: possibleFunctionTargets contains func]]\n and contains [Location loc2: loc2.type.arrayDimensions == 0\n and loc2.name == loc.name\n /* the underlying declaration is the same i.e. the field being accessed is the same field */\n and (\n loc2 is [FieldAccess fa2: loc is [FieldAccess fa:\n not fa2.field.sourceLocation.None\n and not fa.field.sourceLocation.None\n and fa2.field.sourceLocation.startLine == fa.field.sourceLocation.startLine\n and fa.field is [Field:\n /* do not match against the lambda generated fields */\n name != \"~environment\"\n and name != \"~method\"\n and name != \"prototype\"\n ]*\n ]]\n or loc2 is [VariableAccess va2: loc is [VariableAccess va:\n not va2.variable.sourceLocation.None\n and not va.variable.sourceLocation.None\n and va2.variable.sourceLocation.startLine == va.variable.sourceLocation.startLine\n and not va.this\n and not va2.this\n and va.variable is [Variable: not isTemp ]*\n ]]\n )\n /* not another assignment to the field */\n and not loc2 in [AssignmentStatement: lhs.location is [Location: transitiveBase === loc2.transitiveBase]]\n /* second function call (which includes FieldAccess read) occurs after first function calls lambda (which contains a function call with a FieldAccess write) */\n and not fc2.sourceLocation.None\n and not fc.sourceLocation.None\n and fc2.sourceLocation.startLine > fc.sourceLocation.startLine\n ]*\n ]]*\n ]*\n ]]*]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": None, - "predicate": "\n /* find a lambda that calls a function that assigns a value to a field */\n FunctionCall fc: fc.possibleTargets contains [Function: (\n (\n name matches 
\"send|bind|createSocket|createServer|get|request|addListener|once|resolve(4|6|Cname|Mx|Ns|Soa|Srv|Txt)?|lookup(Service)?|reverse|exec(File)?\"\n and possibleHeapPaths contains [String str: str matches \"dgram(\\.Socket)?|http(s)?|net|tls|dns|child_process\"]\n )\n or\n (\n name == \"on\"\n and not possibleHeapPaths contains [String str2: str2 matches \"HTML[A-z]*Element.*|(\\$)?window|(\\$)?document\"]\n and not fc.instance is [FunctionCall:\n possibleTargets contains [Function: name matches \"jQuery|\\$\" or\n (name == \"constructor\" and possibleHeapPaths contains [String: matches \"(jQuery|\\$)\\.(prototype|fn)\"])\n /* account for jQuery selector filters */\n or name matches \"eq|filter|first|has|is|last|map|not|slice|children|closest|find|((next|prev)(All|Until)?)|offsetParent|parent|parents|parentsUntil|siblings|add|addBack|andSelf|end|not|contents|each\"\n ]\n ]\n and not fc.instance.possibleHeapPaths contains \"angular.element\"\n and fc.arguments.length == 2\n )\n )]\n and fc.arguments contains [Expression e:\n possibleFunctionTargets contains [Function: contains [FunctionCall: function is [Function lambda:\n /* lambda isn't recursive */\n not lambda contains [FunctionCall recursiveFC: recursiveFC == fc or recursiveFC.function contains [FunctionCall: == fc]]\n and lambda contains [FieldAccess fa: fa.type.arrayDimensions == 0\n and fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]]\n /* isn't ~parent field that seems to be specified around lambdas */\n and fa.field is [Field f:\n not fa.sourceLocation.None\n and not f.sourceLocation.None\n and fa.sourceLocation.startLine != f.sourceLocation.startLine\n /* isn't length field in NST */\n and f.name != \"length\"\n /* a separate function is called that reads the field */\n and fc.enclosingFunction contains [FunctionCall fc2: function is [Function func:\n /* function isn't recursive with original function */\n not func contains [FunctionCall recursiveFC2: 
recursiveFC2 == fc or recursiveFC2.function contains [FunctionCall: == fc]]\n /* the function called isn't called via a lambda */\n and not fc.enclosingFunction contains [FunctionCall: arguments contains [Expression: possibleFunctionTargets contains func]]\n and contains [FieldAccess fa2: fa2.type.arrayDimensions == 0\n and fa2.field is f\n /* not another assignment to the field */\n and not fa2 in [AssignmentStatement: lhs.location is [Location: transitiveBase === fa2.transitiveBase]]\n /* second function call (which includes FieldAccess read) occurs after first function calls lambda (which contains a function call with a FieldAccess write) */\n and not fc2.sourceLocation.None\n and not fc.sourceLocation.None\n and fc2.sourceLocation.startLine > fc.sourceLocation.startLine\n ]*]]*\n ]\n ]*\n ]]*]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": None, - "predicate": "\n /* find a lambda that assigns a value to a field */\n FunctionCall fc: fc.possibleTargets contains [Function:\n (\n name matches \"send|bind|createSocket|createServer|get|request|addListener|once|resolve(4|6|Cname|Mx|Ns|Soa|Srv|Txt)?|lookup(Service)?|reverse|exec(File)?\"\n and possibleHeapPaths contains [String str: str matches \"dgram(\\.Socket)?|http(s)?|net|tls|dns|child_process\"]\n )\n or\n (\n name == \"on\"\n and not possibleHeapPaths contains [String str2: str2 matches \"HTML[A-z]*Element.*|(\\$)?window|(\\$)?document\"]\n and not fc.instance is [FunctionCall:\n possibleTargets contains [Function: name matches \"jQuery|\\$\" or\n (\n name == \"constructor\" and possibleHeapPaths contains [String: matches \"(jQuery|\\$)\\.(prototype|fn)\"]\n )\n /* account for jQuery selector filters */\n or name matches \"eq|filter|first|has|is|last|map|not|slice|children|closest|find|((next|prev)(All|Until)?)|offsetParent|parent|parents|parentsUntil|siblings|add|addBack|andSelf|end|not|contents|each\"\n ]\n ]\n and 
not fc.instance.possibleHeapPaths contains \"angular.element\"\n and fc.arguments.length == 2\n )\n ]\n and fc.arguments contains [Expression e: possibleFunctionTargets contains [Function lambda:\n /* lambda isn't recursive */\n not lambda contains [FunctionCall recursiveFC: recursiveFC == fc or recursiveFC.function contains [FunctionCall: == fc]]\n and lambda contains [Location loc: type.arrayDimensions == 0\n and loc in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === loc.transitiveBase]]\n /* isn't ~parent field that seems to be specified around lambdas */\n and not loc.sourceLocation.None\n /* isn't length field in NST */\n and loc.name != \"length\"\n /* isn't 'this' */\n and loc.name != \"this\"\n and fc.enclosingFunction contains [Location loc2: loc2.type.arrayDimensions == 0\n and loc2.name == loc.name\n /* the underlying declaration is the same i.e. the field being accessed is the same field */\n and (\n loc2 is [FieldAccess fa2: loc is [FieldAccess fa:\n not fa2.field.sourceLocation.None\n and not fa.field.sourceLocation.None\n and fa2.field.sourceLocation.startLine == fa.field.sourceLocation.startLine\n and fa.field is [Field:\n /* do not match against the lambda generated fields */\n name != \"~environment\"\n and name != \"~method\"\n and name != \"prototype\"\n ]*\n ]]\n or loc2 is [VariableAccess va2: loc is [VariableAccess va:\n not va2.variable.sourceLocation.None\n and not va.variable.sourceLocation.None\n and va2.variable.sourceLocation.startLine == va.variable.sourceLocation.startLine\n and not va.this\n and not va2.this\n and va.variable is [Variable: not isTemp ]*\n ]]\n )\n /* FieldAccess outside of lambda that isn't another assignment */\n and not loc2 in [AssignmentStatement: lhs.location is [Location: transitiveBase === loc2.transitiveBase]]\n /* make sure occurs after initial lambda call */\n and not loc2.sourceLocation.None\n and not fc.sourceLocation.None\n and loc2.sourceLocation.startLine > 
