add archrules-security rules library

Author: wakingrufus

archrules-deprecation/gradle.lockfile

@@ -3,18 +3,18 @@
 # This file is expected to be part of source control.
 ch.qos.logback:logback-classic:1.5.20=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 ch.qos.logback:logback-core:1.5.20=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
-com.netflix.nebula:archrules-joda:0.1.3=archRules
-com.netflix.nebula:archrules-nullability:0.1.3=archRules
-com.netflix.nebula:archrules-testing-frameworks:0.1.3=archRules
-com.netflix.nebula:nebula-archrules-core:0.1.5=archRules
-com.netflix.nebula:nebula-archrules-core:0.2.3=archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.netflix.nebula:archrules-joda:0.3.0=archRules
+com.netflix.nebula:archrules-nullability:0.3.0=archRules
+com.netflix.nebula:archrules-testing-frameworks:0.3.0=archRules
+com.netflix.nebula:nebula-archrules-core:0.2.3=archRules
+com.netflix.nebula:nebula-archrules-core:0.2.4=archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 com.tngtech.archunit:archunit:1.4.1=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 net.bytebuddy:byte-buddy:1.17.7=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=archRulesTestCompileClasspath
 org.assertj:assertj-core:3.27.6=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.jetbrains.kotlin:kotlin-stdlib:2.2.0=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.jetbrains:annotations:13.0=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
-org.jspecify:jspecify:1.0.0=archRulesCompileClasspath,archRulesRuntimeClasspath
+org.jspecify:jspecify:1.0.0=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath
 org.junit.jupiter:junit-jupiter-api:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.junit.jupiter:junit-jupiter-engine:5.12.2=archRulesTestRuntimeClasspath
 org.junit.jupiter:junit-jupiter-params:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath

archrules-joda/gradle.lockfile

@@ -3,17 +3,17 @@
 # This file is expected to be part of source control.
 ch.qos.logback:logback-classic:1.5.20=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 ch.qos.logback:logback-core:1.5.20=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
-com.netflix.nebula:archrules-deprecation:0.1.3=archRules
-com.netflix.nebula:archrules-nullability:0.1.3=archRules
-com.netflix.nebula:archrules-testing-frameworks:0.1.3=archRules
-com.netflix.nebula:nebula-archrules-core:0.1.5=archRules
-com.netflix.nebula:nebula-archrules-core:0.2.3=archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.netflix.nebula:archrules-deprecation:0.3.0=archRules
+com.netflix.nebula:archrules-nullability:0.3.0=archRules
+com.netflix.nebula:archrules-testing-frameworks:0.3.0=archRules
+com.netflix.nebula:nebula-archrules-core:0.2.3=archRules
+com.netflix.nebula:nebula-archrules-core:0.2.4=archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 com.tngtech.archunit:archunit:1.4.1=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 joda-time:joda-time:2.14.0=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 net.bytebuddy:byte-buddy:1.17.7=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=archRulesTestCompileClasspath
 org.assertj:assertj-core:3.27.6=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
-org.jspecify:jspecify:1.0.0=archRulesCompileClasspath,archRulesRuntimeClasspath
+org.jspecify:jspecify:1.0.0=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath
 org.junit.jupiter:junit-jupiter-api:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.junit.jupiter:junit-jupiter-engine:5.12.2=archRulesTestRuntimeClasspath
 org.junit.jupiter:junit-jupiter-params:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath

archrules-nullability/gradle.lockfile

@@ -4,18 +4,18 @@
 ch.qos.logback:logback-classic:1.5.20=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 ch.qos.logback:logback-core:1.5.20=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 com.google.code.findbugs:jsr305:3.0.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
-com.netflix.nebula:archrules-deprecation:0.1.3=archRules
-com.netflix.nebula:archrules-joda:0.1.3=archRules
-com.netflix.nebula:archrules-testing-frameworks:0.1.3=archRules
-com.netflix.nebula:nebula-archrules-core:0.1.5=archRules
-com.netflix.nebula:nebula-archrules-core:0.2.3=archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.netflix.nebula:archrules-deprecation:0.3.0=archRules
+com.netflix.nebula:archrules-joda:0.3.0=archRules
+com.netflix.nebula:archrules-testing-frameworks:0.3.0=archRules
+com.netflix.nebula:nebula-archrules-core:0.2.3=archRules
+com.netflix.nebula:nebula-archrules-core:0.2.4=archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 com.tngtech.archunit:archunit:1.4.1=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 jakarta.annotation:jakarta.annotation-api:3.0.0=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 net.bytebuddy:byte-buddy:1.17.7=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.apiguardian:apiguardian-api:1.1.2=archRulesTestCompileClasspath
 org.assertj:assertj-core:3.27.6=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.jetbrains:annotations:26.0.2-1=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
-org.jspecify:jspecify:1.0.0=archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.jspecify:jspecify:1.0.0=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.junit.jupiter:junit-jupiter-api:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
 org.junit.jupiter:junit-jupiter-engine:5.12.2=archRulesTestRuntimeClasspath
 org.junit.jupiter:junit-jupiter-params:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath

archrules-security/build.gradle.kts

@@ -0,0 +1,25 @@
+plugins {
+    id("com.netflix.nebula.library")
+    id("com.netflix.nebula.archrules.library")
+}
+description = "Arch Rules for detecting usage of identified insecure APIs"
+repositories {
+    mavenCentral()
+}
+dependencies {
+    archRulesImplementation(libs.jspecify)
+
+    archRulesTestImplementation(libs.assertj)
+    archRulesTestImplementation(libs.logback)
+    archRulesTestImplementation("com.google.guava:guava:23.0")
+    archRulesTestImplementation("org.jetbrains.kotlin:kotlin-stdlib:2.2.21")
+    archRulesTestImplementation("org.eclipse.jetty:jetty-servlet:9.+")
+}
+java {
+    toolchain {
+        languageVersion = JavaLanguageVersion.of(8)
+    }
+}
+dependencyLocking {
+    lockAllConfigurations()
+}

archrules-security/gradle.lockfile

@@ -0,0 +1,42 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+ch.qos.logback:logback-classic:1.5.20=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+ch.qos.logback:logback-core:1.5.20=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.google.code.findbugs:jsr305:1.3.9=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.0.18=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.google.guava:guava:23.0=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.google.j2objc:j2objc-annotations:1.1=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.netflix.nebula:archrules-deprecation:0.3.0=archRules
+com.netflix.nebula:archrules-joda:0.3.0=archRules
+com.netflix.nebula:archrules-nullability:0.3.0=archRules
+com.netflix.nebula:archrules-testing-frameworks:0.3.0=archRules
+com.netflix.nebula:nebula-archrules-core:0.2.3=archRules
+com.netflix.nebula:nebula-archrules-core:0.2.4=archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+com.tngtech.archunit:archunit:1.4.1=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+javax.servlet:javax.servlet-api:3.1.0=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+net.bytebuddy:byte-buddy:1.17.7=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.apiguardian:apiguardian-api:1.1.2=archRulesTestCompileClasspath
+org.assertj:assertj-core:3.27.6=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.codehaus.mojo:animal-sniffer-annotations:1.14=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.eclipse.jetty:jetty-http:9.4.58.v20250814=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.eclipse.jetty:jetty-io:9.4.58.v20250814=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.eclipse.jetty:jetty-security:9.4.58.v20250814=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.eclipse.jetty:jetty-server:9.4.58.v20250814=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.eclipse.jetty:jetty-servlet:9.4.58.v20250814=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.eclipse.jetty:jetty-util-ajax:9.4.58.v20250814=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.eclipse.jetty:jetty-util:9.4.58.v20250814=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.jetbrains.kotlin:kotlin-stdlib:2.2.21=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.jetbrains:annotations:13.0=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.jspecify:jspecify:1.0.0=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.12.2=archRulesTestRuntimeClasspath
+org.junit.jupiter:junit-jupiter-params:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.junit.jupiter:junit-jupiter:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.12.2=archRulesTestRuntimeClasspath
+org.junit.platform:junit-platform-launcher:1.12.2=archRulesTestRuntimeClasspath
+org.junit:junit-bom:5.12.2=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.opentest4j:opentest4j:1.3.0=archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+org.slf4j:slf4j-api:2.0.17=archRules,archRulesCompileClasspath,archRulesRuntimeClasspath,archRulesTestCompileClasspath,archRulesTestRuntimeClasspath
+empty=annotationProcessor,archRulesAnnotationProcessor,archRulesTestAnnotationProcessor,compileClasspath,runtimeClasspath,testAnnotationProcessor,testCompileClasspath,testRuntimeClasspath

archrules-security/src/archRules/java/com/netflix/nebula/archrules/security/CveArchRules.java

