Add security rules for cookie settings and XML processing in YAML config

rules/java/security/cookie-secure-flag-false-java.yml

@@ -0,0 +1,14 @@
+id: cookie-secure-flag-false-java
+language: java
+severity: warning
+message: >-
+ A cookie was detected without setting the 'secure' flag. The 'secure'
+ flag for cookies prevents the client from transmitting the cookie over
+ insecure channels such as HTTP. Set the 'secure' flag by calling
+ '$COOKIE.setSecure(true);'.
+note: >-
+  [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
+  [REFERENCES]
+      - https://owasp.org/www-community/controls/SecureCookieAttribute
+rule:
+ pattern: $COOKIE.setSecure(false);

rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml

@@ -0,0 +1,46 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+language: java
+severity: warning
+message: >-
+    DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting
+      external entity declarations, this is vulnerable to XML external entity
+      attacks. Disable this by setting the feature
+      "http://apache.org/xml/features/disallow-doctype-decl" to true.
+      Alternatively, allow DOCTYPE declarations and only prohibit external
+      entities declarations. This can be done by setting the features
+      "http://xml.org/sax/features/external-general-entities" and
+      "http://xml.org/sax/features/external-parameter-entities" to false.
+note: >-
+  [CWE-611]: mproper Restriction of XML External Entity Reference
+  [OWASP A04:2017]: XML External Entities (XXE)
+  [OWASP A05:2021 - Security Misconfiguration]
+  [REFERENCES]
+       https://blog.sonarsource.com/secure-xml-processor
+       https://xerces.apache.org/xerces2-j/features.html
+utils:
+  match_expression_statement:
+    kind: expression_statement
+    has:
+      stopBy: end
+      kind: method_invocation
+      all:
+        - has:
+           stopBy: end
+           kind: identifier
+        - has:
+           stopBy: end
+           kind: identifier
+           regex: '^setFeature$'
+      has:
+        kind: argument_list
+        all:
+          - has:
+             stopBy: end
+             kind: string_literal
+             regex: 'http://apache.org/xml/features/disallow-doctype-decl'
+          - has:
+             stopBy: end
+             regex: '^false$'
+rule:
+  any:
+    - matches: match_expression_statement

tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml

@@ -0,0 +1,9 @@
+id: cookie-secure-flag-false-java
+snapshots:
+  ? |
+    cookie.setSecure(false);
+  : labels:
+    - source: cookie.setSecure(false);
+      style: primary
+      start: 0
+      end: 24

tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml

@@ -0,0 +1,70 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+snapshots:
+  ? |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    }
+  : labels:
+    - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+      style: primary
+      start: 106
+      end: 184
+    - source: dbf
+      style: secondary
+      start: 106
+      end: 109
+    - source: setFeature
+      style: secondary
+      start: 110
+      end: 120
+    - source: '"http://apache.org/xml/features/disallow-doctype-decl"'
+      style: secondary
+      start: 121
+      end: 175
+    - source: 'false'
+      style: secondary
+      start: 177
+      end: 182
+    - source: ("http://apache.org/xml/features/disallow-doctype-decl", false)
+      style: secondary
+      start: 120
+      end: 183
+    - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
+      style: secondary
+      start: 106
+      end: 183
+  ? |
+    ParserConfigurationException {
+        SAXParserFactory spf = SAXParserFactory.newInstance();
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    }
+  : labels:
+    - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+      style: primary
+      start: 94
+      end: 172
+    - source: spf
+      style: secondary
+      start: 94
+      end: 97
+    - source: setFeature
+      style: secondary
+      start: 98
+      end: 108
+    - source: '"http://apache.org/xml/features/disallow-doctype-decl"'
+      style: secondary
+      start: 109
+      end: 163
+    - source: 'false'
+      style: secondary
+      start: 165
+      end: 170
+    - source: ("http://apache.org/xml/features/disallow-doctype-decl", false)
+      style: secondary
+      start: 108
+      end: 171
+    - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
+      style: secondary
+      start: 94
+      end: 171

tests/java/cookie-secure-flag-false-java-test.yml

@@ -0,0 +1,10 @@
+id: cookie-secure-flag-false-java
+valid:
+  - |
+    response.addCookie(cookie);
+    cookie.setSecure(true);
+    cookie.setHttpOnly(true);
+    response.addCookie(cookie);
+invalid:
+  - |
+    cookie.setSecure(false);

tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml

@@ -0,0 +1,51 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+valid:
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    }
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    }
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    } 
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+    } 
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+    } 
+  - |
+    ParserConfigurationException {
+        SAXParserFactory spf = SAXParserFactory.newInstance();
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    }
+invalid:
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    }
+  - |
+    ParserConfigurationException {
+        SAXParserFactory spf = SAXParserFactory.newInstance();
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    }