fc.sourceLocation.startLine\n ]*\n ]*\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": None, - "predicate": "\n /* find a lambda that assigns a value to a field */\n FunctionCall fc: fc.possibleTargets contains [Function: (\n (\n name matches \"send|bind|createSocket|createServer|get|request|addListener|once|resolve(4|6|Cname|Mx|Ns|Soa|Srv|Txt)?|lookup(Service)?|reverse|exec(File)?\"\n and possibleHeapPaths contains [String str: str matches \"dgram(\\.Socket)?|http(s)?|net|tls|dns|child_process\"]\n )\n or\n (\n name == \"on\"\n and not possibleHeapPaths contains [String str2: str2 matches \"HTML[A-z]*Element.*|(\\$)?window|(\\$)?document\"]\n and not fc.instance is [FunctionCall:\n possibleTargets contains [Function: name matches \"jQuery|\\$\" or\n (name == \"constructor\" and possibleHeapPaths contains [String: matches \"(jQuery|\\$)\\.(prototype|fn)\"])\n /* account for jQuery selector filters */\n or name matches \"eq|filter|first|has|is|last|map|not|slice|children|closest|find|((next|prev)(All|Until)?)|offsetParent|parent|parents|parentsUntil|siblings|add|addBack|andSelf|end|not|contents|each\"\n ]\n ]\n and not fc.instance.possibleHeapPaths contains \"angular.element\"\n and fc.arguments.length == 2\n )\n )]\n and fc.arguments contains [Expression e: possibleFunctionTargets contains\n [Function lambda:\n /* lambda isn't recursive */\n not lambda contains [FunctionCall recursiveFC: recursiveFC == fc or recursiveFC.function contains [FunctionCall: == fc]]\n and lambda contains [FieldAccess fa: type.arrayDimensions == 0\n and fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]]\n /* isn't ~parent field that seems to be specified around lambdas */\n and fa.field is [Field f:\n not fa.sourceLocation.None\n and not f.sourceLocation.None\n and fa.sourceLocation.startLine != f.sourceLocation.startLine\n /* isn't length field in 
NST */\n and f.name != \"length\"\n and fc.enclosingFunction contains [FieldAccess fa2: fa2.type.arrayDimensions == 0\n and fa2.field is f\n /* FieldAccess outside of lambda that isn't another assignment */\n and not fa2 in [AssignmentStatement: lhs.location is [Location: transitiveBase === fa2.transitiveBase]]\n /* make sure occurs after initial lambda call */\n and not fa2.sourceLocation.None\n and not fc.sourceLocation.None\n and fa2.sourceLocation.startLine > fc.sourceLocation.startLine\n ]*\n ]\n ]*]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": None, - "predicate": "\n /* find a lambda that assigns a value to a field */\n FunctionCall fc: fc.possibleTargets contains [Function:\n (\n name matches \"send|bind|createSocket|createServer|get|request|addListener|once|resolve(4|6|Cname|Mx|Ns|Soa|Srv|Txt)?|lookup(Service)?|reverse|exec(File)?\"\n and possibleHeapPaths contains [String str: str matches \"dgram(\\.Socket)?|http(s)?|net|tls|dns|child_process\"]\n )\n or\n (\n name == \"on\"\n and not possibleHeapPaths contains [String str2: str2 matches \"HTML[A-z]*Element.*|(\\$)?window|(\\$)?document\"]\n and not fc.instance is [FunctionCall:\n possibleTargets contains [Function: name matches \"jQuery|\\$\" or\n (name == \"constructor\" and possibleHeapPaths contains [String: matches \"(jQuery|\\$)\\.(prototype|fn)\"])\n /* account for jQuery selector filters */\n or name matches \"eq|filter|first|has|is|last|map|not|slice|children|closest|find|((next|prev)(All|Until)?)|offsetParent|parent|parents|parentsUntil|siblings|add|addBack|andSelf|end|not|contents|each\"\n ]\n ]\n and not fc.instance.possibleHeapPaths contains \"angular.element\"\n and fc.arguments.length == 2\n )\n ]\n and fc.arguments contains [Expression e: possibleFunctionTargets contains [Function lambda:\n /* lambda isn't recursive */\n not lambda contains [FunctionCall recursiveFC: recursiveFC == fc or 
recursiveFC.function contains [FunctionCall: == fc]]\n and lambda contains [Location loc: loc.type.arrayDimensions == 0\n and loc in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === loc.transitiveBase]]\n and not loc.sourceLocation.None\n and loc.name != \"length\"\n /* isn't 'this' */\n and loc.name != \"this\"\n and fc.enclosingFunction contains [FunctionCall fc2:\n function is [Function func:\n not func contains [FunctionCall recursiveFC2: recursiveFC2 == fc or recursiveFC2.function contains [FunctionCall: == fc]]\n and not fc.enclosingFunction contains [FunctionCall: arguments contains [Expression: possibleFunctionTargets contains func]]\n and contains [Location loc2: loc2.type.arrayDimensions == 0\n and loc2.name == loc.name\n /* the underlying declaration is the same i.e. the field being accessed is the same field */\n and (\n loc2 is [FieldAccess fa2: loc is [FieldAccess fa:\n not fa2.field.sourceLocation.None\n and not fa.field.sourceLocation.None\n and fa2.field.sourceLocation.startLine == fa.field.sourceLocation.startLine\n and fa.field is [Field:\n /* do not match against the lambda generated fields */\n name != \"~environment\"\n and name != \"~method\"\n and name != \"prototype\"\n ]*\n ]]\n or loc2 is [VariableAccess va2: loc is [VariableAccess va:\n not va2.variable.sourceLocation.None\n and not va.variable.sourceLocation.None\n and va2.variable.sourceLocation.startLine == va.variable.sourceLocation.startLine\n and not va.this\n and not va2.this\n and va.variable is [Variable: not isTemp ]*\n ]]\n )\n and not loc2 in [AssignmentStatement: lhs.location is [Location: transitiveBase === loc2.transitiveBase]]\n and not fc2.sourceLocation.None\n and not fc.sourceLocation.None\n and fc2.sourceLocation.startLine > fc.sourceLocation.startLine\n ]*\n ]\n ]*\n ]*\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": None, - "predicate": "\n /* find 
a lambda that assigns a value to a field */\n FunctionCall fc: fc.possibleTargets contains [Function: (\n (\n name matches \"send|bind|createSocket|createServer|get|request|addListener|once|resolve(4|6|Cname|Mx|Ns|Soa|Srv|Txt)?|lookup(Service)?|reverse|exec(File)?\"\n and possibleHeapPaths contains [String str: str matches \"dgram(\\.Socket)?|http(s)?|net|tls|dns|child_process\"]\n )\n or\n (\n name == \"on\"\n and not possibleHeapPaths contains [String str2: str2 matches \"HTML[A-z]*Element.*|(\\$)?window|(\\$)?document\"]\n and not fc.instance is [FunctionCall:\n possibleTargets contains [Function: name matches \"jQuery|\\$\" or\n (name == \"constructor\" and possibleHeapPaths contains [String: matches \"(jQuery|\\$)\\.(prototype|fn)\"])\n /* account for jQuery selector filters */\n or name matches \"eq|filter|first|has|is|last|map|not|slice|children|closest|find|((next|prev)(All|Until)?)|offsetParent|parent|parents|parentsUntil|siblings|add|addBack|andSelf|end|not|contents|each\"\n ]\n ]\n and not fc.instance.possibleHeapPaths contains \"angular.element\"\n and fc.arguments.length == 2\n )\n )]\n and fc.arguments contains [Expression e: possibleFunctionTargets contains\n [Function lambda:\n /* lambda isn't recursive */\n not lambda contains [FunctionCall recursiveFC: recursiveFC == fc or recursiveFC.function contains [FunctionCall: == fc]]\n and lambda contains [FieldAccess fa: fa.type.arrayDimensions == 0\n and fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]]\n /* isn't ~parent field that seems to be specified around lambdas */\n and fa.field is [Field f:\n not fa.sourceLocation.None\n and not f.sourceLocation.None\n and fa.sourceLocation.startLine != f.sourceLocation.startLine\n /* isn't length field in NST */\n and f.name != \"length\"\n /* a separate function is called that reads the field */\n and fc.enclosingFunction contains [FunctionCall fc2: function is [Function func:\n /* function isn't recursive with 
