feat: Fuse Servlet and Spring rules for enhanced integration

CHANGELOG.md

@@ -1,3 +1,6 @@
+## v2.2.0
+### feat: Fuse Servlet and Spring rules for enhanced integration
+- feat: Servlet and Spring rules fusion
 ## v2.1.3
 ### fix: Update insecure cookie and command injection rules
 - fix: Require insecure cookie to flow in response and add tests

rules/java/lib/generic/seam-untrusted-data-source.yaml

@@ -4,6 +4,44 @@ rules:
       lib: true
     message: Untrusted data flows from here
     severity: NOTE
+    metadata:
+      short-description: Untrusted data source in Seam/JSF request context
+      full-description: |-
+        This is a source rule for untrusted input in Seam/JSF applications.
+        It marks values as tainted when they are obtained from request parameter/header/cookie maps
+        or injected into Seam components from request context.
+
+        Typical source locations matched by this rule include:
+        - `@In`-annotated Seam setter parameters
+        - `FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap().get(...)`
+        - `...getRequestHeaderMap().get(...)`
+        - `...getRequestCookieMap().get(...)`
+
+        Example source usage (tainted):
+
+        ```java
+        import javax.faces.context.FacesContext;
+
+        public class LoginAction {
+            public void login() {
+                String username = FacesContext.getCurrentInstance()
+                    .getExternalContext()
+                    .getRequestParameterMap()
+                    .get("username"); // source: untrusted
+
+                process(username);
+            }
+
+            private void process(String input) {
+                // A vulnerability is reported only when tainted input reaches a vulnerable API pattern.
+            }
+        }
+        ```
+
+        Recommended handling at the boundary:
+        - Treat all JSF request map values as untrusted.
+        - Validate and normalize input before passing to logging, query, template, or command-execution APIs.
+        - Keep security checks and canonicalization centralized for consistent handling.
     languages:
       - java
     pattern-either:

rules/java/lib/generic/servlet-untrusted-data-source.yaml

@@ -4,6 +4,43 @@ rules:
       lib: true
     severity: NOTE
     message: Untrusted data flows from here
+    metadata:
+      short-description: Untrusted data source in Servlet/JSP entrypoints
+      full-description: |-
+        This is a source rule for untrusted input in Servlet and JSP code paths.
+        It marks values as tainted when they originate from HTTP request-controlled entrypoints,
+        request body readers, or uploaded-file metadata APIs.
+
+        Typical source locations matched by this rule include:
+        - `HttpServletRequest` parameters in servlet entry methods (`doGet`, `doPost`, etc.)
+        - Values returned by `MessageBodyReader.readFrom(...)`
+        - File names from multipart upload parsing (`parseRequest(...).getName()`)
+        - File names from `Part.getSubmittedFileName()`
+
+        Example source usage (tainted):
+
+        ```java
+        import jakarta.servlet.http.HttpServlet;
+        import jakarta.servlet.http.HttpServletRequest;
+        import jakarta.servlet.http.HttpServletResponse;
+
+        public class DownloadServlet extends HttpServlet {
+            @Override
+            protected void doGet(HttpServletRequest request, HttpServletResponse response) {
+                String filename = request.getParameter("file"); // source: untrusted
+                handleFile(filename);
+            }
+
+            private void handleFile(String input) {
+                // Later flow to a vulnerable API pattern is what creates a finding.
+            }
+        }
+        ```
+
+        Recommended handling at the boundary:
+        - Treat all request-derived values as untrusted by default.
+        - Validate expected shape (type, length, charset, allowlist) as early as possible.
+        - Convert to strongly typed/domain values before business logic and security-sensitive calls.
     languages:
       - java
     patterns:

rules/java/lib/spring/untrusted-data-source.yaml

@@ -4,6 +4,44 @@ rules:
       lib: true
     severity: NOTE
     message: Untrusted data flows from here
+    metadata:
+      short-description: Untrusted data source in Spring request handlers
+      full-description: |-
+        This is a source rule for untrusted input in Spring MVC / Spring Boot handlers.
+        It marks method parameters and request-derived values as tainted when they can be
+        controlled by an external caller.
+
+        Typical source locations matched by this rule include:
+        - Handler method parameters in `@RequestMapping`, `@GetMapping`, `@PostMapping`, etc.
+        - Values returned by `MessageBodyReader.readFrom(...)`
+        - Cookie values resolved via `WebUtils.getCookie(...).getValue()`
+
+        Example source usage (tainted):
+
+        ```java
+        import org.springframework.web.bind.annotation.GetMapping;
+        import org.springframework.web.bind.annotation.RequestParam;
+        import org.springframework.web.bind.annotation.RestController;
+
+        @RestController
+        class SearchController {
+            @GetMapping("/search")
+            String search(@RequestParam String q) {
+                // q is a source: untrusted user-controlled input
+                return doSearch(q);
+            }
+
+            private String doSearch(String input) {
+                // Vulnerability findings appear only when this value reaches an unsafe usage.
+                return input;
+            }
+        }
+        ```
+
+        Recommended handling at the boundary:
+        - Assume all request parameters, headers, cookies, and bodies are untrusted.
+        - Apply validation constraints (Bean Validation / explicit checks) close to controller boundaries.
+        - Normalize and map external input to typed internal models before unsafe usage.
     languages:
       - java
     patterns:

rules/java/lib/spring/untrusted-path-source.yaml

@@ -4,6 +4,45 @@ rules:
       lib: true
     severity: NOTE
     message: Untrusted data flows from here
+    metadata:
+      short-description: Untrusted path-like source in Spring handlers
+      full-description: |-
+        This is a source rule for path-like untrusted data in Spring handlers.
+        It marks values as tainted when they come from request-controlled mapping parameters,
+        wildcard route captures, body readers, or cookies that can later influence file/path operations.
+
+        Typical source locations matched by this rule include:
+        - `@PathVariable` values and wildcard mapping captures in `@RequestMapping` methods
+        - Other handler parameters in mapped methods that can carry path segments
+        - Values from `MessageBodyReader.readFrom(...)`
+        - Cookie-derived values via `WebUtils.getCookie(...).getValue()`
+
+        Example source usage (tainted):
+
+        ```java
+        import org.springframework.web.bind.annotation.GetMapping;
+        import org.springframework.web.bind.annotation.PathVariable;
+        import org.springframework.web.bind.annotation.RestController;
+
+        @RestController
+        class FileController {
+            @GetMapping("/files/{name}")
+            byte[] readFile(@PathVariable String name) {
+                // name is untrusted path-related input (source)
+                return load(name);
+            }
+
+            private byte[] load(String candidatePath) {
+                // A finding is raised when this reaches a path traversal operation.
+                return new byte[0];
+            }
+        }
+        ```
+
+        Recommended handling at the boundary:
+        - Prefer opaque file IDs over raw path input from clients.
+        - Validate allowed filename patterns and reject traversal tokens (`..`, absolute paths, encoded variants).
+        - Normalize and enforce base-directory checks before any filesystem operation.
     languages:
       - java
     patterns: