{"rules":[{"id":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","metadata":{"cwe":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"],"owasp":["A05:2017 - Broken Access Control","A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN","references":["https://www.owasp.org/index.php/Path_Traversal"],"category":"security","technology":["java"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","shortlink":"https://sg.run/oxXN","semgrep.dev":{"rule":{"r_id":9160,"rv_id":1263064,"rule_id":"NbUk7X","version_id":"zyTb2rq","url":"https://semgrep.dev/playground/r/zyTb2rq/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","origin":"community"}}},"message":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.","mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"pattern":"(HttpServletRequest $REQ)\n"},{"patterns":[{"pattern-inside":"(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n  ...\n}\n"},{"pattern":"$COOKIE.getValue(...)\n"}]},{"patterns":[{"pattern-inside":"$TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(...);\n...\n"},{"pattern":"$PARAM = $VALS[$INDEX];\n"}]}]}]}],"pattern-sanitizers":[{"pattern":"org.apache.commons.io.FilenameUtils.getName(...)"}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"(java.io.File $FILE) = ...\n"},{"pattern":"(java.io.FileOutputStream $FOS) = ...\n"},{"pattern":"new java.io.FileInputStream(...)\n"}]}]}],"severity":"ERROR","languages":["java"]},{"id":"java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss","message":"Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET","category":"security","technology":["java"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss","shortlink":"https://sg.run/pxjN","semgrep.dev":{"rule":{"r_id":9162,"rv_id":1263066,"rule_id":"wdUJOk","version_id":"2KTv2EG","url":"https://semgrep.dev/playground/r/2KTv2EG/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss","origin":"community"}}},"severity":"ERROR","patterns":[{"pattern-inside":"$TYPE $FUNC(..., HttpServletResponse $RESP, ...) { ... }"},{"pattern-inside":"$VAR = $REQ.getParameter(...); ..."},{"pattern-either":[{"pattern":"$RESP.getWriter(...).write(..., $VAR, ...);"},{"pattern":"$WRITER = $RESP.getWriter(...);\n...\n$WRITER.write(..., $VAR, ...);\n"}]}],"languages":["java"]},{"id":"java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle","message":"Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead.","metadata":{"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE","references":["https://capec.mitre.org/data/definitions/463.html","https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes","https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"],"category":"security","technology":["java"],"subcategory":["audit"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle","shortlink":"https://sg.run/ydxr","semgrep.dev":{"rule":{"r_id":9168,"rv_id":1262990,"rule_id":"ZqU5oD","version_id":"44TEjbE","url":"https://semgrep.dev/playground/r/44TEjbE/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle","origin":"community"}}},"severity":"WARNING","fix":"\"AES/GCM/NoPadding\"\n","languages":["java"],"patterns":[{"pattern-inside":"Cipher.getInstance(\"=~/.*\\/CBC\\/PKCS5Padding/\")"},{"pattern":"\"=~/.*\\/CBC\\/PKCS5Padding/\"\n"}]},{"id":"java.lang.security.audit.formatted-sql-string.formatted-sql-string","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION","asvs":{"section":"V5: Validation, Sanitization and Encoding Verification Requirements","control_id":"5.3.5 Injection","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements","version":"4"},"references":["https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps","https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement"],"category":"security","technology":["java"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string","shortlink":"https://sg.run/OPXp","semgrep.dev":{"rule":{"r_id":9175,"rv_id":1409389,"rule_id":"QrUzxR","version_id":"ExTeyBP","url":"https://semgrep.dev/playground/r/ExTeyBP/java.lang.security.audit.formatted-sql-string.formatted-sql-string","origin":"community"}}},"options":{"taint_assume_safe_numbers":true,"taint_assume_safe_booleans":true},"message":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.","mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"pattern":"(HttpServletRequest $REQ)\n"},{"patterns":[{"pattern-inside":"$ANNOT $FUNC (..., $INPUT, ...) {\n  ...\n}\n"},{"pattern":"(String $INPUT)"},{"focus-metavariable":"$INPUT"}]}]}],"label":"INPUT"},{"patterns":[{"pattern-either":[{"pattern":"$X + $INPUT"},{"pattern":"$X += $INPUT"},{"pattern":"String.format(..., $INPUT, ...)"},{"pattern":"String.join(..., $INPUT, ...)"},{"pattern":"(String $STR).concat($INPUT)"},{"pattern":"$INPUT.concat(...)"},{"patterns":[{"pattern-either":[{"pattern":"$STRB.append($INPUT)"},{"pattern":"new $STRB(..., $INPUT, ...)"}]},{"metavariable-type":{"metavariable":"$STRB","type":"StringBuilder"}}]}]}],"label":"CONCAT","requires":"INPUT"}],"pattern-propagators":[{"pattern":"(StringBuffer $S).append($X)","from":"$X","to":"$S"},{"pattern":"(StringBuilder $S).append($X)","from":"$X","to":"$S"}],"pattern-sinks":[{"patterns":[{"pattern-not":"$S.$SQLFUNC(<... \"=~/.*TABLE *$/\" ...>)"},{"pattern-not":"$S.$SQLFUNC(<... \"=~/.*TABLE %s$/\" ...>)"},{"pattern-either":[{"pattern":"(Statement $S).$SQLFUNC(...)"},{"pattern":"(PreparedStatement $P).$SQLFUNC(...)"},{"pattern":"(Connection $C).createStatement(...).$SQLFUNC(...)"},{"pattern":"(Connection $C).prepareStatement(...).$SQLFUNC(...)"},{"pattern":"(EntityManager $EM).$SQLFUNC(...)"}]},{"metavariable-regex":{"metavariable":"$SQLFUNC","regex":"execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare"}}],"requires":"CONCAT"}],"pattern-sanitizers":[{"patterns":[{"pattern":"(CriteriaBuilder $CB).$ANY(...)"}]}],"severity":"ERROR","languages":["java"]},{"id":"java.lang.security.audit.http-response-splitting.http-response-splitting","metadata":{"cwe":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"],"owasp":["A03:2021 - Injection","A05:2025 - Injection"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING","references":["https://www.owasp.org/index.php/HTTP_Response_Splitting"],"category":"security","technology":["java"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Validation"],"source":"https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting","shortlink":"https://sg.run/eL0l","semgrep.dev":{"rule":{"r_id":9176,"rv_id":1263023,"rule_id":"3qUPyK","version_id":"X0Tzykw","url":"https://semgrep.dev/playground/r/X0Tzykw/java.lang.security.audit.http-response-splitting.http-response-splitting","origin":"community"}}},"message":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.","severity":"INFO","languages":["java"],"pattern-either":[{"pattern":"$VAR = $REQ.getParameter(...);\n...\n$COOKIE = new Cookie(..., $VAR, ...);\n...\n$RESP.addCookie($COOKIE, ...);\n"},{"patterns":[{"pattern-inside":"$RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) {\n  ...\n}\n"},{"pattern":"$COOKIE = new Cookie(..., $VAR, ...);\n...\n$RESP.addCookie($COOKIE, ...);\n"}]}]},{"id":"java.lang.security.audit.unvalidated-redirect.unvalidated-redirect","message":"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.","metadata":{"cwe":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"],"owasp":["A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT","asvs":{"section":"V5: Validation, Sanitization and Encoding Verification Requirements","control_id":"5.1.5 Open Redirect","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation-requirements","version":"4"},"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A01_2021-Broken_Access_Control"],"subcategory":["vuln"],"impact":"LOW","likelihood":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Open Redirect"],"source":"https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect","shortlink":"https://sg.run/Q51P","semgrep.dev":{"rule":{"r_id":9186,"rv_id":1263048,"rule_id":"WAUo0p","version_id":"PkTR329","url":"https://semgrep.dev/playground/r/PkTR329/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect","origin":"community"}}},"severity":"WARNING","languages":["java"],"pattern-either":[{"pattern":"$X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {\n  ...\n  $RES.sendRedirect($URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {\n  ...\n  $RES.sendRedirect($URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n  ...\n  String $URL = $REQ.getParameter(...);\n  ...\n  $RES.sendRedirect($URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n  ...\n  String $URL = $REQ.getParameter(...);\n  ...\n  $RES.sendRedirect($URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,String $URL,...) {\n  ...\n  HttpServletResponse $RES = ...;\n  ...\n  $RES.sendRedirect($URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n  ...\n  $RES.sendRedirect($REQ.getParameter(...));\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n  ...\n  $RES.sendRedirect($REQ.getParameter(...));\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {\n  ...\n  $RES.addHeader(\"Location\",$URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {\n  ...\n  $RES.addHeader(\"Location\",$URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n  ...\n  String $URL = $REQ.getParameter(...);\n  ...\n  $RES.addHeader(\"Location\",$URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n  ...\n  String $URL = $REQ.getParameter(...);\n  ...\n  $RES.addHeader(\"Location\",$URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,String $URL,...) {\n  ...\n  HttpServletResponse $RES = ...;\n  ...\n  $RES.addHeader(\"Location\",$URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n  ...\n  $RES.addHeader(\"Location\",$REQ.getParameter(...));\n  ...\n}\n"},{"pattern":"$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n  ...\n  $RES.addHeader(\"Location\",$REQ.getParameter(...));\n  ...\n}"}]},{"id":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","metadata":{"cwe":["CWE-326: Inadequate Encryption Strength"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source_rule_url":"https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT","references":["https://tools.ietf.org/html/rfc7568","https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html"],"category":"security","technology":["java"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context","shortlink":"https://sg.run/4x7E","semgrep.dev":{"rule":{"r_id":9188,"rv_id":1263050,"rule_id":"KxUb1k","version_id":"5PTo1rW","url":"https://semgrep.dev/playground/r/5PTo1rW/java.lang.security.audit.weak-ssl-context.weak-ssl-context","origin":"community"}}},"message":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.","severity":"WARNING","languages":["java"],"patterns":[{"pattern-not":"SSLContext.getInstance(\"TLSv1.3\")"},{"pattern-not":"SSLContext.getInstance(\"TLSv1.2\")"},{"pattern":"SSLContext.getInstance(\"...\")"}],"fix-regex":{"regex":"(.*?)\\.getInstance\\(.*?