original function */\n not func contains [FunctionCall recursiveFC2: recursiveFC2 == fc or recursiveFC2.function contains [FunctionCall: == fc]]\n /* the function called isn't called via a lambda */\n and not fc.enclosingFunction contains [FunctionCall: arguments contains [Expression: possibleFunctionTargets contains func]]\n and contains [FieldAccess fa2: fa2.type.arrayDimensions == 0\n and fa2.field is f\n /* not another assignment to the field */\n and not fa2 in [AssignmentStatement: lhs.location is [Location: transitiveBase === fa2.transitiveBase]]\n /* second function call (which includes FieldAccess read) occurs after first function calls lambda (which contains FieldAccess write) */\n and not fc2.sourceLocation.None\n and not fc.sourceLocation.None\n and fc2.sourceLocation.startLine > fc.sourceLocation.startLine\n ]*]]*\n ]\n ]*]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n\t\t\t\tFunctionCall call: possibleTargets contains [Function f: f.name matches \"query|execute|prepare\"]\n\t\t\t\t\tand call.instance.possibleHeapPaths contains [String s: s matches \"mysql2\\.create(Connection|Pool)\"]\n /* arg0 non-constant */\n\t\t\t\t\tand call.arguments[0] is [Expression e: constantValue.None]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n\t\t\t\t/* queryAsync is for bluebird, but we don't support bluebird yet */\n\t\t\t\tFunctionCall call: possibleTargets contains [Function f: f.name matches \"query(Async)?\"]\n\t\t\t\t\tand call.instance.possibleHeapPaths contains [String s: s matches \"mysql\\.create(Connection|Pool)\"]\n /* arg0 non-constant */\n\t\t\t\t\tand call.arguments[0] is [Expression e: constantValue.None ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - 
"vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name matches \"post|get|getJSON|getScript\" and\n call.instance is [Location l: l.name matches \"jQuery|\\$\"]\n and call.arguments.length > 0\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name matches \"post|get|getJSON|getScript\"] and\n call.instance is [Location l: l.name matches \"jQuery|\\$\"]\n and call.arguments.length > 0\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.possibleTargets contains [Function f: f.name matches \"post|get|getJSON|getScript\"] and\n call.instance is [FieldAccess fa: fa.field.name matches \"jQuery|\\$\"]\n and call.arguments.length > 0\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall call: call.name matches \"post|get|getJSON|getScript\" and\n call.instance is [FieldAccess fa: fa.field.name matches \"jQuery|\\$\"]\n and call.arguments.length > 0\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Handlebars Misconfiguration", - "vuln_subcategory": "Prototypes Allowed", - "predicate": "\n FieldAccess fa: fa.field.name matches \"allowProtoMethodsByDefault|allowProtoPropertiesByDefault\"\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ]\n and rhs.constantValue == true\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Handlebars Misconfiguration", - 
"vuln_subcategory": "Prototypes Allowed", - "predicate": "\n FieldAccess fa: fa.field.name matches \"allowedProtoProperties|allowedProtoMethods\"\n /* do not match against generated versions on a call to template compilation */\n and not fa.instance is [Location: name == \"tag~options\"]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ]\n and rhs is [Expression: type.definition is [Class: \n /* don't cause duplicates with DBCF5E6D-C7DC-49D4-8158-95F7AAE15614 */\n not fields contains [Field: \n not synthetic\n and name matches \"constructor|__defineGetter__|__defineSetter__|__lookupGetter__|__lookupSetter__|__proto__\"\n ]\n and fields contains [Field: not synthetic]*\n ]]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Handlebars Misconfiguration", - "vuln_subcategory": "Prototypes Allowed", - "predicate": "\n FieldAccess fa: fa.field.name matches \"allowedProtoProperties|allowedProtoMethods\"\n /* do not match against generated versions on a call to template compilation */\n and not fa.instance is [Location: name == \"tag~options\"]\n and fa in [AssignmentStatement:\n lhs.location is [Location l:\n l.transitiveBase === fa.transitiveBase\n ]\n and rhs is [Expression: type.definition is [Class: \n fields contains [Field: \n not synthetic\n and name matches \"constructor|__defineGetter__|__defineSetter__|__lookupGetter__|__lookupSetter__|__proto__\"\n ]*\n ]]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "GraphQL Bad Practices", - "vuln_subcategory": "Introspection Enabled", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function: name == \"graphqlHTTP\"]\n and fc.enclosingFunction is [Function:\n contains [FunctionCall:\n /* check if graphqlHTTP is argument of app.use() */\n possibleTargets contains [Function: name == \"use\"]\n and instance is [Expression 
inst:\n possibleHeapPaths contains [String str:\n str matches \"express(\\.express|\\.exports)?\"\n ]\n /* for NodeGoat and similar projects. Bug 54435 */\n or inst is [Location: name == \"app\"]\n ]\n and arguments contains fc\n ]\n ]\n /* case 1: object passed as argument to graphqlHTTP() */\n and not fc.arguments[0] is [Expression:\n possibleTypes contains [Type:\n definition.fields contains [Field f1:\n f1.name == \"validationRules\"\n and fc.enclosingFunction contains [AssignmentStatement:\n lhs is [FieldAccess:\n field is f1\n ]\n and rhs is [VariableAccess va1:\n fc.enclosingFunction contains [AssignmentStatement:\n rhs is [VariableAccess:\n name == \"NoSchemaIntrospectionCustomRule\"\n and possibleTypes contains [Type:\n definition.name matches \"NoSchemaIntrospectionCustomRule.*\"\n ]\n ]\n and lhs is [VariableAccess: is va1]\n ]\n ]\n ]\n ]\n ]\n ]\n /* case 2: lambda passed as argument to graphqlHTTP() */\n and not fc.arguments[0] is [Expression: \n possibleFunctionTargets contains [Function lambda:\n returnSlot is [Slot: \n type is [Type: \n definition.fields contains [Field f2:\n f2.name == \"validationRules\"\n and lambda contains [AssignmentStatement:\n lhs is [FieldAccess:\n field is f2\n ]\n and rhs is [VariableAccess va2:\n fc.enclosingFunction contains [AssignmentStatement:\n rhs is [VariableAccess:\n name == \"NoSchemaIntrospectionCustomRule\"\n and possibleTypes contains [Type:\n definition.name matches \"NoSchemaIntrospectionCustomRule.*\"\n ]\n ]\n and lhs is [VariableAccess: is va2]\n ]\n ]\n ]\n ]\n ]\n ]\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "GraphQL Bad Practices", - "vuln_subcategory": "GraphiQL Enabled", - "predicate": "\n FunctionCall fc:\n fc.possibleTargets contains [Function: name == \"graphqlHTTP\"]\n and fc.enclosingFunction is [Function:\n contains [FunctionCall:\n /* check if graphqlHTTP is argument of app.use() */\n possibleTargets contains [Function: name == 