@@ -0,0 +1,88 @@
+package com.netflix.nebula.archrules.security;
+
+import com.netflix.nebula.archrules.core.ArchRulesService;
+import com.tngtech.archunit.core.domain.JavaClass;
+import com.tngtech.archunit.lang.ArchRule;
+import com.tngtech.archunit.lang.Priority;
+import com.tngtech.archunit.lang.syntax.ArchRuleDefinition;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.tngtech.archunit.core.domain.JavaAccess.Predicates.targetOwner;
+import static com.tngtech.archunit.core.domain.JavaClass.Predicates.assignableTo;
+
+public class CveArchRules implements ArchRulesService {
+    public static final ArchRule CVE_2020_29582 = ArchRuleDefinition.priority(Priority.HIGH)
+            .noClasses()
+            .should().callMethod(
+                    "kotlin.io.FilesKt",
+                    "createTempDir",
+                    "java.lang.String", "java.lang.String", "java.io.File")
+            .orShould().callMethod(
+                    "kotlin.io.FilesKt",
+                    "createTempFile",
+                    "java.lang.String", "java.lang.String", "java.io.File")
+            .because("A Kotlin application using createTempDir or createTempFile " +
+                     "and placing sensitive information within either of these locations " +
+                     "would be leaking this information in a read-only way to other users also on this system. " +
+                     "We recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() " +
+                     "which explicitly configures permissions of 700");
+
+    public static final ArchRule CVE_2023_2976 = ArchRuleDefinition.priority(Priority.HIGH)
+            .noClasses()
+            .should()
+            .dependOnClassesThat(JavaClass.Predicates.simpleName("FileBackedOutputStream"))
+            .orShould()
+            .accessTargetWhere(targetOwner(assignableTo(JavaClass.Predicates.simpleName("FileBackedOutputStream"))))
+            .because("CVE-2023-2976: Use of Java's default temporary directory for file creation in " +
+                     "`FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems " +
+                     "and Android Ice Cream Sandwich allows other users and apps on the machine " +
+                     "with access to the default Java temporary directory to be able to access the " +
+                     "files created by the class.");
+
+    public static final ArchRule CVE_2020_8908 = ArchRuleDefinition.priority(Priority.HIGH)
+            .noClasses()
+            .should().callMethod("com.google.common.io.Files", "createTempDir")
+            .because("A temp directory creation vulnerability exists in all versions of Guava, " +
+                     "allowing an attacker with access to the machine to potentially access data in a temporary directory " +
+                     "created by the Guava API com.google.common.io.Files.createTempDir(). " +
+                     "By default, on unix-like systems, the created directory is world-readable " +
+                     "(readable by an attacker with access to the system). " +
+                     "We recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() " +
+                     "which explicitly configures permissions of 700");
+
+    public static final ArchRule CVE_2018_10237 = ArchRuleDefinition.priority(Priority.HIGH)
+            .noClasses()
+            .should()
+            .dependOnClassesThat(JavaClass.Predicates.simpleName("AtomicDoubleArray"))
+            .orShould()
+            .accessTargetWhere(targetOwner(assignableTo(JavaClass.Predicates.simpleName("AtomicDoubleArray"))))
+            .orShould()
+            .dependOnClassesThat(JavaClass.Predicates.simpleName("CompoundOrdering"))
+            .orShould()
+            .accessTargetWhere(targetOwner(assignableTo(JavaClass.Predicates.simpleName("CompoundOrdering"))))
+            .because("Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 " +
+                     "allows remote attackers to conduct denial of service attacks against servers " +
+                     "that depend on this library and deserialize attacker-provided data, " +
+                     "because the AtomicDoubleArray class (when serialized with Java serialization) " +
+                     "and the CompoundOrdering class (when serialized with GWT serialization) " +
+                     "perform eager allocation without appropriate checks on what a client has sent " +
+                     "and whether the data size is reasonable. ");
+
+    public static final ArchRule CVE_2024_6763 = ArchRuleDefinition.priority(Priority.HIGH)
+            .noClasses()
+            .should().dependOnClassesThat().haveFullyQualifiedName("org.eclipse.jetty.http.HttpURI")
+            .because("The HttpURI class does insufficient validation on the authority segment of a URI.");
+
+    @Override
+    public Map<String, ArchRule> getRules() {
+        Map<String, ArchRule> rules = new HashMap<>();
+        rules.put("CVE-2020-29582", CVE_2020_29582);
+        rules.put("CVE-2023-2976", CVE_2023_2976);
+        rules.put("CVE-2020-8908", CVE_2020_8908);
+        rules.put("CVE-2018-10237", CVE_2018_10237);
+        rules.put("CVE-2024-6763", CVE_2024_6763);
+        return rules;
+    }
+}