\\)","replacement":"\\1.getInstance(\"TLSv1.2\")"}},{"id":"java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket","metadata":{"functional-categories":["net::search::crypto-config::java.net"],"cwe":["CWE-319: Cleartext Transmission of Sensitive Information"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET","asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Mishandled Sensitive Information"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket","shortlink":"https://sg.run/W8zA","semgrep.dev":{"rule":{"r_id":9197,"rv_id":1263008,"rule_id":"BYUN3X","version_id":"RGT0LEj","url":"https://semgrep.dev/playground/r/RGT0LEj/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket","origin":"community"}}},"message":"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.","severity":"WARNING","languages":["java"],"pattern-either":[{"pattern":"new ServerSocket(...)"},{"pattern":"new Socket(...)"}]},{"id":"java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector","message":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.","metadata":{"cwe":["CWE-329: Generation of Predictable IV with CBC Mode"],"owasp":["A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#STATIC_IV","asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"references":["https://cwe.mitre.org/data/definitions/329.html"],"category":"security","technology":["java"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector","shortlink":"https://sg.run/BkB5","semgrep.dev":{"rule":{"r_id":9195,"rv_id":1263002,"rule_id":"ReUgj1","version_id":"qkTR7vP","url":"https://semgrep.dev/playground/r/qkTR7vP/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector","origin":"community"}}},"severity":"WARNING","languages":["java"],"pattern-either":[{"pattern":"byte[] $IV = {\n    ...\n};\n...\nnew IvParameterSpec($IV, ...);\n"},{"pattern":"class $CLASS {\n    byte[] $IV = {\n        ...\n    };\n    ...\n    $METHOD(...) {\n        ...\n        new IvParameterSpec($IV, ...);\n        ...\n    }\n}\n"}]},{"id":"java.lang.security.audit.crypto.no-null-cipher.no-null-cipher","patterns":[{"pattern-either":[{"pattern":"new NullCipher(...);"},{"pattern":"new javax.crypto.NullCipher(...);"}]}],"metadata":{"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER","asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher","shortlink":"https://sg.run/AvA4","semgrep.dev":{"rule":{"r_id":9194,"rv_id":1263001,"rule_id":"GdU7pw","version_id":"K3TKkgB","url":"https://semgrep.dev/playground/r/K3TKkgB/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher","origin":"community"}}},"message":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.","severity":"WARNING","languages":["java"]},{"id":"java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization","patterns":[{"pattern-either":[{"patterns":[{"pattern-inside":"ObjectMapper $OM = new ObjectMapper(...);\n...\n"},{"pattern-inside":"$OM.enableDefaultTyping();\n...\n"},{"pattern":"$OM.readValue($JSON, ...);"}]},{"patterns":[{"pattern-inside":"class $CLASS {\n  ...\n  @JsonTypeInfo(use = Id.CLASS,...)\n  $TYPE $VAR;\n  ...\n}\n"},{"metavariable-regex":{"metavariable":"$TYPE","regex":"(Object|Serializable|Comparable)"}},{"pattern":"$OM.readValue($JSON, $CLASS.class);"}]},{"patterns":[{"pattern-inside":"class $CLASS {\n  ...\n  ObjectMapper $OM;\n  ...\n  $INITMETHODTYPE $INITMETHOD(...) {\n    ...\n    $OM = new ObjectMapper();\n    ...\n    $OM.enableDefaultTyping();\n    ...\n  }\n  ...\n}\n"},{"pattern-inside":"$METHODTYPE $METHOD(...) {\n  ...  \n}\n"},{"pattern":"$OM.readValue($JSON, ...);"}]}]}],"message":"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.","languages":["java"],"severity":"WARNING","metadata":{"category":"security","subcategory":["audit"],"cwe":["CWE-502: Deserialization of Untrusted Data"],"confidence":"MEDIUM","likelihood":"LOW","impact":"HIGH","owasp":["A8:2017 Insecure Deserialization","A8:2021 Software and Data Integrity Failures"],"references":["https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038","https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062","https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/"],"technology":["jackson"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Deserialization "],"source":"https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization","shortlink":"https://sg.run/GDop","semgrep.dev":{"rule":{"r_id":56948,"rv_id":945724,"rule_id":"QrUD20","version_id":"2KTYbA9","url":"https://semgrep.dev/playground/r/2KTYbA9/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization","origin":"community"}}}},{"id":"java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer","message":"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.","severity":"WARNING","options":{"interfile":true},"metadata":{"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","category":"security","cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"cwe2021-top25":true,"cwe2022-top25":true,"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html"],"subcategory":["vuln"],"technology":["java","servlets"],"interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer","shortlink":"https://sg.run/KlRL","semgrep.dev":{"rule":{"r_id":9211,"rv_id":1263055,"rule_id":"j2Uv7B","version_id":"DkTRbXy","url":"https://semgrep.dev/playground/r/DkTRbXy/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer","origin":"community"}}},"languages":["java"],"mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"pattern":"(HttpServletRequest $REQ).$REQFUNC(...)\n"},{"pattern":"(ServletRequest $REQ).$REQFUNC(...) \n"}]},{"metavariable-regex":{"metavariable":"$REQFUNC","regex":"(getInputStream|getParameter|getParameterMap|getParameterValues|getReader|getCookies|getHeader|getHeaderNames|getHeaders|getPart|getParts|getQueryString)"}}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"(HttpServletResponse $RESPONSE).getWriter(...).$WRITE(...)\n"},{"pattern":"(HttpServletResponse $RESPONSE).getOutputStream(...).$WRITE(...)\n"},{"pattern":"(java.io.PrintWriter $WRITER).$WRITE(...)\n"},{"pattern":"(PrintWriter $WRITER).$WRITE(...)\n"},{"pattern":"(javax.servlet.ServletOutputStream $WRITER).$WRITE(...)\n"},{"pattern":"(ServletOutputStream $WRITER).$WRITE(...)\n"},{"pattern":"(java.io.OutputStream $WRITER).$WRITE(...)\n"},{"pattern":"(OutputStream $WRITER).$WRITE(...)\n"}]}]}],"pattern-sanitizers":[{"pattern-either":[{"pattern":"Encode.forHtml(...)"},{"pattern":"(PolicyFactory $POLICY).sanitize(...)"},{"pattern":"(AntiSamy $AS).scan(...)"},{"pattern":"JSoup.clean(...)"},{"pattern":"org.apache.commons.lang.StringEscapeUtils.escapeHtml(...)"},{"pattern":"org.springframework.web.util.HtmlUtils.htmlEscape(...)"},{"pattern":"org.owasp.esapi.ESAPI.encoder().encodeForHTML(...)"}]}]},{"id":"java.lang.security.audit.crypto.use-of-sha1.use-of-sha1","message":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.","languages":["java"],"severity":"WARNING","metadata":{"functional-categories":["crypto::search::hash-algorithm::javax.crypto"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"cwe":["CWE-328: Use of Weak Hash"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1","asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Hashing Algorithm"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1","shortlink":"https://sg.run/bXNp","semgrep.dev":{"rule":{"r_id":17326,"rv_id":1263016,"rule_id":"qNUWNn","version_id":"l4TJRpL","url":"https://semgrep.dev/playground/r/l4TJRpL/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1","origin":"community"}}},"pattern-either":[{"patterns":[{"pattern":"java.security.MessageDigest.getInstance(\"$ALGO\", ...);\n"},{"metavariable-regex":{"metavariable":"$ALGO","regex":"(SHA1|SHA-1)"}}]},{"pattern":"$DU.getSha1Digest().digest(...)\n"}]},{"id":"java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated","message":"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.","metadata":{"functional-categories":["crypto::search::symmetric-algorithm::javax.crypto"],"cwe":["CWE-326: Inadequate Encryption Strength"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE","references":["https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA"],"category":"security","technology":["java"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated","shortlink":"https://sg.run/Geqn","semgrep.dev":{"rule":{"r_id":9192,"rv_id":1262997,"rule_id":"JDUy8J","version_id":"BjTkZyQ","url":"https://semgrep.dev/playground/r/BjTkZyQ/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated","origin":"community"}}},"severity":"WARNING","patterns":[{"pattern-either":[{"pattern":"$CIPHER.getInstance(\"=~/DESede.*/\")\n"},{"pattern":"$CRYPTO.KeyGenerator.getInstance(\"DES\")\n"}]}],"languages":["java","kt"]},{"id":"java.lang.security.audit.crypto.use-of-md5.use-of-md5","message":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.","languages":["java"],"severity":"WARNING","metadata":{"functional-categories":["crypto::search::hash-algorithm::java.security"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"cwe":["CWE-328: Use of Weak Hash"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5","category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Hashing Algorithm"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5","shortlink":"https://sg.run/ryJn","semgrep.dev":{"rule":{"r_id":17325,"rv_id":1263013,"rule_id":"KxU5lW","version_id":"0bTKzGX","url":"https://semgrep.dev/playground/r/0bTKzGX/java.lang.security.audit.crypto.use-of-md5.use-of-md5","origin":"community"}}},"patterns":[{"pattern":"java.security.MessageDigest.getInstance($ALGO, ...);\n"},{"metavariable-regex":{"metavariable":"$ALGO","regex":"(?i)(.MD5.)"}},{"focus-metavariable":"$ALGO"}],"fix":"\"SHA-512\"\n"},{"id":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","message":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.","metadata":{"cwe":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection"],"category":"security","technology":["java"],"subcategory":["vuln"],"impact":"MEDIUM","likelihood":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["LDAP Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","shortlink":"https://sg.run/gRg0","semgrep.dev":{"rule":{"r_id":18241,"rv_id":1409392,"rule_id":"pKUXAv","version_id":"8KT3Pe6","url":"https://semgrep.dev/playground/r/8KT3Pe6/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","origin":"community"}}},"severity":"WARNING","languages":["java"],"mode":"taint","pattern-sources":[{"patterns":[{"pattern":"(HttpServletRequest $REQ)"}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"(javax.naming.directory.InitialDirContext $IDC).search(...)\n"},{"pattern":"(javax.naming.directory.DirContext $CTX).search(...)\n"}]},{"pattern-not":"(javax.naming.directory.InitialDirContext $IDC).search($Y, \"...\", ...)\n"},{"pattern-not":"(javax.naming.directory.DirContext $CTX).search($Y, \"...\", ...)\n"}]}]},{"id":"java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request","message":"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.","languages":["java"],"severity":"WARNING","mode":"taint","pattern-sources":[{"patterns":[{"pattern":"(HttpServletRequest $REQ).$FUNC(...)\n"}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"(javax.xml.xpath.XPath $XP).evaluate(...)\n"},{"pattern":"(javax.xml.xpath.XPath $XP).compile(...).evaluate(...)