\"use\"]\n and instance is [Expression inst:\n possibleHeapPaths contains [String str:\n str matches \"express(\\.express|\\.exports)?\"\n ]\n /* for NodeGoat and similar projects. Bug 54435 */\n or inst is [Location: name == \"app\"]\n ]\n and arguments contains fc\n ]\n ]\n /* case 1: object passed as argument to graphqlHTTP() */\n and not fc.arguments[0] is [Expression:\n possibleTypes contains [Type:\n definition.fields contains [Field f1:\n f1.name == \"graphiql\"\n and fc.enclosingFunction contains [AssignmentStatement:\n lhs is [FieldAccess:\n field is f1\n ]\n and rhs is [Expression:\n constantValue is [Boolean: is false]\n or constantValue is [String: == \"false\"]\n ]\n ]\n ]\n ]\n ]\n /* case 2: lambda passed as argument to graphqlHTTP() */\n and not fc.arguments[0] is [Expression:\n possibleFunctionTargets contains [Function lambda:\n returnSlot is [Slot:\n type is [Type:\n definition.fields contains [Field f2:\n f2.name == \"graphiql\"\n and lambda contains [AssignmentStatement:\n lhs is [FieldAccess:\n field is f2\n ]\n and rhs is [Expression:\n constantValue is [Boolean: is false]\n or constantValue is [String: == \"false\"]\n ]\n ]\n ]\n ]\n ]\n ]\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name matches \"get|post|put|all|delete|head|patch|options\"\n ]\n and instance.possibleTypes contains [Type: definition is\n [Class: name == \"Express\"\n and interface == true\n and filepath matches \"(.*[/\\\\])?express-serve-static-core[/\\\\]index\\.d\\.ts\"\n ]\n ]\n and not fc.arguments contains [Expression inst1: inst1 is [FieldAccess: field.name matches \"(?i).*csrf.*\"]\n or inst1 is [VariableAccess: variable.name matches \"(?i).*csrf.*\"]\n ]\n and fc.arguments.length > 1\n\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - 
"vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name == \"listen\"\n and enclosingClass.name == \"Application\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"cookie\"]\n /* ewwwww */\n and fc.instance is [Expression this:\n /* Express JS has chainable vary and status fields */\n this.possibleFunctionTargets contains [Function:\n name matches \"vary|status\"\n ]\n or this is [Location:\n name matches \"res(p(onse)?)?\"\n ]\n ]\n and (\n fc.arguments.length == 2\n or\n fc.arguments[2] is [Expression:\n possibleTypes contains [Type: not definition.fields contains\n [Field: name == \"httpOnly\"]\n ]\n ]\n )\n\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "HTTPOnly not Set", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"cookie\"]\n /* ewwwww */\n and fc.instance is [Expression this:\n /* Express JS has chainable vary and status fields */\n this.possibleFunctionTargets contains [Function:\n name matches \"vary|status\"\n ]\n or this is [FieldAccess fa:\n fa.field.name matches \"res(p(onse)?)?\"\n ]\n ]\n and (\n fc.arguments.length == 2\n or\n fc.arguments[2] is [Expression:\n possibleTypes contains [Type: not definition.fields contains\n [Field: name == \"httpOnly\"]\n ]\n ]\n )\n\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"cookie\"]\n /* ewwwww */\n and fc.instance is [Expression this:\n /* Express JS has chainable vary and status 
fields */\n this.possibleFunctionTargets contains [Function:\n name matches \"vary|status\"\n ]\n or this is [Location:\n name matches \"res(p(onse)?)?\"\n ]\n ]\n and (\n fc.arguments.length == 2\n or\n fc.arguments[2] is [Expression:\n possibleTypes contains [Type: not definition.fields contains\n [Field: name == \"secure\"]\n ]\n ]\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"cookie\"]\n /* ewwwww */\n and fc.instance is [Expression this:\n /* Express JS has chainable vary and status fields */\n this.possibleFunctionTargets contains [Function:\n name matches \"vary|status\"\n ]\n or this is [FieldAccess fa:\n fa.field.name matches \"res(p(onse)?)?\"\n ]\n ]\n and (\n fc.arguments.length == 2\n or\n fc.arguments[2] is [Expression:\n possibleTypes contains [Type: not definition.fields contains\n [Field: name == \"secure\"]\n ]\n ]\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Missing SameSite Attribute", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"cookie\"]\n /* ewwwww */\n and fc.instance is [Expression this:\n /* Express JS has chainable vary and status fields */\n this.possibleFunctionTargets contains [Function:\n name matches \"vary|status\"\n ]\n or this is [Location:\n name matches \"res(p(onse)?)?\"\n ]\n ]\n and (\n fc.arguments.length == 2\n or\n fc.arguments[2] is [Expression:\n possibleTypes contains [Type: not definition.fields contains\n [Field: name == \"sameSite\"]\n ]\n ]\n )\n\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets 
contains [Function:\n name matches \"exec(File)?|spawn\"\n and returnType.name == \"ChildProcessPromise\"\n ]\n and arguments[0] is [Expression:\n /* not a constant */\n constantValue.None\n /* is constant, and contains environment variables */\n or constantValue matches \".*\\$.*|.*%.*%.*\"\n /* is constant, and doesn't contain a full path */\n or not (\n constantValue matches \".+:(/|\\\\).*\"\n or constantValue matches \"(/|\\\\).*\"\n )\n ]*\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Command Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall:\n possibleTargets contains [Function:\n name matches \"exec(File)?|spawn\"\n and returnType.name == \"ChildProcessPromise\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: f.name == \"createTableService\"\n and f.possibleHeapPaths contains [String str: str == \"azure-storage\"]]\n and not fc.arguments[1].constantValue.None\n and not fc.arguments[1].constantValue is [None:]\n and not fc.arguments[1].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: f.name == \"createTableService\"\n and f.possibleHeapPaths contains [String str: str == \"azure-storage\"]]\n and not fc.arguments[1].constantValue.None\n and not fc.arguments[1].constantValue is [None:]\n and not fc.arguments[1].constantValue == \"\"\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Path", - "predicate": "\n AccessLocation al: accessName == \"path\" and\n al 
