Merge Develop into Release

apex/lang/security/ncino/dml/ApexCSRFConstructor.yaml

@@ -9,6 +9,7 @@ rules:
       - 'CWE-352: Cross-Site Request Forgery (CSRF)'
       owasp:
       - A01:2021 - Broken Access Control
+      - A01:2025 - Broken Access Control
       cwe2020-top25': true
       cwe2021-top25': true
       cwe2022-top25': true

apex/lang/security/ncino/dml/ApexCSRFStaticConstructor.yaml

@@ -9,6 +9,7 @@ rules:
       - 'CWE-352: Cross-Site Request Forgery (CSRF)'
       owasp:
       - A01:2021 - Broken Access Control
+      - A01:2025 - Broken Access Control
       cwe2020-top25': true
       cwe2021-top25': true
       cwe2022-top25': true

apex/lang/security/ncino/dml/DmlNativeStatements.yaml

@@ -10,6 +10,8 @@ rules:
       owasp:
       - A01:2021 - Broken Access Control
       - A04:2021 - Insecure Design
+      - A01:2025 - Broken Access Control
+      - A06:2025 - Insecure Design
       impact: HIGH
       likelihood: LOW
       confidence: LOW

apex/lang/security/ncino/encryption/BadCrypto.yaml

@@ -9,6 +9,7 @@ rules:
       - 'CWE-321: Use of Hard-coded Cryptographic Key'
       owasp:
       - A02:2021 - Cryptographic Failures
+      - A04:2025 - Cryptographic Failures
       impact: HIGH
       likelihood: LOW
       confidence: LOW

apex/lang/security/ncino/injection/ApexSOQLInjectionFromUnescapedURLParam.yaml

@@ -15,6 +15,7 @@ rules:
       - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
       owasp:
       - A03:2021 - Injection
+      - A05:2025 - Injection
       references:
       - https://cwe.mitre.org/data/definitions/943.html
       impact: HIGH

apex/lang/security/ncino/injection/ApexSOQLInjectionUnescapedParam.yaml

@@ -15,6 +15,7 @@ rules:
       - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
       owasp:
       - A03:2021 - Injection
+      - A05:2025 - Injection
       references:
       - https://cwe.mitre.org/data/definitions/943.html
       impact: HIGH

apex/lang/security/ncino/sharing/SpecifySharingLevel.yaml

@@ -9,6 +9,7 @@ rules:
       - 'CWE-284: Improper Access Control'
       owasp:
       - A04:2021 - Insecure Design
+      - A06:2025 - Insecure Design
       references:
       - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm
       - https://cwe.mitre.org/data/definitions/284.html

bash/curl/security/curl-eval.yaml

@@ -10,6 +10,7 @@ rules:
   metadata:
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     cwe:
     - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
     category: security

bash/curl/security/curl-pipe-bash.yaml

@@ -12,6 +12,7 @@ rules:
   metadata:
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     cwe:
     - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
     category: security

bash/lang/security/ifs-tampering.yaml

@@ -18,6 +18,7 @@ rules:
     confidence: LOW
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     references:
     - https://owasp.org/Top10/A03_2021-Injection
     cwe2022-top25: true

c/lang/security/double-free.yaml

@@ -29,6 +29,7 @@ rules:
     owasp:
     - A03:2021 - Injection
     - A01:2017 - Injection
+    - A05:2025 - Injection
     references:
     - https://cwe.mitre.org/data/definitions/415.html
     - https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory

c/lang/security/info-leak-on-non-formatted-string.yaml

@@ -13,6 +13,7 @@ rules:
     confidence: LOW
     owasp:
     - A09:2021 - Security Logging and Monitoring Failures
+    - A09:2025 - Security Logging & Alerting Failures
     subcategory:
     - audit
     likelihood: LOW

c/lang/security/insecure-use-memset.yaml

@@ -22,6 +22,7 @@ rules:
     - 'CWE-14: Compiler Removal of Code to Clear Buffers'
     owasp:
     - "A04:2021 - Insecure Design"
+    - A06:2025 - Insecure Design
     references:
     - https://cwe.mitre.org/data/definitions/14.html
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/