\n"}]}]}],"metadata":{"category":"security","technology":["java"],"cwe":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')"],"owasp":["A03:2021 - Injection","A05:2025 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["XPath Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request","shortlink":"https://sg.run/3BvK","semgrep.dev":{"rule":{"r_id":18243,"rv_id":1409394,"rule_id":"X5U5nj","version_id":"QkTERKP","url":"https://semgrep.dev/playground/r/QkTERKP/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request","origin":"community"}}}},{"id":"java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request","message":"Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.","languages":["java"],"severity":"ERROR","mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"pattern":"(HttpServletRequest $REQ)\n"},{"patterns":[{"pattern-inside":"(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n  ...\n}\n"},{"pattern":"$COOKIE.getValue(...)\n"}]}]}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"(ProcessBuilder $PB) = ...;\n"},{"patterns":[{"pattern":"(Process $P) = ...;\n"},{"pattern-not":"(Process $P) = (java.lang.Runtime $R).exec(...);\n"}]},{"patterns":[{"pattern":"(java.lang.Runtime $R).exec($CMD, ...);"},{"focus-metavariable":"$CMD"}]},{"patterns":[{"pattern-either":[{"pattern-inside":"(java.util.List<$TYPE> $ARGLIST) = ...;  \n...\n(ProcessBuilder $PB) = ...;\n...\n$PB.command($ARGLIST);\n"},{"pattern-inside":"(java.util.List<$TYPE> $ARGLIST) = ...;  \n...\n(ProcessBuilder $PB) = ...;\n"},{"pattern-inside":"(java.util.List<$TYPE> $ARGLIST) = ...;  \n...\n(Process $P) = ...;\n"}]},{"pattern":"$ARGLIST.add(...);\n"}]}]}]}],"metadata":{"category":"security","technology":["java"],"cwe":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Command Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request","shortlink":"https://sg.run/8zPN","semgrep.dev":{"rule":{"r_id":18240,"rv_id":1263042,"rule_id":"zdUWrg","version_id":"LjTkg9J","url":"https://semgrep.dev/playground/r/LjTkg9J/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request","origin":"community"}}}},{"id":"java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request","message":"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.","languages":["java"],"severity":"WARNING","mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"patterns":[{"pattern":"(HttpServletRequest $REQ).$FUNC(...)\n"},{"pattern-not":"(HttpServletRequest $REQ).getSession()\n"}]},{"patterns":[{"pattern-inside":"(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n  ...\n}\n"},{"pattern":"$COOKIE.getValue(...)\n"}]},{"patterns":[{"pattern-inside":"$TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(... );\n...\n"},{"pattern":"$PARAM = $VALS[$INDEX];\n"}]},{"patterns":[{"pattern-inside":"$HEADERS = (HttpServletRequest $REQ).getHeaders(...);\n...\n$PARAM = $HEADERS.$FUNC(...);\n...\n"},{"pattern":"java.net.URLDecoder.decode($PARAM, ...)\n"}]}]}]}],"pattern-sinks":[{"patterns":[{"pattern":"(HttpServletRequest $REQ).getSession().$FUNC($NAME, $VALUE);"},{"metavariable-regex":{"metavariable":"$FUNC","regex":"^(putValue|setAttribute)$"}},{"focus-metavariable":"$VALUE"}]}],"options":{"interfile":true},"metadata":{"category":"security","technology":["java"],"cwe":["CWE-501: Trust Boundary Violation"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["vuln"],"impact":"MEDIUM","likelihood":"MEDIUM","confidence":"MEDIUM","interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Other"],"source":"https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request","shortlink":"https://sg.run/QbDZ","semgrep.dev":{"rule":{"r_id":18242,"rv_id":1409393,"rule_id":"2ZU7Eo","version_id":"gETrv9j","url":"https://semgrep.dev/playground/r/gETrv9j/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request","origin":"community"}}}},{"id":"java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request","message":"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.","severity":"WARNING","metadata":{"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","category":"security","cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2021-top25":true,"cwe2022-top25":true,"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","https://owasp.org/www-community/attacks/SQL_Injection"],"subcategory":["vuln"],"technology":["sql","java","servlets","spring"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request","shortlink":"https://sg.run/Lg56","semgrep.dev":{"rule":{"r_id":18239,"rv_id":1409390,"rule_id":"oqUBJG","version_id":"7ZTKJNj","url":"https://semgrep.dev/playground/r/7ZTKJNj/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request","origin":"community"}}},"languages":["java"],"mode":"taint","options":{"taint_assume_safe_numbers":true,"taint_assume_safe_booleans":true},"pattern-sources":[{"patterns":[{"pattern-either":[{"pattern":"(HttpServletRequest $REQ).$REQFUNC(...)\n"},{"pattern":"(ServletRequest $REQ).$REQFUNC(...) \n"}]},{"metavariable-regex":{"metavariable":"$REQFUNC","regex":"(getInputStream|getParameter|getParameterMap|getParameterValues|getReader|getCookies|getHeader|getHeaderNames|getHeaders|getPart|getParts|getQueryString)"}}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"(java.sql.CallableStatement $STMT) = ...; \n"},{"pattern":"(java.sql.Statement $STMT) = ...;\n...\n$OUTPUT = $STMT.$FUNC(...);\n"},{"pattern":"(java.sql.PreparedStatement $STMT) = ...;\n"},{"pattern":"$VAR = $CONN.prepareStatement(...)\n"},{"pattern":"$PATH.queryForObject(...);\n"},{"pattern":"(java.util.Map<String, Object> $STMT) = $PATH.queryForMap(...);\n"},{"pattern":"(org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...;\n"},{"pattern":"(org.springframework.jdbc.core.JdbcTemplate $TEMPL).batchUpdate(...)\n"},{"patterns":[{"pattern-inside":"(String $SQL) = \"$SQLSTR\" + ...;\n...\n"},{"pattern":"$PATH.$SQLCMD(..., $SQL, ...);"},{"metavariable-regex":{"metavariable":"$SQLSTR","regex":"(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)"}},{"metavariable-regex":{"metavariable":"$SQLCMD","regex":"(execute|query|executeUpdate|batchUpdate)"}}]}]}]}]},{"id":"java.lang.security.audit.crypto.ecb-cipher.ecb-cipher","metadata":{"functional-categories":["crypto::search::mode::javax.crypto"],"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#ECB_MODE","category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher","shortlink":"https://sg.run/Ro9K","semgrep.dev":{"rule":{"r_id":9193,"rv_id":1262998,"rule_id":"5rUOb6","version_id":"DkTRbwL","url":"https://semgrep.dev/playground/r/DkTRbwL/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher","origin":"community"}}},"message":"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.","severity":"WARNING","languages":["java"],"patterns":[{"pattern":"Cipher $VAR = $CIPHER.getInstance($MODE);\n"},{"metavariable-regex":{"metavariable":"$MODE","regex":".*ECB.*"}}]},{"id":"java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size","metadata":{"cwe":["CWE-326: Inadequate Encryption Strength"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE","asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["audit"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size","shortlink":"https://sg.run/9o74","semgrep.dev":{"rule":{"r_id":9167,"rv_id":1262989,"rule_id":"d8UjJ3","version_id":"3ZT4X2r","url":"https://semgrep.dev/playground/r/3ZT4X2r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size","origin":"community"}}},"message":"Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.","severity":"WARNING","languages":["java"],"patterns":[{"pattern":"$KEYGEN = KeyGenerator.getInstance(\"Blowfish\");\n...\n$KEYGEN.init($SIZE);\n"},{"metavariable-comparison":{"metavariable":"$SIZE","comparison":"$SIZE < 128"}}]},{"id":"java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse","metadata":{"functional-categories":["crypto::search::randomness::javax.crypto"],"cwe":["CWE-323: Reusing a Nonce, Key Pair in Encryption"],"category":"security","source-rule-url":"https://www.youtube.com/watch?v=r1awgAl90wM","technology":["java"],"owasp":["A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse","shortlink":"https://sg.run/Dww2","semgrep.dev":{"rule":{"r_id":11908,"rv_id":1263000,"rule_id":"GdUZZ3","version_id":"0bTKzGk","url":"https://semgrep.dev/playground/r/0bTKzGk/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse","origin":"community"}}},"languages":["java"],"message":"GCM IV/nonce is reused: encryption can be totally useless","patterns":[{"pattern-either":[{"pattern":"new GCMParameterSpec(..., \"...\".getBytes(...), ...);"},{"pattern":"byte[] $NONCE = \"...\".getBytes(...); ... new GCMParameterSpec(..., $NONCE, ...);"}]}],"severity":"ERROR"},{"id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","severity":"ERROR","metadata":{"cwe":["CWE-611: Improper Restriction of XML External Entity Reference"],"owasp":["A04:2017 - XML External Entities (XXE)","A05:2021 - Security Misconfiguration","A02:2025 - Security Misconfiguration"],"asvs":{"section":"V5 Validation, Sanitization and Encoding","control_id":"5.5.2 Insecue XML Deserialization","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention","version":"4"},"references":["https://semgrep.dev/blog/2022/xml-security-in-java","https://semgrep.dev/docs/cheat-sheets/java-xxe/","https://blog.sonarsource.com/secure-xml-processor","https://xerces.apache.org/xerces2-j/features.html"],"category":"security","technology":["java","xml"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["XML Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","shortlink":"https://sg.run/PYBz","semgrep.dev":{"rule":{"r_id":18245,"rv_id":1263058,"rule_id":"10UPQB","version_id":"K3TKk80","url":"https://semgrep.dev/playground/r/K3TKk80/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","origin":"community"}}},"message":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.","mode":"taint","pattern-sources":[{"by-side-effect":true,"patterns":[{"pattern-either":[{"pattern":"$FACTORY = DocumentBuilderFactory.newInstance();\n"},{"patterns":[{"pattern":"$FACTORY"},{"pattern-inside":"class $C {\n  ...\n  $V $FACTORY = DocumentBuilderFactory.newInstance();\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = DocumentBuilderFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n    ...\n  }\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = DocumentBuilderFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n    ...\n  }\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = DocumentBuilderFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n    ...\n  }\n  ...\n}\n"}]}]}]}],"pattern-sinks":[{"patterns":[{"pattern":"$FACTORY.newDocumentBuilder();"}]}],"pattern-sanitizers":[{"by-side-effect":true,"pattern-either":[{"patterns":[{"pattern-either":[{"pattern":"$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n"},{"pattern":"$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n"},{"pattern":"$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n"}]},{"focus-metavariable":"$FACTORY"}]},{"patterns":[{"pattern-either":[{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\",\n    true);\n    ...\n  }\n  ...\n}\n"},{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n    ...\n  }\n  ...\n}\n"},{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\",false);\n    ...\n  }\n  ...