in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"/\"]\n and (al.accessInstance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (al.accessInstance is [AccessLocation: accessName == \"defaults\"\n and accessInstance is [Location: name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Path", - "predicate": "\n AccessLocation al: accessName == \"path\" and\n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"/\"]\n and (al.accessInstance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (al.accessInstance is [AccessLocation: accessName == \"defaults\"\n and accessInstance is [Location: name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Path", - "predicate": "\n FieldAccess fa: fa.field.name == \"path\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue == \"/\"]\n and (fa.instance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (fa.instance is [FieldAccess fa2: field.name == \"defaults\"\n and fa2.instance is [FieldAccess fa3: field.name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n AccessLocation al: al.accessName == \"domain\" and \n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and not rhs.constantValue.None \n and 
rhs.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"]\n and (al.accessInstance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (al.accessInstance is [AccessLocation: accessName == \"defaults\"\n and accessInstance is [Location: name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n AccessLocation al: al.accessName == \"domain\" and\n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and not rhs.constantValue.None \n and rhs.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"]\n and (al.accessInstance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (al.accessInstance is [AccessLocation: accessName == \"defaults\" \n and accessInstance is [Location: name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n AccessLocation al: al.accessName == \"domain\" and \n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and not rhs.constantValue.None \n and rhs.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"]\n and (al.accessInstance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (al.accessInstance is [AccessLocation: accessName == \"defaults\"\n and accessInstance is [Location: name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n AccessLocation al: al.accessName == \"domain\" and\n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and 
not rhs.constantValue.None \n and rhs.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"]\n and (al.accessInstance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (al.accessInstance is [AccessLocation: accessName == \"defaults\" \n and accessInstance is [Location: name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n FieldAccess fa: fa.field.name == \"domain\" and \n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None \n and rhs.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.[a-z]{1,3}\\.[a-z]{1,3}$\"]\n and (fa.instance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (fa.instance is [FieldAccess fa2: field.name == \"defaults\" \n and fa2.instance is [FieldAccess fa3: field.name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Overly Broad Domain", - "predicate": "\n FieldAccess fa: fa.field.name == \"domain\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None\n and rhs.constantValue matches \"(?i)^\\.?([a-z0-9\\-]+)\\.([a-z0-9\\-]+)$\"]\n and (fa.instance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (fa.instance is [FieldAccess fa2: field.name == \"defaults\"\n and fa2.instance is [FieldAccess fa3: field.name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n AccessLocation al: al.accessName == \"secure\" and\n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === 
al.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue != true]\n and (al.accessInstance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (al.accessInstance is [AccessLocation: name == \"defaults\"\n and accessInstance is [Location: name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n AccessLocation al: al.accessName == \"secure\" and\n al in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === al.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue != true]\n and (al.accessInstance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (al.accessInstance is [AccessLocation: name == \"defaults\"\n and accessInstance is [Location: name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n FieldAccess fa: fa.field.name == \"secure\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]\n and not rhs.constantValue.None and rhs.constantValue != true]\n and (fa.instance.possibleHeapPaths contains \"$cookiesProvider.defaults\"\n or\n (fa.instance is [FieldAccess fa2: field.name == \"defaults\"\n and fa2.instance is [FieldAccess fa3: field.name == \"$cookiesProvider\"]])\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function: name matches \"put(Object)?\"]\n /* possibleHeapPaths matching too broadly */\n and fc.instance is [Location: name == \"$cookies\"]\n and (\n fc.arguments.length < 3\n or fc.arguments[2] is [Expression:\n not 
possibleTypes contains [Type:\n definition.fields contains [Field: name == \"secure\"]\n ]\n ]\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Cookie Security", - "vuln_subcategory": "Cookie not Sent Over SSL", - "predicate": "\n FunctionCall fc: possibleTargets contains [Function: name matches \"put(Object)?\"]\n /* possibleHeapPaths matching too broadly */\n and fc.instance is [FieldAccess: field.name == \"$cookies\"]\n and (\n fc.arguments.length < 3\n or fc.arguments[2] is [Expression:\n not possibleTypes contains [Type:\n definition.fields contains [Field: name == \"secure\"]\n ]\n ]\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "AngularJS Misconfiguration", - "vuln_subcategory": "Strict Contextual Escaping Disabled", - "predicate": "\n FunctionCall: possibleTargets contains [Function: name == \"enabled\"\n and possibleHeapPaths contains \"$sceProvider\"]\n and (arguments[0].constantValue.None\n or arguments[0].constantValue == false\n or arguments[0].constantValue == 0\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "AngularJS Misconfiguration", - "vuln_subcategory": "Dangerous Protocol Allowed", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: f.name matches \"(imgSrc|aHref)SanitizationWhitelist\"\n and f.possibleHeapPaths contains [String str: str == \"$compileProvider\"]]\n and fc.arguments.length == 1\n and fc.arguments[0] is [Expression e: e.constantValue matches \"(?i).*javascript.*\" or e.partialConstantValues contains [String: matches \"(?i).*javascript.*\"]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"$http\"]\n and fc.arguments.length == 1\n /* configuration 
object doesn't contain xsrfCookieName or xsrfHeaderName setting */\n and not fc.arguments[0].type.definition.fields contains [Field:\n name matches \"xsrf(Cookie|Header)Name\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"$http\"]\n and fc.arguments.length == 1\n /* configuration object doesn't contain xsrfCookieName or xsrfHeaderName setting */\n and not fc.arguments[0].type.definition.fields contains [Field:\n name matches \"xsrf(Cookie|Header)Name\"]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"get\"\n ]\n /* possibleHeapPaths matching too broadly */\n and fc.instance is [Location: name == \"$http\"]\n and (\n /* no configuration object set */\n fc.arguments.length == 1\n /* or configuration object set, and doesn't contain xsrfCookieName or xsrfHeaderName setting */\n or not fc.arguments[1].type.definition.fields contains [Field: name matches \"xsrf(Cookie|Header)Name\"]\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n f.name == \"get\"\n ]\n /* possibleHeapPaths matching too broadly */\n and fc.instance is [FieldAccess: field.name == \"$http\"]\n and (\n /* no configuration object set */\n fc.arguments.length == 1\n /* or configuration object set, and doesn't contain xsrfCookieName or xsrfHeaderName setting */\n or not fc.arguments[1].type.definition.fields contains [Field: name matches \"xsrf(Cookie|Header)Name\"]\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security 
