Merge Develop into Release (#3716)

* fix(rules): CODE-9032 (#3683)

* fix for CODE-9032

* add test

* Improve OCaml rule protecting against stray Not_founds (#3702)

## Link to an issue, if relevant

(internal Slack thread)

### ~~Adding a new~~ Revising a rule? Look over this PR checklist

- The issue or PR has links, references, or examples.
- The rule has **true positive** and **true negative** test cases in a file that matches the rule name.

> If the rule is `my-rule`, the test file name should be `my-rule.js`.
>
> True positives are marked by comments with `ruleid: <my-rule>` and true negatives are marked by comments with `ok: <my-rule>`.

- The rule has a good message. A good message includes:

> 1. A description of the pattern (e.g., missing parameter, dangerous flag, out-of-order function calls).
> 1. A description of why this pattern was detected (e.g., logic bug, introduces a security vulnerability, bad practice).
> 1. An alternative that resolves the issue (e.g., use another function, validate data first, discard the dangerous flag).

* Update aws-cloudfront-insecure-tls rule (#3705)

This updates aws-cloudfront-insecure-tls rule
to account for the addition of aws cloudfront
support for TLSv1.2_2025 and TLSv1.3_2025

* Add rule to detect backdoor github action placed by Sha1-Hulud (#3714)

Co-authored-by: Pieter De Cremer <[email protected]>

* Fixed message in shai hulud backdoor rule (#3715)

Co-authored-by: Pieter De Cremer <[email protected]>

* Add additional GitHub shell injections patterns (#3735)

A GitHub Action may still be vulnerable when a more complicated pattern is used, like an || operator.

* [go] Add CWE-502 unsafe deserialization rule (#3736)

* Add owasp 2025 mapping (#3739)

* Add owasp 2025 mapping

* fix metadata of twilio twiml injection rule

---------

Co-authored-by: Pieter De Cremer <[email protected]>

---------

Co-authored-by: Kurt Boberg <[email protected]>
Co-authored-by: Martin Jambon <[email protected]>
Co-authored-by: Greg M <[email protected]>
Co-authored-by: Pieter De Cremer (Semgrep) <[email protected]>
Co-authored-by: Pieter De Cremer <[email protected]>
Co-authored-by: Tom Piccirello <[email protected]>
Co-authored-by: Ravi Sastry Kadali <[email protected]>

Author: 8 people

apex/lang/security/ncino/dml/ApexCSRFConstructor.yaml

@@ -9,6 +9,7 @@ rules:
       - 'CWE-352: Cross-Site Request Forgery (CSRF)'
       owasp:
       - A01:2021 - Broken Access Control
+      - A01:2025 - Broken Access Control
       cwe2020-top25': true
       cwe2021-top25': true
       cwe2022-top25': true

apex/lang/security/ncino/dml/ApexCSRFStaticConstructor.yaml

@@ -9,6 +9,7 @@ rules:
       - 'CWE-352: Cross-Site Request Forgery (CSRF)'
       owasp:
       - A01:2021 - Broken Access Control
+      - A01:2025 - Broken Access Control
       cwe2020-top25': true
       cwe2021-top25': true
       cwe2022-top25': true

apex/lang/security/ncino/dml/DmlNativeStatements.yaml

@@ -10,6 +10,8 @@ rules:
       owasp:
       - A01:2021 - Broken Access Control
       - A04:2021 - Insecure Design
+      - A01:2025 - Broken Access Control
+      - A06:2025 - Insecure Design
       impact: HIGH
       likelihood: LOW
       confidence: LOW

apex/lang/security/ncino/encryption/BadCrypto.yaml

@@ -9,6 +9,7 @@ rules:
       - 'CWE-321: Use of Hard-coded Cryptographic Key'
       owasp:
       - A02:2021 - Cryptographic Failures
+      - A04:2025 - Cryptographic Failures
       impact: HIGH
       likelihood: LOW
       confidence: LOW

apex/lang/security/ncino/injection/ApexSOQLInjectionFromUnescapedURLParam.yaml

@@ -15,6 +15,7 @@ rules:
       - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
       owasp:
       - A03:2021 - Injection
+      - A05:2025 - Injection
       references:
       - https://cwe.mitre.org/data/definitions/943.html
       impact: HIGH

apex/lang/security/ncino/injection/ApexSOQLInjectionUnescapedParam.yaml

@@ -15,6 +15,7 @@ rules:
       - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
       owasp:
       - A03:2021 - Injection
+      - A05:2025 - Injection
       references:
       - https://cwe.mitre.org/data/definitions/943.html
       impact: HIGH

apex/lang/security/ncino/sharing/SpecifySharingLevel.yaml

@@ -9,6 +9,7 @@ rules:
       - 'CWE-284: Improper Access Control'
       owasp:
       - A04:2021 - Insecure Design
+      - A06:2025 - Insecure Design
       references:
       - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm
       - https://cwe.mitre.org/data/definitions/284.html

bash/curl/security/curl-eval.yaml

@@ -10,6 +10,7 @@ rules:
   metadata:
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     cwe:
     - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
     category: security

bash/curl/security/curl-pipe-bash.yaml

@@ -12,6 +12,7 @@ rules:
   metadata:
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     cwe:
     - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
     category: security

bash/lang/security/ifs-tampering.yaml

@@ -18,6 +18,7 @@ rules:
     confidence: LOW
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     references:
     - https://owasp.org/Top10/A03_2021-Injection
     cwe2022-top25: true