\n}\n"}]},{"pattern":"$M($X)"},{"focus-metavariable":"$X"}]}]}],"fix":"$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n$FACTORY.newDocumentBuilder();\n","languages":["java"]},{"id":"java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify","message":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.","metadata":{"cwe":["CWE-345: Insufficient Verification of Data Authenticity"],"owasp":["A08:2021 - Software and Data Integrity Failures","A08:2025 - Software or Data Integrity Failures"],"source-rule-url":"https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/","category":"security","technology":["jwt"],"confidence":"MEDIUM","references":["https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"],"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authentication"],"source":"https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify","shortlink":"https://sg.run/Bk95","semgrep.dev":{"rule":{"r_id":9151,"rv_id":1262979,"rule_id":"pKUOE9","version_id":"vdT06Lp","url":"https://semgrep.dev/playground/r/vdT06Lp/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify","origin":"community"}}},"languages":["java"],"severity":"WARNING","patterns":[{"pattern":"com.auth0.jwt.JWT.decode(...);\n"},{"pattern-not-inside":"class $CLASS {\n  ...\n  $RETURNTYPE $FUNC (...) {\n    ...\n    $VERIFIER.verify(...);\n    ...\n  }\n}"}]},{"id":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","message":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.","metadata":{"cwe":["CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"],"owasp":["A03:2021 - Injection","A05:2025 - Injection"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS","category":"security","technology":["java"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"subcategory":["vuln"],"likelihood":"LOW","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Validation"],"source":"https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","shortlink":"https://sg.run/wek0","semgrep.dev":{"rule":{"r_id":9173,"rv_id":1262995,"rule_id":"8GUjwW","version_id":"RGT0LEr","url":"https://semgrep.dev/playground/r/RGT0LEr/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","origin":"community"}}},"severity":"WARNING","languages":["java"],"patterns":[{"pattern-either":[{"patterns":[{"pattern-inside":"class $CLASS {\n  ...\n  Logger $LOG = ...;\n  ...\n}\n"},{"pattern-either":[{"pattern-inside":"$X $METHOD(...,HttpServletRequest $REQ,...) {\n  ...\n}\n"},{"pattern-inside":"$X $METHOD(...,ServletRequest $REQ,...) {\n  ...\n}\n"},{"pattern-inside":"$X $METHOD(...) {\n  ...\n  HttpServletRequest $REQ = ...;\n  ...\n}\n"},{"pattern-inside":"$X $METHOD(...) {\n  ...\n  ServletRequest $REQ = ...;\n  ...\n}\n"}]}]},{"pattern-inside":"$X $METHOD(...) {\n  ...\n  Logger $LOG = ...;\n  ...\n  HttpServletRequest $REQ = ...;\n  ...\n}\n"},{"pattern-inside":"$X $METHOD(...) {\n  ...\n  Logger $LOG = ...;\n  ...\n  ServletRequest $REQ = ...;\n  ...\n}\n"}]},{"pattern-either":[{"pattern":"String $VAL = $REQ.getParameter(...);\n...\n$LOG.$LEVEL(<... $VAL ...>);\n"},{"pattern":"String $VAL = $REQ.getParameter(...);\n...\n$LOG.log($LEVEL,<... $VAL ...>);\n"},{"pattern":"$LOG.$LEVEL(<... $REQ.getParameter(...) ...>);\n"},{"pattern":"$LOG.log($LEVEL,<... $REQ.getParameter(...) ...>);\n"}]}]},{"id":"java.spring.security.injection.tainted-html-string.tainted-html-string","languages":["java"],"severity":"ERROR","message":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"category":"security","technology":["java","spring"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string","shortlink":"https://sg.run/ObdR","semgrep.dev":{"rule":{"r_id":22075,"rv_id":1409395,"rule_id":"YGUvkL","version_id":"3ZT2598","url":"https://semgrep.dev/playground/r/3ZT2598/java.spring.security.injection.tainted-html-string.tainted-html-string","origin":"community"}}},"mode":"taint","pattern-sources":[{"label":"INPUT","patterns":[{"pattern-either":[{"pattern-inside":"$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n  ...\n}\n"},{"pattern-inside":"$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n  ...\n}\n"}]},{"metavariable-regex":{"metavariable":"$TYPE","regex":"^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"}},{"metavariable-regex":{"metavariable":"$REQ","regex":"(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)"}},{"focus-metavariable":"$SOURCE"}]},{"label":"CONCAT","by-side-effect":true,"requires":"INPUT","patterns":[{"pattern-either":[{"pattern":"\"$HTMLSTR\" + ...\n"},{"pattern":"\"$HTMLSTR\".concat(...)\n"},{"patterns":[{"pattern-inside":"StringBuilder $SB = new StringBuilder(\"$HTMLSTR\");\n...\n"},{"pattern":"$SB.append(...)"}]},{"patterns":[{"pattern-inside":"$VAR = \"$HTMLSTR\";\n...\n"},{"pattern":"$VAR += ..."}]},{"pattern":"String.format(\"$HTMLSTR\", ...)"},{"patterns":[{"pattern-inside":"String $VAR = \"$HTMLSTR\";\n...\n"},{"pattern":"String.format($VAR, ...)"}]}]},{"metavariable-regex":{"metavariable":"$HTMLSTR","regex":"^<\\w+"}}]}],"pattern-propagators":[{"pattern":"(StringBuilder $SB).append($...TAINTED)","from":"$...TAINTED","to":"$SB"},{"pattern":"$VAR += $...TAINTED","from":"$...TAINTED","to":"$VAR"}],"pattern-sinks":[{"requires":"CONCAT","patterns":[{"pattern-either":[{"pattern":"new ResponseEntity<>($PAYLOAD, ...)"},{"pattern":"new ResponseEntity<$ERROR>($PAYLOAD, ...)"},{"pattern":"ResponseEntity. ... .body($PAYLOAD)"},{"patterns":[{"pattern":"ResponseEntity.$RESPFUNC($PAYLOAD). ...\n"},{"metavariable-regex":{"metavariable":"$RESPFUNC","regex":"^(ok|of)$"}}]}]},{"focus-metavariable":"$PAYLOAD"}]}],"pattern-sanitizers":[{"pattern-either":[{"pattern":"Encode.forHtml(...)"},{"pattern":"(PolicyFactory $POLICY).sanitize(...)"},{"pattern":"(AntiSamy $AS).scan(...)"},{"pattern":"JSoup.clean(...)"}]}]},{"id":"java.lang.security.audit.md5-used-as-password.md5-used-as-password","languages":["java"],"severity":"WARNING","message":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.","metadata":{"category":"security","technology":["java","md5"],"references":["https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html","https://github.com/returntocorp/semgrep-rules/issues/1609","https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory","https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password","shortlink":"https://sg.run/JxEQ","semgrep.dev":{"rule":{"r_id":14690,"rv_id":1263029,"rule_id":"JDULAW","version_id":"bZT53QB","url":"https://semgrep.dev/playground/r/bZT53QB/java.lang.security.audit.md5-used-as-password.md5-used-as-password","origin":"community"}}},"mode":"taint","pattern-sources":[{"patterns":[{"pattern-inside":"$TYPE $MD = MessageDigest.getInstance(\"MD5\");\n...\n"},{"pattern":"$MD.digest(...);"}]}],"pattern-sinks":[{"patterns":[{"pattern":"$MODEL.$METHOD(...);"},{"metavariable-regex":{"metavariable":"$METHOD","regex":"(?i)(.*password.*)"}}]}]},{"id":"java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal","metadata":{"owasp":["A05:2017 - Broken Access Control","A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"cwe":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN","references":["https://www.owasp.org/index.php/Path_Traversal"],"category":"security","technology":["jax-rs"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"LOW","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal","shortlink":"https://sg.run/DoWj","semgrep.dev":{"rule":{"r_id":9152,"rv_id":1262984,"rule_id":"2ZUb9l","version_id":"7ZTE3KW","url":"https://semgrep.dev/playground/r/7ZTE3KW/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal","origin":"community"}}},"message":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.","severity":"WARNING","languages":["java"],"pattern-either":[{"pattern":"$RETURNTYPE $FUNC (..., @PathParam(...) $TYPE $VAR, ...) {\n  ...\n  new File(..., $VAR, ...);\n  ...\n}\n"},{"pattern":"$RETURNTYPE $FUNC (..., @javax.ws.rs.PathParam(...) $TYPE $VAR, ...) {\n  ...\n  new File(..., $VAR, ...);\n  ...\n}"}]},{"id":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","message":"RSA keys should be at least 2048 bits based on NIST recommendation.","languages":["java"],"severity":"WARNING","metadata":{"functional-categories":["crypto::search::key-length::java.security"],"cwe":["CWE-326: Inadequate Encryption Strength"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE","asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"references":["https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms"],"category":"security","technology":["java"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","shortlink":"https://sg.run/4x6x","semgrep.dev":{"rule":{"r_id":9200,"rv_id":1263019,"rule_id":"0oU5P5","version_id":"o5TbDLY","url":"https://semgrep.dev/playground/r/o5TbDLY/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","origin":"community"}}},"patterns":[{"pattern":"KeyPairGenerator $KEY = $G.getInstance(\"RSA\");\n...\n$KEY.initialize($BITS);\n"},{"metavariable-comparison":{"metavariable":"$BITS","comparison":"$BITS < 2048"}}]},{"id":"java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true","severity":"ERROR","metadata":{"cwe":["CWE-611: Improper Restriction of XML External Entity Reference"],"owasp":["A04:2017 - XML External Entities (XXE)","A05:2021 - Security Misconfiguration","A02:2025 - Security Misconfiguration"],"asvs":{"section":"V5 Validation, Sanitization and Encoding","control_id":"5.5.2 Insecue XML Deserialization","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention","version":"4"},"references":["https://semgrep.dev/blog/2022/xml-security-in-java","https://semgrep.dev/docs/cheat-sheets/java-xxe/","https://blog.sonarsource.com/secure-xml-processor"],"category":"security","technology":["java","xml"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["XML Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true","shortlink":"https://sg.run/5Lv0","semgrep.dev":{"rule":{"r_id":18247,"rv_id":1263060,"rule_id":"yyUNeo","version_id":"l4TJRoL","url":"https://semgrep.dev/playground/r/l4TJRoL/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true","origin":"community"}}},"message":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.","pattern":"$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", true);","fix":"$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);","languages":["java"]},{"id":"java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection","metadata":{"cwe":["CWE-297: Improper Validation of Certificate with Host Mismatch"],"owasp":["A07:2021 - Identification and Authentication Failures","A07:2025 - Authentication Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL","category":"security","technology":["java"],"references":["https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"],"subcategory":["vuln"],"likelihood":"LOW","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authentication"],"source":"https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection","shortlink":"https://sg.run/vzN4","semgrep.dev":{"rule":{"r_id":9177,"rv_id":1263024,"rule_id":"4bUkrW","version_id":"jQTn5Dv","url":"https://semgrep.dev/playground/r/jQTn5Dv/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection","origin":"community"}}},"message":"Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.","severity":"WARNING","patterns":[{"pattern-not-inside":"$EMAIL.setSSLCheckServerIdentity(true);\n...