Features", - "vuln_category": "AngularJS Misconfiguration", - "vuln_subcategory": "Dangerous Protocol Allowed", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f: f.name matches \"(imgSrc|aHref)SanitizationWhitelist\"\n and f.possibleHeapPaths contains [String str: str == \"$compileProvider\"]]\n and fc.arguments.length == 1\n and fc.arguments[0] is [Expression e: e.constantValue matches \"(?i).*javascript.*\" or e.partialConstantValues contains [String: matches \"(?i).*javascript.*\"]]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "Mixing Template Languages", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function: name matches \"(start|end)Symbol\"\n and (\n possibleHeapPaths contains [String str: str == \"$interpolateProvider\"]\n or fc.instance is [Location: name == \"$interpolateProvider\"]\n /* matches against last function call in builder-style call $interpolateProvider.startSymbol('##').endSymbol('##'); */\n or fc.instance is [FunctionCall: possibleTargets contains [Function: name matches \"(start|end)Symbol\"]]\n )\n ]\n and fc.arguments.length == 1\n " - }, - { - "language": "javascript", - "vuln_kingdom": "API Abuse", - "vuln_category": "Often Misused", - "vuln_subcategory": "Mixing Template Languages", - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function: name matches \"(start|end)Symbol\"\n and (\n possibleHeapPaths contains [String str: str == \"$interpolateProvider\"]\n or fc.instance is [FieldAccess: field.name == \"$interpolateProvider\"]\n /* matches against last function call in builder-style call $interpolateProvider.startSymbol('##').endSymbol('##'); */\n or fc.instance is [FunctionCall: possibleTargets contains [Function: name matches \"(start|end)Symbol\"]]\n )\n ]\n and fc.arguments.length == 1\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": 
"AngularJS Misconfiguration", - "vuln_subcategory": "Strict Contextual Escaping Disabled", - "predicate": "\n FunctionCall: possibleTargets contains [Function: name == \"enabled\"\n and possibleHeapPaths contains \"$sceProvider\"]\n and (arguments[0].constantValue.None\n or arguments[0].constantValue == false\n or arguments[0].constantValue == 0\n )\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n \n FunctionCall fc: fc.possibleTargets contains [Function : name == \"request\"]\n and instance.possibleTypes contains [Type: name == \"@angular/common/http.HttpClient\"]\n and fc.arguments[1] is [Expression: constantValue matches \"(?i)http://[^\\s/$.?#][^\\s]*\" ]\n\n \n " - }, - { - "language": "javascript", - "vuln_kingdom": "Security Features", - "vuln_category": "Insecure Transport", - "vuln_subcategory": None, - "predicate": "\n \n FunctionCall fc: fc.possibleTargets contains [Function : name matches \"get|head|jsonp|options|patch|post|put\"]\n and instance.possibleTypes contains [Type: name == \"@angular/common/http.HttpClient\"]\n and fc.arguments[0] is [Expression: constantValue matches \"(?i)http://[^\\s/$.?#][^\\s]*\" ]\n\n \n " - }, - { - "language": "javascript", - "vuln_kingdom": "Encapsulation", - "vuln_category": "Cross-Site Request Forgery", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: fc.possibleTargets contains [Function f:\n name == \"withNoXsrfProtection\"\n ]\n " - }, - { - "language": "javascript", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Path Manipulation", - "vuln_subcategory": "Zip Entry Overwrite", - "predicate": "\n FunctionCall fc:\n possibleTargets contains [Function:\n name == \"extractAllTo\"\n and possibleHeapPaths contains \"AdmZip\"\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - 
"vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - 
"language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === 
va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n StringLiteral:\n constantValue matches \".*\\\"(PUT_REGEX_HERE)\\\"\\s*:\\s*\\\"[^{$%]+\\\".*\"\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"PUT_REGEX_HERE\"] and\n not operation.rhs.constantValue.None and\n not 
operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"PUT_REGEX_HERE\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"PUT_REGEX_HERE\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"PUT_REGEX_HERE\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ))\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"PUT_REGEX_HERE\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"PUT_REGEX_HERE\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"PUT_REGEX_HERE\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == 
\"\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"PUT_REGEX_HERE\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ))\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"(?i)pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"(?i)pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(?i)pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(?i)pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ))\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n 
not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n 
not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pass(wd|word)\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \".*\\b(PUT_REGEX_HERE)\\b.*\"\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Password in Comment", - "predicate": "\n Comment c: c.text matches \"(?i).*pass(wd|word|phrase).*\"\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" 
and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: 
l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - 
"vuln_subcategory": "Empty Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"(?i).*pwd.*\" and not val.variable.name matches \"(?i)pwd\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"(?i).*pwd.*\" and not var.variable.name matches \"(?i)pwd\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(?i).*pwd.*\" and not fal.field.name matches \"(?i)pwd\"] and\n not operation.rhs.constantValue.None and\n not 
operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(?i).*pwd.*\" and not far.field.name matches \"(?i)pwd\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ))\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"(?i)pwd\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"(?i)pwd\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(?i)pwd\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(?i)pwd\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ))\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: 
lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pwd.*\" and\n not fa.field.name matches \"(?i)pwd\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)pwd\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pwd.*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)pwd\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n Operation 
operation: (operation.op matches \"[!=><]=\" or operation.op matches \"[<>]\") and\n ((operation.lhs.location is\n [VariableAccess val: val.variable is [Variable vl: ]* and val.variable.name matches \"(?i).*pass(wd|word).*\" and not val.variable.name matches \"(?i)pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [VariableAccess var: var.variable is [Variable vr: ]* and var.variable.name matches \"(?i).*pass(wd|word).*\" and not var.variable.name matches \"(?i)pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ) or\n (operation.lhs.location is\n [FieldAccess fal: fal.field is [Field fl: ]* and fal.field.name matches \"(?i).*pass(wd|word).*\" and not fal.field.name matches \"(?i)pass(wd|word)\"] and\n not operation.rhs.constantValue.None and\n not operation.rhs.constantValue is [None:] and\n not operation.rhs.constantValue == \"\"\n ) or\n (operation.rhs.location is\n [FieldAccess far: far.field is [Field fr: ]* and far.field.name matches \"(?i).*pass(wd|word).*\" and not far.field.name matches \"(?i)pass(wd|word)\"] and\n not operation.lhs.constantValue.None and\n not operation.lhs.constantValue is [None:] and\n not operation.lhs.constantValue == \"\"\n ))\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*pass(wd|word).*\" and\n not fa.field.name matches \"(?i)pass(wd|word)\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - 
"vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*pass(wd|word).*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)pass(wd|word)\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: 
va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - 
"language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: 
fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"PUT_REGEX_HERE\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n 
VariableAccess va: va.variable.name matches \"PUT_REGEX_HERE\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and va.variable.isTemp == false and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue is [None:]\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "None Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n 
rhs.constantValue is [None:]\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Empty Encryption Key", - "predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - "predicate": "\n FieldAccess fa: fa.field.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and\n not fa.field.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and fa.field is [Field f:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Key Management", - "vuln_subcategory": "Hardcoded Encryption Key", - 
"predicate": "\n VariableAccess va: va.variable.name matches \"(?i).*((enc|dec)(?!e|o|y)(ryption|rypt)?|crypto).*key.*|.*passphrase.*\" and va.variable.isTemp == false and\n not va.variable.name matches \"(?i)((enc|dec)(ryption|rypt)?|crypto)?(_)?key|passphrase\" and\n va in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === va.transitiveBase] and\n not rhs.constantValue.None and\n not rhs.constantValue is [None:] and\n not rhs.constantValue == \"\"\n ] and va.variable is [Variable v:]*\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "Spring Misconfiguration", - "vuln_subcategory": "HTML Escaping Disabled", - "predicate": "\n FunctionCall fc:\n function.name matches \"_jspService|execute\"\n and function.enclosingClass.name matches \"http://(www\\.)?springframework\\.org/tags/htmlEscape\"\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n and namedParameters contains [NamedParameter:\n name is \"defaultHtmlEscape\" and expression.constantValue == \"false\"\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": "HTML Comment in JSP", - "predicate": "\n Comment: html and text matches \".*\" and\n /* added an exception for server-side includes -- bug 34067 */\n not text matches \".*#config.*|.*#echo.*|.*#elif.*|.*#else.*|.*#endif.*|.*#exec.*|.*#flastmod.*|.*#fsize.*|.*#if.*|.*#include.*|.*#printenv.*|.*#set.*\" and\n /* added an exception for conditional comments that work in IE -- bug 35756 */\n not text matches \".*\\[if(\\s)+(gt|gte|lt|lte|!)?(\\s)*IE.*|.* 0 and parameterTypes contains [name == \"javax.servlet.ServletConfig\"]) or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and (callers.length == 0 or callers contains [constructor]) and not callers contains [not 
constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"])]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Time and State", - "vuln_category": "Race Condition", - "vuln_subcategory": "Singleton Member Field", - "predicate": "\n AssignmentStatement: lhs.location is\n [FieldAccess: instance.location is [VariableAccess: this] and field is [Field dec: not dec.name startsWith \"_jspx\"]*] and\n enclosingClass.supers contains [Class: name == \"javax.servlet.Servlet\"] and\n not enclosingClass.supers contains [Class: name == \"javax.servlet.SingleThreadModel\"] and\n not enclosingFunction is\n /* EXCEPTION: enclosing function is a constructor or its name starts with \"init\" */\n [constructor or name matches \"init.*\" or name == \"jspInit\" or\n /* EXCEPTION: enclosing function takes ServletConfig as one of its parameters */\n (parameterTypes.length > 0 and parameterTypes contains [name == \"javax.servlet.ServletConfig\"]) or\n /* EXCEPTION: enclosing function is only reachable from a constructor */\n (not public and (callers.length == 0 or callers contains [constructor]) and not callers contains [not constructor]) or\n /* EXCEPTION: enclosing function starts with \"set\" and is not reachable from any of the non-constructor functions */\n (name matches \"set.*\" and not callers contains [not constructor]) or\n /* EXCEPTION: callers of enclosing function do not contain any functions other than init() */\n (callers.length != 0 and not callers contains [Function: not name matches \"init.*\"])]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Encapsulation", - "vuln_category": "System Information Leak", - "vuln_subcategory": None, - 
"predicate": "\n FunctionCall fc: function.name matches \"_jspService|execute\"\n and function.enclosingClass.name is \"http://jakarta.apache.org/taglibs/log-1.0/dump\"\n and namedParameters contains [\n NamedParameter: name matches \"jspBody|body\" and\n expression is [Expression body: ]\n ]\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Hardcoded Password", - "predicate": "\n FunctionCall fc: function.name matches \"_jspService|execute\"\n and function.enclosingClass.name matches \"http://(java.sun.com|xmlns.jcp.org)/(jsp/)?jstl/sql(_rt)?/setDataSource\"\n and namedParameters contains [\n NamedParameter: name matches \"jspBody|body\" and\n expression is [Expression body: ]\n ]\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n and namedParameters contains [\n NamedParameter: name is \"password\"\n and not expression.constantValue.None and not expression.constantValue == \"\" and not expression.constantValue is [None: ]\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "Empty Password", - "predicate": "\n FunctionCall fc: function.name matches \"_jspService|execute\"\n and function.enclosingClass.name matches \"http://(java.sun.com|xmlns.jcp.org)/(jsp/)?jstl/sql(_rt)?/setDataSource\"\n and namedParameters contains [\n NamedParameter: name matches \"jspBody|body\" and\n expression is [Expression body: ]\n ]\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n and namedParameters contains [\n NamedParameter: name is \"password\"\n and not expression.constantValue.None and 