archrules-security/src/archRulesTest/java/com/netflix/nebula/archrules/security/CveArchRulesTest.java

@@ -0,0 +1,89 @@
+package com.netflix.nebula.archrules.security;
+
+import com.google.common.io.FileBackedOutputStream;
+import com.netflix.nebula.archrules.core.Runner;
+import com.tngtech.archunit.lang.EvaluationResult;
+import kotlin.io.FilesKt;
+import org.eclipse.jetty.http.HttpURI;
+import org.junit.jupiter.api.Test;
+
+import java.io.File;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class CveArchRulesTest {
+    @Test
+    public void test_pass() {
+        EvaluationResult result = Runner.check(CveArchRules.CVE_2023_2976, PassingClass.class);
+        assertThat(result.hasViolation())
+                .isFalse();
+    }
+
+    @Test
+    public void test_fail() {
+        EvaluationResult result = Runner.check(CveArchRules.CVE_2023_2976, FailingClass.class);
+        assertThat(result.hasViolation())
+                .isTrue();
+        assertThat(result.getFailureReport().getDetails())
+                .hasSize(1);
+    }
+
+    @Test
+    public void test_fail_shaded() {
+        EvaluationResult result = Runner.check(CveArchRules.CVE_2023_2976, FailingClassShaded.class);
+        assertThat(result.hasViolation())
+                .isTrue();
+        assertThat(result.getFailureReport().getDetails())
+                .hasSize(1);
+    }
+
+    @Test
+    public void test_kotlin_cve_fail_file() {
+        EvaluationResult result = Runner.check(CveArchRules.CVE_2020_29582, KotlinFailingClassFile.class);
+        assertThat(result.hasViolation())
+                .isTrue();
+        assertThat(result.getFailureReport().getDetails())
+                .hasSize(1);
+    }
+
+    @Test
+    public void test_kotlin_cve_fail_dir() {
+        EvaluationResult result = Runner.check(CveArchRules.CVE_2020_29582, KotlinFailingClassDir.class);
+        assertThat(result.hasViolation())
+                .isTrue();
+        assertThat(result.getFailureReport().getDetails())
+                .hasSize(1);
+    }
+
+    @Test
+    public void test_jetty() {
+        EvaluationResult result = Runner.check(CveArchRules.CVE_2024_6763, UsesJettyHttpURI.class);
+        assertThat(result.hasViolation())
+                .isTrue();
+        assertThat(result.getFailureReport().getDetails())
+                .hasSize(1);
+    }
+
+    static class KotlinFailingClassFile {
+        File thing = FilesKt.createTempFile("tmp", null, null);
+    }
+
+    static class KotlinFailingClassDir {
+        File thing = FilesKt.createTempDir("tmp", null, null);
+    }
+
+    static class FailingClass {
+        FileBackedOutputStream fileBackedOutputStream;
+    }
+
+    static class FailingClassShaded {
+        com.tngtech.archunit.thirdparty.com.google.common.io.FileBackedOutputStream fileBackedOutputStream;
+    }
+
+    static class PassingClass {
+    }
+
+    static class UsesJettyHttpURI {
+        HttpURI httpURI;
+    }
+}