\n"},{"pattern-inside":"$EMAIL = new SimpleEmail(...);\n...\n"},{"pattern":"$EMAIL.send(...);"}],"languages":["java"]},{"id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false","severity":"ERROR","metadata":{"cwe":["CWE-611: Improper Restriction of XML External Entity Reference"],"owasp":["A04:2017 - XML External Entities (XXE)","A05:2021 - Security Misconfiguration","A02:2025 - Security Misconfiguration"],"asvs":{"section":"V5 Validation, Sanitization and Encoding","control_id":"5.5.2 Insecue XML Deserialization","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention","version":"4"},"references":["https://semgrep.dev/blog/2022/xml-security-in-java","https://semgrep.dev/docs/cheat-sheets/java-xxe/","https://blog.sonarsource.com/secure-xml-processor","https://xerces.apache.org/xerces2-j/features.html"],"category":"security","technology":["java","xml"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["XML Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false","shortlink":"https://sg.run/4Dv5","semgrep.dev":{"rule":{"r_id":18244,"rv_id":1263057,"rule_id":"j2UrJ8","version_id":"0bTKzgX","url":"https://semgrep.dev/playground/r/0bTKzgX/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false","origin":"community"}}},"message":"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.","patterns":[{"pattern":"$DBFACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", false);"},{"pattern-not-inside":"$RETURNTYPE $METHOD(...){\n  ...\n  $DBF.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  ...\n  $DBF.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  ...\n}\n"},{"pattern-not-inside":"$RETURNTYPE $METHOD(...){\n  ...\n  $DBF.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  ...\n  $DBF.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  ...\n}\n"},{"pattern-not-inside":"$RETURNTYPE $METHOD(...){\n  ...\n  $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n  ...\n  $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\");\n  ...\n}\n"},{"pattern-not-inside":"$RETURNTYPE $METHOD(...){\n  ...\n  $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\");\n  ...\n  $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n  ...\n}\n"}],"languages":["java"]},{"id":"java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe","severity":"WARNING","metadata":{"cwe":["CWE-611: Improper Restriction of XML External Entity Reference"],"owasp":["A04:2017 - XML External Entities (XXE)","A05:2021 - Security Misconfiguration","A02:2025 - Security Misconfiguration"],"asvs":{"section":"V5 Validation, Sanitization and Encoding","control_id":"5.5.2 Insecue XML Deserialization","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention","version":"4"},"references":["https://semgrep.dev/blog/2022/xml-security-in-java","https://semgrep.dev/docs/cheat-sheets/java-xxe/","https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf","https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser"],"category":"security","technology":["java"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["XML Injection"],"source":"https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe","shortlink":"https://sg.run/XBwA","semgrep.dev":{"rule":{"r_id":9164,"rv_id":1263069,"rule_id":"OrU35O","version_id":"1QTypQZ","url":"https://semgrep.dev/playground/r/1QTypQZ/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe","origin":"community"}}},"message":"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.","patterns":[{"pattern-not-inside":"$METHOD(...) {\n  ...\n  $XMLFACTORY.setProperty(\"javax.xml.stream.isSupportingExternalEntities\", false);\n  ...\n}\n"},{"pattern-not-inside":"$METHOD(...) {\n  ...\n  $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);\n  ...\n}\n"},{"pattern-not-inside":"$METHOD(...) {\n  ...\n  $XMLFACTORY.setProperty(\"javax.xml.stream.isSupportingExternalEntities\", Boolean.FALSE);\n  ...\n}\n"},{"pattern-not-inside":"$METHOD(...) {\n  ...\n  $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);\n  ...\n}\n"},{"pattern-either":[{"pattern":"javax.xml.stream.XMLInputFactory.newFactory(...)"},{"pattern":"new XMLInputFactory(...)"}]}],"languages":["java"]},{"id":"java.spring.security.injection.tainted-url-host.tainted-url-host","languages":["java"],"severity":"ERROR","message":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.","options":{"interfile":true},"metadata":{"cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)","A01:2025 - Broken Access Control"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"],"category":"security","technology":["java","spring"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"impact":"MEDIUM","likelihood":"MEDIUM","confidence":"MEDIUM","interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host","shortlink":"https://sg.run/vkYn","semgrep.dev":{"rule":{"r_id":22077,"rv_id":1263088,"rule_id":"oqUZo8","version_id":"gETB708","url":"https://semgrep.dev/playground/r/gETB708/java.spring.security.injection.tainted-url-host.tainted-url-host","origin":"community"}}},"mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"pattern-inside":"$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n  ...\n}\n"},{"pattern-inside":"$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n  ...\n}\n"}]},{"metavariable-regex":{"metavariable":"$TYPE","regex":"^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"}},{"metavariable-regex":{"metavariable":"$REQ","regex":"(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)"}},{"focus-metavariable":"$SOURCE"}]}],"pattern-sinks":[{"pattern-either":[{"pattern":"new URL($ONEARG)"},{"patterns":[{"pattern-either":[{"pattern":"\"$URLSTR\" + ...\n"},{"pattern":"\"$URLSTR\".concat(...)\n"},{"patterns":[{"pattern-inside":"StringBuilder $SB = new StringBuilder(\"$URLSTR\");\n...\n"},{"pattern":"$SB.append(...)"}]},{"patterns":[{"pattern-inside":"$VAR = \"$URLSTR\";\n...\n"},{"pattern":"$VAR += ..."}]},{"patterns":[{"pattern":"String.format(\"$URLSTR\", ...)"},{"pattern-not":"String.format(\"$URLSTR\", \"...\", ...)"}]},{"patterns":[{"pattern-inside":"String $VAR = \"$URLSTR\";\n...\n"},{"pattern":"String.format($VAR, ...)"}]}]},{"metavariable-regex":{"metavariable":"$URLSTR","regex":"http(s?)://%(v|s|q).*"}}]}]}]},{"id":"java.aws-lambda.security.tainted-sqli.tainted-sqli","message":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.","languages":["java"],"severity":"WARNING","mode":"taint","pattern-sources":[{"patterns":[{"focus-metavariable":"$EVENT"},{"pattern-either":[{"pattern":"$HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n  ...\n}\n"},{"pattern":"$HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n  ...\n}\n"}]}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"(java.sql.CallableStatement $STMT) = ...; \n"},{"pattern":"(java.sql.Statement $STMT) = ...;\n"},{"pattern":"(java.sql.PreparedStatement $STMT) = ...;\n"},{"pattern":"$VAR = $CONN.prepareStatement(...)\n"},{"pattern":"$PATH.queryForObject(...);\n"},{"pattern":"(java.util.Map<String, Object> $STMT) = $PATH.queryForMap(...);\n"},{"pattern":"(org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...;\n"},{"patterns":[{"pattern-inside":"(String $SQL) = \"$SQLSTR\" + ...;\n...\n"},{"pattern":"$PATH.$SQLCMD(..., $SQL, ...);"},{"metavariable-regex":{"metavariable":"$SQLSTR","regex":"(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)"}},{"metavariable-regex":{"metavariable":"$SQLCMD","regex":"(execute|query|executeUpdate|batchUpdate)"}}]}]}]}],"options":{"interfile":true},"metadata":{"category":"security","technology":["sql","java","aws-lambda"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli","shortlink":"https://sg.run/7942","semgrep.dev":{"rule":{"r_id":18238,"rv_id":1262978,"rule_id":"6JUDWk","version_id":"e1Tyj4g","url":"https://semgrep.dev/playground/r/e1Tyj4g/java.aws-lambda.security.tainted-sqli.tainted-sqli","origin":"community"}}}},{"id":"java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated","message":"DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.","metadata":{"functional-categories":["crypto::search::symmetric-algorithm::javax.crypto"],"cwe":["CWE-326: Inadequate Encryption Strength"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#DES_USAGE","asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"references":["https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard","https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms"],"category":"security","technology":["java"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated","shortlink":"https://sg.run/5Q73","semgrep.dev":{"rule":{"r_id":9191,"rv_id":1262996,"rule_id":"PeUZNg","version_id":"A8TgdEn","url":"https://semgrep.dev/playground/r/A8TgdEn/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated","origin":"community"}}},"severity":"WARNING","patterns":[{"pattern-either":[{"pattern-inside":"$CIPHER.getInstance(\"=~/DES/.*/\")"},{"pattern-inside":"$CIPHER.getInstance(\"DES\")"}]},{"pattern-either":[{"pattern":"\"=~/DES/.*/\"\n"},{"pattern":"\"DES\"\n"}]}],"fix":"\"AES/GCM/NoPadding\"\n","languages":["java","kt"]},{"id":"java.spring.security.audit.spring-sqli.spring-sqli","mode":"taint","pattern-sources":[{"patterns":[{"pattern":"$ARG"},{"pattern-inside":"public $T $M (..., String $ARG,...){...}\n"}]}],"pattern-sanitizers":[{"not_conflicting":true,"pattern-either":[{"patterns":[{"focus-metavariable":"$A"},{"pattern-inside":"new $TYPE(...,$A,...);\n"}]}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"patterns":[{"focus-metavariable":"$A"},{"pattern":"new PreparedStatementCreatorFactory($A,...);\n"}]},{"patterns":[{"focus-metavariable":"$A"},{"pattern":"(JdbcTemplate $T).$M($A,...)\n"}]},{"patterns":[{"pattern":"(String $A)"},{"pattern-inside":"(JdbcTemplate $T).batchUpdate(...)\n"}]},{"patterns":[{"focus-metavariable":"$A"},{"pattern":"NamedParameterBatchUpdateUtils.$M($A,...)\n"}]},{"patterns":[{"focus-metavariable":"$A"},{"pattern":"BatchUpdateUtils.$M($A,...)