clojure/lang/security/command-injection-shell-call.yaml

@@ -7,6 +7,7 @@ rules:
       owasp:
         - A01:2017 - Injection
         - A03:2021 - Injection
+        - A05:2025 - Injection
       cwe:
         - "CWE-78: Improper Neutralization of Special Elements used in an OS Command
           ('OS Command Injection')"

clojure/lang/security/documentbuilderfactory-xxe.yaml

@@ -9,6 +9,7 @@ rules:
       owasp:
       - A04:2017 - XML External Entities (XXE)
       - A05:2021 - Security Misconfiguration
+      - A02:2025 - Security Misconfiguration
       asvs:
         section: V5 Validation, Sanitization and Encoding
         control_id: 5.5.2 Insecue XML Deserialization

clojure/lang/security/use-of-md5.yaml

@@ -17,6 +17,7 @@ rules:
       owasp:
         - A03:2017 - Sensitive Data Exposure
         - A02:2021 - Cryptographic Failures
+        - A04:2025 - Cryptographic Failures
       cwe:
         - "CWE-328: Use of Weak Hash"
       author: Gabriel Marquet <[email protected]>

clojure/lang/security/use-of-sha1.yaml

@@ -17,6 +17,7 @@ rules:
       owasp:
         - A03:2017 - Sensitive Data Exposure
         - A02:2021 - Cryptographic Failures
+        - A04:2025 - Cryptographic Failures
       cwe:
         - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
         - "CWE-328: Use of Weak Hash"

clojure/security/clojure-read-string/read-string-unsafe.yaml

@@ -12,6 +12,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     cwe:
     - 'CWE-502: Deserialization of Untrusted Data'
     likelihood: MEDIUM

csharp/dotnet/security/audit/ldap-injection.yaml

@@ -13,6 +13,7 @@ rules:
     owasp:
     - A01:2017 - Injection
     - A03:2021 - Injection
+    - A05:2025 - Injection
     references:
     - https://owasp.org/Top10/A03_2021-Injection/
     - https://cwe.mitre.org/data/definitions/90

csharp/dotnet/security/audit/mass-assignment.yaml

@@ -13,6 +13,7 @@ rules:
     - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes'
     owasp:
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://cwe.mitre.org/data/definitions/915.html
     - https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md

csharp/dotnet/security/audit/misconfigured-lockout-option.yaml

@@ -14,6 +14,7 @@ rules:
     - 'CWE-307: Improper Restriction of Excessive Authentication Attempts'
     owasp:
     - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
     references:
     - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
     - https://cwe.mitre.org/data/definitions/307.html

csharp/dotnet/security/audit/missing-or-broken-authorization.yaml

@@ -18,6 +18,7 @@ rules:
     cwe2023-top25: true
     owasp:
     - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
     references:
     - https://owasp.org/Top10/A01_2021-Broken_Access_Control
     - https://cwe.mitre.org/data/definitions/862.html

csharp/dotnet/security/audit/open-directory-listing.yaml

@@ -14,6 +14,7 @@ rules:
     owasp:
     - A06:2017 - Security Misconfiguration
     - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
     references:
     - https://cwe.mitre.org/data/definitions/548.html
     - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/

csharp/dotnet/security/audit/razor-use-of-htmlstring.yaml

@@ -12,6 +12,7 @@ rules:
     - 'CWE-116: Improper Encoding or Escaping of Output'
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     references:
     - https://cwe.mitre.org/data/definitions/116.html
     - https://owasp.org/Top10/A03_2021-Injection/

csharp/dotnet/security/audit/xpath-injection.yaml

@@ -12,6 +12,7 @@ rules:
     - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')"
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     references:
     - https://owasp.org/Top10/A03_2021-Injection/
     - https://cwe.mitre.org/data/definitions/643.html

csharp/dotnet/security/mvc-missing-antiforgery.yaml

@@ -16,6 +16,7 @@ rules:
     cwe2022-top25: true
     owasp:
     - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
     references:
     - https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery
     - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

csharp/dotnet/security/net-webconfig-debug.yaml

@@ -14,6 +14,7 @@ rules:
     - 'CWE-11: ASP.NET Misconfiguration: Creating Debug Binary'
     owasp:
     - A05:2021 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
     references:
     - https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/
     - https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx

csharp/dotnet/security/razor-template-injection.yaml

@@ -13,6 +13,7 @@ rules:
     cwe2022-top25: true
     owasp:
     - A03:2021 - Injection
+    - A05:2025 - Injection
     references:
     - https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/
     subcategory:

csharp/dotnet/security/use_deprecated_cipher_algorithm.yaml

@@ -11,6 +11,7 @@ rules:
     - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
     owasp:
     - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
     references:
     - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks
     - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks

csharp/dotnet/security/use_ecb_mode.yaml

@@ -12,6 +12,7 @@ rules:
     - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
     owasp:
     - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
     references:
     - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0
     - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0

csharp/dotnet/security/use_weak_rng_for_keygeneration.yaml

@@ -13,6 +13,7 @@ rules:
     - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)'
     owasp:
     - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
     references:
     - https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks
     - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0

csharp/dotnet/security/use_weak_rsa_encryption_padding.yaml

@@ -12,6 +12,7 @@ rules:
     - 'CWE-780: Use of RSA Algorithm without OAEP'
     owasp:
     - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
     references:
     - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter
     - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter

csharp/dotnet/security/web-config-insecure-cookie-settings.yaml

@@ -12,6 +12,7 @@ rules:
     - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
     owasp:
     - A05:2021 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
     references:
     - https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies
     - https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL

csharp/lang/best-practice/structured-logging.yaml

@@ -34,6 +34,7 @@ rules:
     - 'CWE-117: Improper Output Neutralization for Logs'
     owasp:
     - A09:2021 - Security Logging and Monitoring Failures
+    - A09:2025 - Security Logging & Alerting Failures
     technology:
     - .net
     - serilog

csharp/lang/security/ad/jwt-tokenvalidationparameters-no-expiry-validation.yaml

@@ -28,6 +28,7 @@ rules:
     owasp:
     - A02:2017 - Broken Authentication
     - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
     cwe:
     - 'CWE-613: Insufficient Session Expiration'
     references:

csharp/lang/security/cryptography/X509-subject-name-validation.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A03:2017 - Sensitive Data Exposure
     - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
     references:
     - https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8
     category: security

csharp/lang/security/cryptography/X509Certificate2-privkey.yaml

@@ -8,6 +8,7 @@ rules:
     - 'CWE-310: CWE CATEGORY: Cryptographic Issues'
     owasp:
     - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
     references:
     - https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.privatekey
     category: security

csharp/lang/security/cryptography/unsigned-security-token.yaml

@@ -15,6 +15,7 @@ rules:
     - csharp
     owasp:
     - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
     cwe:
     - 'CWE-347: Improper Verification of Cryptographic Signature'
     references:

csharp/lang/security/filesystem/unsafe-path-combine.yaml

@@ -52,6 +52,7 @@ rules:
     owasp:
     - A05:2017 - Broken Access Control
     - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

csharp/lang/security/http/http-listener-wildcard-bindings.yaml

@@ -8,6 +8,7 @@ rules:
     - 'CWE-706: Use of Incorrectly-Resolved Name or Reference'
     owasp:
     - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
     references:
     - https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0
     category: security

csharp/lang/security/injections/os-command.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A01:2017 - Injection
     - A03:2021 - Injection
+    - A05:2025 - Injection
     references:
     - https://owasp.org/www-community/attacks/Command_Injection
     category: security

csharp/lang/security/insecure-deserialization/binary-formatter.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
     category: security

csharp/lang/security/insecure-deserialization/data-contract-resolver.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
     category: security

csharp/lang/security/insecure-deserialization/fast-json.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://github.com/mgholam/fastJSON#security-warning-update
     category: security

csharp/lang/security/insecure-deserialization/fs-pickler.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution
     category: security

csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0
     - https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html

csharp/lang/security/insecure-deserialization/javascript-serializer.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks
     category: security

csharp/lang/security/insecure-deserialization/los-formatter.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8
     category: security

csharp/lang/security/insecure-deserialization/net-data-contract.yaml

@@ -9,6 +9,7 @@ rules:
     owasp:
     - A08:2017 - Insecure Deserialization
     - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
     references:
     - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security
     category: security