expression.constantValue == \"\"\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Security Features", - "vuln_category": "Password Management", - "vuln_subcategory": "None Password", - "predicate": "\n FunctionCall fc: function.name matches \"_jspService|execute\"\n and function.enclosingClass.name matches \"http://(java.sun.com|xmlns.jcp.org)/(jsp/)?jstl/sql(_rt)?/setDataSource\"\n and namedParameters contains [\n NamedParameter: name matches \"jspBody|body\" and\n expression is [Expression body: ]\n ]\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n and namedParameters contains [\n NamedParameter: name is \"password\"\n and not expression.constantValue.None and expression.constantValue is [None: ]\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: function.name matches \"_jspService|execute\"\n and function.enclosingClass.name matches \"http://(java.sun.com|xmlns.jcp.org)/(jsp/)?jstl/sql(_rt)?/update\"\n and namedParameters contains [\n NamedParameter: name matches \"jspBody|body\" and\n expression is [Expression body: ]\n ]\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n and namedParameters contains [\n NamedParameter: name is \"sql\"\n and (expression.constantValue.None or expression.constantValue is [None: ])\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "SQL Injection", - "vuln_subcategory": None, - "predicate": "\n FunctionCall fc: function.name matches \"_jspService|execute\"\n and function.enclosingClass.name matches \"http://(java.sun.com|xmlns.jcp.org)/(jsp/)?jstl/sql(_rt)?/query\"\n and namedParameters contains [\n NamedParameter: name matches \"jspBody|body\" and\n 
expression is [Expression body: ]\n ]\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n and namedParameters contains [\n NamedParameter: name is \"sql\"\n and (expression.constantValue.None or expression.constantValue is [None: ])\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "API Abuse", - "vuln_category": "ADF Faces Bad Practices", - "vuln_subcategory": "unsecure Attribute", - "predicate": "\n FunctionCall fc: function.name matches \"_jspService|execute\"\n and function.enclosingClass.name matches \"http://xmlns\\.oracle\\.com/adf/faces/rich/(activeCommandToolbarButton|calendar|carousel|carouselItem|chooseColor|chooseDate|commandButton|commandImageLink|commandLink|commandScript|commandMenuItem|commandNavigationItem|commandToolbarButton|dialog|goButton|goImageLink|goLink|goMenuItem|inputColor|inputComboboxListOfValues|inputDate|inputFile|inputListOfValues|inputNumberSlider|inputNumberSpinbox|inputRangeSlider|inputText|menu|menuBar|query|quickQuery|resetButton|richTextEditor|selectBooleanCheckbox|selectBooleanRadio|selectManyCheckbox|selectManyChoice|selectManyListbox|selectManyShuttle|selectOneChoice|selectOneListbox|selectOneRadio|selectOrderShuttle|table|toolbar|toolbox|train|trainButtonBar|tree|treeTable)\"\n and namedParameters contains [\n NamedParameter: name matches \"jspBody|body\" and\n expression is [Expression body: ]\n ]\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n and namedParameters contains [\n NamedParameter: name is \"unsecure\" and\n expression is [Expression unsecure: ]\n ]\n " - }, - { - "language": "jsp", - "vuln_kingdom": "Input Validation and Representation", - "vuln_category": "OGNL Expression Injection", - "vuln_subcategory": "Struts 2", - "predicate": "\n FunctionCall fc: function.name matches \"_jspService|execute\"\n and fc.function.enclosingClass.name 
matches \"/struts-tags/(url|a)\"\n and namedParameters contains [\n NamedParameter: name matches \"jspBody|body\" and\n expression is [Expression body: ]\n ]\n and namedParameters contains [\n NamedParameter: name matches \"jspContext|context\" and\n expression is [Expression context: ]\n ]\n and namedParameters contains [NamedParameter p: p.name is \"includeParams\" and p.expression.constantValue matches \"all|get\"]\n "
- },
- {
- "language": "jsp",
- "vuln_kingdom": "Input Validation and Representation",
- "vuln_category": "OGNL Expression Injection",
- "vuln_subcategory": "Struts 2",
- "predicate": "\n FunctionCall fc:\n function.name matches \"_jspService|execute\"\n and function.enclosingClass.name == \"/struts-tags/url\"\n and not namedParameters contains [NamedParameter: name is \"value\"]\n and not namedParameters contains [NamedParameter: name is \"action\"]\n "
- }
-]
\ No newline at end of file
diff --git a/rules/__init__.py b/rules/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/rules/fortify/__init__.py b/rules/fortify/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/rules/fortify/fortify.py b/rules/fortify/fortify.py
deleted file mode 100644
index 8a4f764..0000000
--- a/rules/fortify/fortify.py
+++ /dev/null
@@ -1,44 +0,0 @@ -import json -import os -import xml.etree.ElementTree as ET - - -rules_list = [] - -def extract_rules(xml_file): - tree = ET.parse(xml_file) - root = tree.getroot() - - rules = root.findall('.//{xmlns://www.fortifysoftware.com/schema/rules}StructuralRule') - - for rule in rules: - rule_info = {} - - vuln_kingdom = rule.find('{xmlns://www.fortifysoftware.com/schema/rules}VulnKingdom') - vuln_category = rule.find('{xmlns://www.fortifysoftware.com/schema/rules}VulnCategory') - vuln_subcategory = rule.find('{xmlns://www.fortifysoftware.com/schema/rules}VulnSubcategory') - predicate = rule.find('{xmlns://www.fortifysoftware.com/schema/rules}Predicate') - - rule_info['language'] = rule.get('language') - - if rule_info['language'] in ['c', 'cpp', 'go', 'php', 'jsp', 'java', 'python', 'javascript']: - rule_info['vuln_kingdom'] = vuln_kingdom.text.replace(' ', ' ') if vuln_kingdom is not None else None - rule_info['vuln_category'] = vuln_category.text.replace(' ', ' ') if vuln_category is not None else None - rule_info['vuln_subcategory'] = vuln_subcategory.text.replace(' ', ' ') if vuln_subcategory is not None else None - rule_info['predicate'] = predicate.text.replace(' ', ' ') if predicate is not None else None - - rules_list.append(rule_info) - - - -def load_fortify_rules(src_path): - for root, dirs, files in os.walk(src_path): - for file_name in files: - if file_name.endswith('.xml'): - file_path = os.path.join(root, file_name) - extract_rules(file_path) - - open('../../fortify_rules.json', 'w', encoding='utf-8').write(json.dumps(rules_list)) - -if __name__ == '__main__': - load_fortify_rules(r'C:\Users\yvling\Desktop\data') \ No newline at end of file