\n"}]}]}]}],"message":"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.","languages":["java"],"severity":"WARNING","options":{"taint_assume_safe_numbers":true,"taint_assume_safe_booleans":true},"metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"category":"security","technology":["spring"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli","shortlink":"https://sg.run/1Z3x","semgrep.dev":{"rule":{"r_id":9222,"rv_id":1263082,"rule_id":"eqU8N2","version_id":"ZRTKAWW","url":"https://semgrep.dev/playground/r/ZRTKAWW/java.spring.security.audit.spring-sqli.spring-sqli","origin":"community"}}}},{"id":"java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding","metadata":{"functional-categories":["crypto::search::mode::javax.crypto"],"cwe":["CWE-326: Inadequate Encryption Strength"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING","references":["https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/"],"asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"category":"security","technology":["java","kotlin"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding","shortlink":"https://sg.run/DoOj","semgrep.dev":{"rule":{"r_id":9196,"rv_id":1263003,"rule_id":"AbUzoj","version_id":"l4TJRpK","url":"https://semgrep.dev/playground/r/l4TJRpK/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding","origin":"community"}}},"message":"Using RSA without OAEP mode weakens the encryption.","severity":"WARNING","languages":["java","kt"],"pattern":"$CIPHER.getInstance(\"=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/\")"},{"id":"java.spring.security.injection.tainted-sql-string.tainted-sql-string","languages":["java"],"severity":"ERROR","message":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html"],"category":"security","technology":["spring"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string","shortlink":"https://sg.run/9rzz","semgrep.dev":{"rule":{"r_id":14767,"rv_id":1409396,"rule_id":"10UdRR","version_id":"44TbKvr","url":"https://semgrep.dev/playground/r/44TbKvr/java.spring.security.injection.tainted-sql-string.tainted-sql-string","origin":"community"}}},"options":{"taint_assume_safe_numbers":true,"taint_assume_safe_booleans":true,"interfile":true},"mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"pattern-inside":"$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n  ...\n}\n"},{"pattern-inside":"$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n  ...\n}\n"}]},{"metavariable-regex":{"metavariable":"$REQ","regex":"(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue)"}},{"metavariable-regex":{"metavariable":"$TYPE","regex":"^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"}},{"focus-metavariable":"$SOURCE"}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"\"$SQLSTR\" + ...\n"},{"pattern":"\"$SQLSTR\".concat(...)\n"},{"patterns":[{"pattern-inside":"StringBuilder $SB = new StringBuilder(\"$SQLSTR\");\n...\n"},{"pattern":"$SB.append(...)"}]},{"patterns":[{"pattern-inside":"$VAR = \"$SQLSTR\";\n...\n"},{"pattern":"$VAR += ..."}]},{"pattern":"String.format(\"$SQLSTR\", ...)"},{"patterns":[{"pattern-inside":"String $VAR = \"$SQLSTR\";\n...\n"},{"pattern":"String.format($VAR, ...)"}]}]},{"pattern-not-inside":"System.out.println(...)"},{"pattern-not-inside":"$LOG.info(...)"},{"pattern-not-inside":"$LOG.warn(...)"},{"pattern-not-inside":"$LOG.warning(...)"},{"pattern-not-inside":"$LOG.debug(...)"},{"pattern-not-inside":"$LOG.debugging(...)"},{"pattern-not-inside":"$LOG.error(...)"},{"pattern-not-inside":"new Exception(...)"},{"pattern-not-inside":"throw ...;"},{"metavariable-regex":{"metavariable":"$SQLSTR","regex":"(?i)(select|delete|insert|create|update|alter|drop)\\b"}}]}]},{"id":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","languages":["java"],"severity":"ERROR","message":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.","options":{"interfile":true},"metadata":{"references":["https://owasp.org/www-community/attacks/SQL_Injection"],"category":"security","owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"technology":["aws-lambda"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string","shortlink":"https://sg.run/EBYN","semgrep.dev":{"rule":{"r_id":18237,"rv_id":1262977,"rule_id":"YGUl4z","version_id":"O9TpxQN","url":"https://semgrep.dev/playground/r/O9TpxQN/java.aws-lambda.security.tainted-sql-string.tainted-sql-string","origin":"community"}}},"mode":"taint","pattern-sources":[{"patterns":[{"focus-metavariable":"$EVENT"},{"pattern-either":[{"pattern":"$HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n  ...\n}\n"},{"pattern":"$HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n  ...\n}\n"}]}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"\"$SQLSTR\" + ...\n"},{"pattern":"\"$SQLSTR\".concat(...)\n"},{"patterns":[{"pattern-inside":"StringBuilder $SB = new StringBuilder(\"$SQLSTR\");\n...\n"},{"pattern":"$SB.append(...)"}]},{"patterns":[{"pattern-inside":"$VAR = \"$SQLSTR\";\n...\n"},{"pattern":"$VAR += ..."}]},{"pattern":"String.format(\"$SQLSTR\", ...)"}]},{"metavariable-regex":{"metavariable":"$SQLSTR","regex":"(?i)(select|delete|insert|create|update|alter|drop)\\b"}},{"pattern-not-inside":"System.out.$PRINTLN(...)\n"}]}]},{"id":"java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret","message":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"],"owasp":["A07:2021 - Identification and Authentication Failures","A07:2025 - Authentication Failures"],"technology":["java","secrets","jwt"],"category":"security","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret","shortlink":"https://sg.run/RoDK","semgrep.dev":{"rule":{"r_id":9149,"rv_id":1262980,"rule_id":"oqUeAn","version_id":"d6Tyx8j","url":"https://semgrep.dev/playground/r/d6Tyx8j/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret","origin":"community"}}},"languages":["java"],"severity":"WARNING","patterns":[{"pattern-either":[{"pattern":"(Algorithm $ALG) = $ALGO.$HMAC(\"$Y\");\n"},{"pattern":"$SECRET = \"$Y\";\n...\n(Algorithm $ALG) = $ALGO.$HMAC($SECRET);\n"},{"pattern":"class $CLASS {\n  ...\n  $TYPE $SECRET = \"$Y\";\n  ...\n  $RETURNTYPE $FUNC (...) {\n    ...\n    (Algorithm $ALG) = $ALGO.$HMAC($SECRET);\n    ...\n  }\n  ...\n}\n"}]},{"focus-metavariable":"$Y"},{"metavariable-regex":{"metavariable":"$HMAC","regex":"(HMAC384|HMAC256|HMAC512)"}}]},{"id":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","severity":"ERROR","metadata":{"cwe":["CWE-611: Improper Restriction of XML External Entity Reference"],"owasp":["A04:2017 - XML External Entities (XXE)","A05:2021 - Security Misconfiguration","A02:2025 - Security Misconfiguration"],"asvs":{"section":"V5 Validation, Sanitization and Encoding","control_id":"5.5.2 Insecue XML Deserialization","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention","version":"4"},"references":["https://semgrep.dev/blog/2022/xml-security-in-java","https://semgrep.dev/docs/cheat-sheets/java-xxe/","https://blog.sonarsource.com/secure-xml-processor"],"category":"security","technology":["java","xml"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["XML Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","shortlink":"https://sg.run/JgPy","semgrep.dev":{"rule":{"r_id":18246,"rv_id":1263059,"rule_id":"9AUJ6r","version_id":"qkTR7Lk","url":"https://semgrep.dev/playground/r/qkTR7Lk/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","origin":"community"}}},"message":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.","pattern":"$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", true);","fix":"$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);","languages":["java"]},{"id":"java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization","severity":"WARNING","languages":["java"],"metadata":{"cwe":["CWE-502: Deserialization of Untrusted Data"],"owasp":["A08:2017 - Insecure Deserialization","A08:2021 - Software and Data Integrity Failures","A08:2025 - Software or Data Integrity Failures"],"asvs":{"section":"V5 Validation, Sanitization and Encoding","control_id":"5.5.3 Insecue Deserialization","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention","version":"4"},"references":["https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf"],"category":"security","technology":["java"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Deserialization "],"source":"https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization","shortlink":"https://sg.run/zvO1","semgrep.dev":{"rule":{"r_id":9161,"rv_id":1263065,"rule_id":"kxUk12","version_id":"pZT03A1","url":"https://semgrep.dev/playground/r/pZT03A1/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization","origin":"community"}}},"message":"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.","patterns":[{"pattern-inside":"public class $JMS_LISTENER implements MessageListener {\n  ...\n  public void onMessage(Message $JMS_MSG) {\n      ...\n  }\n}\n"},{"pattern-either":[{"pattern-inside":"$X = $Y.getObject(...);"},{"pattern-inside":"$X = ($Z) $Y.getObject(...);"}]}]},{"id":"java.java-jwt.security.jwt-none-alg.java-jwt-none-alg","message":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.","metadata":{"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"source-rule-url":"https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/","category":"security","technology":["jwt"],"confidence":"HIGH","references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg","shortlink":"https://sg.run/Av14","semgrep.dev":{"rule":{"r_id":9150,"rv_id":1262981,"rule_id":"zdUkzR","version_id":"ZRTKADq","url":"https://semgrep.dev/playground/r/ZRTKADq/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg","origin":"community"}}},"languages":["java"],"severity":"ERROR","pattern-either":[{"pattern":"$JWT.sign(com.auth0.jwt.algorithms.Algorithm.none());\n"},{"pattern":"$NONE = com.auth0.jwt.algorithms.Algorithm.none();\n...\n$JWT.sign($NONE);\n"},{"pattern":"class $CLASS {\n  ...\n  $TYPE $NONE = com.auth0.jwt.algorithms.Algorithm.none();\n  ...\n  $RETURNTYPE $FUNC (...) {\n    ...\n    $JWT.sign($NONE);\n    ...\n  }\n  ...\n}"}]},{"id":"java.spring.security.injection.tainted-system-command.tainted-system-command","languages":["java"],"severity":"ERROR","mode":"taint","pattern-propagators":[{"pattern":"(StringBuilder $STRB).append($INPUT)","from":"$INPUT","to":"$STRB","label":"CONCAT","requires":"INPUT"}],"pattern-sources":[{"patterns":[{"pattern-either":[{"pattern-inside":"$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n  ...\n}\n"},{"pattern-inside":"$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n  ...\n}\n"}]},{"metavariable-regex":{"metavariable":"$TYPE","regex":"^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"}},{"metavariable-regex":{"metavariable":"$REQ","regex":"(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)"}},{"focus-metavariable":"$SOURCE"}],"label":"INPUT"},{"patterns":[{"pattern-either":[{"pattern":"$X + $SOURCE"},{"pattern":"$SOURCE + $Y"},{"pattern":"String.format(\"...\", ..., $SOURCE, ...)"},{"pattern":"String.join(\"...\", ..., $SOURCE, ...)"},{"pattern":"(String $STR).concat($SOURCE)"},{"pattern":"$SOURCE.concat(...)"},{"pattern":"$X += $SOURCE"},{"pattern":"$SOURCE += $X"}]}],"label":"CONCAT","requires":"INPUT"}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"(Process $P) = new Process(...);\n"},{"pattern":"(ProcessBuilder $PB).command(...);\n"},{"patterns":[{"pattern-either":[{"pattern":"(Runtime $R).$EXEC(...);\n"},{"pattern":"Runtime.getRuntime(...).$EXEC(...);\n"}]},{"metavariable-regex":{"metavariable":"$EXEC","regex":"(exec|loadLibrary|load)"}}]},{"patterns":[{"pattern":"(ProcessBuilder $PB).command(...).$ADD(...);\n"},{"metavariable-regex":{"metavariable":"$ADD","regex":"(add|addAll)"}}]},{"patterns":[{"pattern-either":[{"patterns":[{"pattern-inside":"$BUILDER = new ProcessBuilder(...);\n...\n"},{"pattern":"$BUILDER.start(...)"}]},{"pattern":"new ProcessBuilder(...). ... .start(...);\n"}]}]}]}],"requires":"CONCAT"}],"message":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.","metadata":{"cwe":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"category":"security","technology":["java","spring"],"confidence":"HIGH","references":["https://www.stackhawk.com/blog/command-injection-java/","https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html","https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Command Injection"],"source":"https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command","shortlink":"https://sg.run/epY0","semgrep.dev":{"rule":{"r_id":22076,"rv_id":1263087,"rule_id":"6JUxGN","version_id":"8KT5rnP","url":"https://semgrep.dev/playground/r/8KT5rnP/java.spring.security.injection.tainted-system-command.tainted-system-command","origin":"community"}}}},{"id":"java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect","message":"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.","metadata":{"cwe":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"],"owasp":["A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT","category":"security","technology":["spring"],"references":["https://owasp.org/Top10/A01_2021-Broken_Access_Control"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Open Redirect"],"source":"https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect","shortlink":"https://sg.run/9oXz","semgrep.dev":{"rule":{"r_id":9223,"rv_id":1263083,"rule_id":"v8Un7w","version_id":"nWT2Lk0","url":"https://semgrep.dev/playground/r/nWT2Lk0/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect","origin":"community"}}},"severity":"WARNING","languages":["java"],"pattern-either":[{"pattern":"$X $METHOD(...,String $URL,...) {\n  return \"redirect:\" + $URL;\n}\n"},{"pattern":"$X $METHOD(...,String $URL,...) {\n  ...\n  String $REDIR = \"redirect:\" + $URL;\n  ...\n  return $REDIR;\n  ...\n}\n"},{"pattern":"$X $METHOD(...,String $URL,...) {\n  ...\n  new ModelAndView(\"redirect:\" + $URL);\n  ...\n}\n"},{"pattern":"$X $METHOD(...,String $URL,...) {\n  ...\n  String $REDIR = \"redirect:\" + $URL;\n  ...\n  new ModelAndView($REDIR);\n  ...\n}"}]},{"id":"java.jboss.security.session_sqli.find-sql-string-concatenation","message":"In $METHOD, $X is used to construct a SQL query via string concatenation.","languages":["java"],"severity":"ERROR","pattern-either":[{"pattern":"$RETURN $METHOD(...,String $X,...){\n  ...\n  Session $SESSION = ...;\n  ...\n  String $QUERY = ... + $X + ...;\n  ...\n  PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY);\n  ...\n  ResultSet $RESULT = $PS.executeQuery();\n  ...\n}\n"},{"pattern":"$RETURN $METHOD(...,String $X,...){\n  ...\n  String $QUERY = ... + $X + ...;\n  ...\n  Session $SESSION = ...;\n  ...\n  PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY);\n  ...\n  ResultSet $RESULT = $PS.executeQuery();\n  ...\n}\n"}],"metadata":{"category":"security","technology":["jboss"],"confidence":"MEDIUM","cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation","shortlink":"https://sg.run/W8kA","semgrep.dev":{"rule":{"r_id":9153,"rv_id":1262986,"rule_id":"X5U8rQ","version_id":"8KT5r3v","url":"https://semgrep.dev/playground/r/8KT5r3v/java.jboss.security.session_sqli.find-sql-string-concatenation","origin":"community"}}}},{"id":"java.spring.security.injection.tainted-file-path.tainted-file-path","languages":["java"],"severity":"ERROR","message":"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.","options":{"interfile":true},"metadata":{"cwe":["CWE-23: Relative Path Traversal"],"owasp":["A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"references":["https://owasp.org/www-community/attacks/Path_Traversal"],"category":"security","technology":["java","spring"],"subcategory":["vuln"],"impact":"HIGH","likelihood":"MEDIUM","confidence":"HIGH","interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path","shortlink":"https://sg.run/x9o0","semgrep.dev":{"rule":{"r_id":22074,"rv_id":1263084,"rule_id":"lBUxok","version_id":"ExTEx6Y","url":"https://semgrep.dev/playground/r/ExTEx6Y/java.spring.security.injection.tainted-file-path.tainted-file-path","origin":"community"}}},"mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"pattern-inside":"$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n  ...\n}\n"},{"pattern-inside":"$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n  ...\n}\n"}]},{"metavariable-regex":{"metavariable":"$TYPE","regex":"^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"}},{"metavariable-regex":{"metavariable":"$REQ","regex":"(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)"}},{"focus-metavariable":"$SOURCE"}]}],"pattern-sinks":[{"patterns":[{"pattern-either":[{"pattern":"new File(...)"},{"pattern":"new java.io.File(...)"},{"pattern":"new FileReader(...)"},{"pattern":"new java.io.FileReader(...)"},{"pattern":"new FileInputStream(...)"},{"pattern":"new java.io.FileInputStream(...)"},{"pattern":"(Paths $PATHS).get(...)"},{"patterns":[{"pattern":"$CLASS.$FUNC(...)\n"},{"metavariable-regex":{"metavariable":"$FUNC","regex":"^(getResourceAsStream|getResource)$"}}]},{"patterns":[{"pattern-either":[{"pattern":"new ClassPathResource($FILE, ...)"},{"pattern":"ResourceUtils.getFile($FILE, ...)"},{"pattern":"new FileOutputStream($FILE, ...)"},{"pattern":"new java.io.FileOutputStream($FILE, ...)"},{"pattern":"new StreamSource($FILE, ...)"},{"pattern":"new javax.xml.transform.StreamSource($FILE, ...)"},{"pattern":"FileUtils.openOutputStream($FILE, ...)"}]},{"focus-metavariable":"$FILE"}]}]}]}],"pattern-sanitizers":[{"pattern":"org.apache.commons.io.FilenameUtils.getName(...)"}]},{"id":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","message":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.","languages":["java"],"severity":"WARNING","metadata":{"functional-categories":["crypto::search::hash-algorithm::org.apache.commons"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"cwe":["CWE-328: Use of Weak Hash"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5","category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Hashing Algorithm"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","shortlink":"https://sg.run/AWL2","semgrep.dev":{"rule":{"r_id":39194,"rv_id":1263012,"rule_id":"BYUGK0","version_id":"WrTqK7K","url":"https://semgrep.dev/playground/r/WrTqK7K/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","origin":"community"}}},"patterns":[{"pattern":"$DU.$GET_ALGO().digest(...)\n"},{"metavariable-pattern":{"metavariable":"$GET_ALGO","pattern":"getMd5Digest"}},{"metavariable-pattern":{"metavariable":"$DU","pattern":"DigestUtils"}},{"focus-metavariable":"$GET_ALGO"}],"fix":"getSha512Digest\n"},{"id":"java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb","pattern":"$CIPHER.getInstance(\"=~/AES/ECB.*/\")","metadata":{"functional-categories":["crypto::search::mode::javax.crypto"],"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures","https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb","shortlink":"https://sg.run/dB2Y","semgrep.dev":{"rule":{"r_id":48734,"rv_id":1263009,"rule_id":"WAU2yA","version_id":"A8TgdEo","url":"https://semgrep.dev/playground/r/A8TgdEo/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb","origin":"community"}}},"message":"Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and  is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.","severity":"WARNING","languages":["java"]},{"id":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","pattern":"$CIPHER.getInstance(\"Blowfish\")","metadata":{"functional-categories":["crypto::search::symmetric-algorithm::javax.crypto"],"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures","https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","shortlink":"https://sg.run/ZE4n","semgrep.dev":{"rule":{"r_id":48735,"rv_id":1263010,"rule_id":"0oUR28","version_id":"BjTkZy0","url":"https://semgrep.dev/playground/r/BjTkZy0/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","origin":"community"}}},"message":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that  makes it vulnerable to birthday attacks, and is therefore considered non-compliant.  Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.","severity":"WARNING","languages":["java"]},{"id":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","pattern-either":[{"patterns":[{"pattern-either":[{"pattern-inside":"import javax;\n...\n"}]},{"pattern-either":[{"pattern":"javax.crypto.Cipher.getInstance(\"AES\")"},{"pattern":"(javax.crypto.Cipher $CIPHER).getInstance(\"AES\")"}]}]},{"patterns":[{"pattern-either":[{"pattern-inside":"import javax.*;\n...\n"},{"pattern-inside":"import javax.crypto;\n...\n"}]},{"pattern-either":[{"pattern":"crypto.Cipher.getInstance(\"AES\")"},{"pattern":"(crypto.Cipher $CIPHER).getInstance(\"AES\")"}]}]},{"patterns":[{"pattern-either":[{"pattern-inside":"import javax.crypto.*;\n...\n"},{"pattern-inside":"import javax.crypto.Cipher;\n...\n"}]},{"pattern-either":[{"pattern":"Cipher.getInstance(\"AES\")"},{"pattern":"(Cipher $CIPHER).getInstance(\"AES\")"}]}]}],"metadata":{"functional-categories":["crypto::search::mode::javax.crypto"],"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures","https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","shortlink":"https://sg.run/nzKO","semgrep.dev":{"rule":{"r_id":48736,"rv_id":1263011,"rule_id":"KxUB7Z","version_id":"DkTRbwy","url":"https://semgrep.dev/playground/r/DkTRbwy/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","origin":"community"}}},"message":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't  provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.","severity":"WARNING","languages":["java"]},{"id":"java.lang.security.audit.crypto.use-of-rc2.use-of-rc2","pattern":"$CIPHER.getInstance(\"RC2\")","metadata":{"functional-categories":["crypto::search::symmetric-algorithm::javax.crypto"],"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures","https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2","shortlink":"https://sg.run/EEvA","semgrep.dev":{"rule":{"r_id":48737,"rv_id":1263014,"rule_id":"qNUzXG","version_id":"K3TKkg0","url":"https://semgrep.dev/playground/r/K3TKkg0/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2","origin":"community"}}},"message":"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.","severity":"WARNING","languages":["java"]},{"id":"java.lang.security.audit.crypto.use-of-rc4.use-of-rc4","pattern":"$CIPHER.getInstance(\"RC4\")","metadata":{"functional-categories":["crypto::search::symmetric-algorithm::javax.crypto"],"cwe":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"category":"security","technology":["java"],"references":["https://owasp.org/Top10/A02_2021-Cryptographic_Failures","https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cryptographic Issues"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4","shortlink":"https://sg.run/7OYR","semgrep.dev":{"rule":{"r_id":48738,"rv_id":1263015,"rule_id":"lBUw8k","version_id":"qkTR7vk","url":"https://semgrep.dev/playground/r/qkTR7vk/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4","origin":"community"}}},"message":"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.","severity":"WARNING","languages":["java"]},{"id":"problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request","message":"Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent  over an insecure channel. Instead, it is recommended to send requests over HTTPS.","severity":"WARNING","metadata":{"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","category":"security","cwe":"CWE-319: Cleartext Transmission of Sensitive Information","owasp":"A03:2017 - Sensitive Data Exposure","references":["https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html","https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()"],"subcategory":["vuln"],"technology":["java"],"vulnerability":"Insecure Transport","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Mishandled Sensitive Information"],"source":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request","shortlink":"https://sg.run/QE2q","semgrep.dev":{"rule":{"r_id":48942,"rv_id":946061,"rule_id":"6JUOJ2","version_id":"WrTEo9G","url":"https://semgrep.dev/playground/r/WrTEo9G/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request","origin":"community"}}},"languages":["java"],"fix-regex":{"regex":"[Hh][Tt][Tt][Pp]://","replacement":"https://","count":1},"patterns":[{"pattern":"\"=~/[Hh][Tt][Tt][Pp]://.*/\"\n"},{"pattern-inside":"$R = new HttpGet(\"=~/[Hh][Tt][Tt][Pp]://.*/\");\n...\n$CLIENT. ... .execute($R, ...);\n"}]},{"id":"java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing","severity":"ERROR","metadata":{"cwe":["CWE-611: Improper Restriction of XML External Entity Reference"],"owasp":["A04:2017 - XML External Entities (XXE)","A05:2021 - Security Misconfiguration","A02:2025 - Security Misconfiguration"],"asvs":{"section":"V5 Validation, Sanitization and Encoding","control_id":"5.5.2 Insecue XML Deserialization","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention","version":"4"},"references":["https://semgrep.dev/blog/2022/xml-security-in-java","https://semgrep.dev/docs/cheat-sheets/java-xxe/","https://blog.sonarsource.com/secure-xml-processor","https://xerces.apache.org/xerces2-j/features.html"],"category":"security","technology":["java","xml"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["XML Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing","shortlink":"https://sg.run/Gj32","semgrep.dev":{"rule":{"r_id":59048,"rv_id":1263061,"rule_id":"j2Udpk","version_id":"YDTZeko","url":"https://semgrep.dev/playground/r/YDTZeko/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing","origin":"community"}}},"message":"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.","mode":"taint","pattern-sources":[{"by-side-effect":true,"patterns":[{"pattern-either":[{"pattern":"$FACTORY = SAXParserFactory.newInstance();\n"},{"patterns":[{"pattern":"$FACTORY"},{"pattern-inside":"class $C {\n  ...\n  $V $FACTORY = SAXParserFactory.newInstance();\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = SAXParserFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n    ...\n  }\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = SAXParserFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n    ...\n  }\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = SAXParserFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n    ...\n  }\n  ...\n}\n"}]}]}]}],"pattern-sinks":[{"patterns":[{"pattern":"$FACTORY.newSAXParser();"}]}],"pattern-sanitizers":[{"by-side-effect":true,"pattern-either":[{"patterns":[{"pattern-either":[{"pattern":"$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n"},{"pattern":"$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n"},{"pattern":"$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n"}]},{"focus-metavariable":"$FACTORY"}]},{"patterns":[{"pattern-either":[{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\",\n    true);\n    ...\n  }\n  ...\n}\n"},{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n    ...\n  }\n  ...\n}\n"},{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n    ...\n    $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\",false);\n    ...\n  }\n  ...\n}\n"}]},{"pattern":"$M($X)"},{"focus-metavariable":"$X"}]}]}],"fix":"$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n$FACTORY.newSAXParser();\n","languages":["java"]},{"id":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","severity":"ERROR","metadata":{"cwe":["CWE-611: Improper Restriction of XML External Entity Reference"],"owasp":["A04:2017 - XML External Entities (XXE)","A05:2021 - Security Misconfiguration","A02:2025 - Security Misconfiguration"],"asvs":{"section":"V5 Validation, Sanitization and Encoding","control_id":"5.5.2 Insecue XML Deserialization","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention","version":"4"},"references":["https://semgrep.dev/blog/2022/xml-security-in-java","https://semgrep.dev/docs/cheat-sheets/java-xxe/","https://blog.sonarsource.com/secure-xml-processor","https://xerces.apache.org/xerces2-j/features.html"],"category":"security","technology":["java","xml"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["XML Injection"],"source":"https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","shortlink":"https://sg.run/1wyQ","semgrep.dev":{"rule":{"r_id":59622,"rv_id":1263062,"rule_id":"v8UeQ1","version_id":"6xT29GK","url":"https://semgrep.dev/playground/r/6xT29GK/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","origin":"community"}}},"message":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".","mode":"taint","pattern-sources":[{"by-side-effect":true,"patterns":[{"pattern-either":[{"pattern":"$FACTORY = TransformerFactory.newInstance();\n"},{"patterns":[{"pattern":"$FACTORY"},{"pattern-inside":"class $C {\n  ...\n  $V $FACTORY = TransformerFactory.newInstance();\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = TransformerFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n    ...\n    $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n    ...\n  }\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = TransformerFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n    ...\n    $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n    ...\n  }\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = TransformerFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n    ...\n    $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n    ...\n  }\n  ...\n}\n"},{"pattern-not-inside":"class $C {\n  ...\n  $V $FACTORY = TransformerFactory.newInstance();\n  static {\n    ...\n    $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n    ...\n    $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n    ...\n  }\n  ...\n}\n"}]}]}]}],"pattern-sinks":[{"patterns":[{"pattern":"$FACTORY.newTransformer(...);"}]}],"pattern-sanitizers":[{"by-side-effect":true,"pattern-either":[{"patterns":[{"pattern-either":[{"pattern":"$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\"); ...\n$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n"},{"pattern":"$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n...\n$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n"},{"pattern":"$FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\"); ...\n$FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n"},{"pattern":"$FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n...\n$FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n"}]},{"focus-metavariable":"$FACTORY"}]},{"patterns":[{"pattern-either":[{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n    ...\n    $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n    ...\n  }\n  ...\n}\n"},{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n    ...\n    $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n    ...\n  }\n  ...\n}\n"},{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n    ...\n    $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n    ...\n  }\n  ...\n}\n"},{"pattern-inside":"class $C {\n  ...\n  $T $M(...) {\n    ...\n    $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n    ...\n    $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n    ...\n  }\n  ...\n}\n"}]},{"pattern":"$M($X)"},{"focus-metavariable":"$X"}]}]}],"fix":"$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"); $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n$FACTORY.newTransformer(...);\n","languages":["java"]},{"id":"java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request","message":"Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command.  Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.","languages":["java"],"severity":"ERROR","mode":"taint","pattern-sources":[{"patterns":[{"pattern-either":[{"pattern":"(HttpServletRequest $REQ)\n"},{"patterns":[{"pattern-inside":"(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n  ...\n}\n"},{"pattern":"$COOKIE.getValue(...)\n"}]}]}]}],"pattern-sinks":[{"patterns":[{"pattern":"(java.lang.Runtime $R).exec($CMD, $ENV_ARGS, ...);"},{"focus-metavariable":"$ENV_ARGS"}]}],"metadata":{"category":"security","technology":["java"],"cwe":["CWE-454: External Initialization of Trusted Variables or Data Stores"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"cwe2022-top25":false,"cwe2021-top25":false,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Other"],"source":"https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request","shortlink":"https://sg.run/EJAB","semgrep.dev":{"rule":{"r_id":70981,"rv_id":1409391,"rule_id":"nJULjy","version_id":"LjTRL6W","url":"https://semgrep.dev/playground/r/LjTRL6W/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request","origin":"community"}}}},{"id":"java.lang.security.audit.crypto.use-of-sha224.use-of-sha224","message":"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.","languages":["java"],"severity":"WARNING","metadata":{"functional-categories":["crypto::search::hash-algorithm::javax.crypto"],"owasp":["A03:2017 - Sensitive Data Exposure","A02:2021 - Cryptographic Failures","A04:2025 - Cryptographic Failures"],"cwe":["CWE-328: Use of Weak Hash"],"asvs":{"section":"V6 Stored Cryptography Verification Requirements","control_id":"6.2.5 Insecure Algorithm","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms","version":"4"},"category":"security","technology":["java"],"references":["https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf","https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography"],"subcategory":["vuln"],"likelihood":"LOW","impact":"LOW","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Hashing Algorithm"],"source":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224","shortlink":"https://sg.run/Ab2KQ","semgrep.dev":{"rule":{"r_id":151750,"rv_id":1263017,"rule_id":"ReUDGEz","version_id":"YDTZewo","url":"https://semgrep.dev/playground/r/YDTZewo/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224","origin":"community"}}},"pattern-either":[{"pattern":"org.apache.commons.codec.digest.DigestUtils.getSha3_224Digest()"},{"pattern":"org.apache.commons.codec.digest.DigestUtils.getSha512_224Digest()"},{"pattern":"org.apache.commons.codec.digest.DigestUtils.sha3_224(...)"},{"pattern":"org.apache.commons.codec.digest.DigestUtils.sha3_224Hex(...)"},{"pattern":"org.apache.commons.codec.digest.DigestUtils.sha512_224(...)"},{"pattern":"org.apache.commons.codec.digest.DigestUtils.sha512_224Hex(...)"},{"pattern":"new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA_224)"},{"pattern":"new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA_512_224)"},{"pattern":"new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA3_224)"},{"patterns":[{"pattern":"java.security.MessageDigest.getInstance(\"$ALGO\", ...);"},{"metavariable-regex":{"metavariable":"$ALGO","regex":".*224"}}]}]}],"missed":181}