kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call

rules:
  - id: command-injection-formatted-runtime-call
    message: A formatted or concatenated string was detected as input to a
      java.lang.Runtime call. This is dangerous if a variable is controlled by
      user input and could result in a command injection. Ensure your variables
      are not controlled by users or sufficiently sanitized.
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.
      category: security
      technology:
        - kt
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    severity: ERROR
    languages:
      - kt
    pattern-either:
      - pattern: $RUNTIME.exec($X + $Y)
      - pattern: $RUNTIME.exec(String.format(...))
      - pattern: $RUNTIME.loadLibrary($X + $Y)
      - pattern: $RUNTIME.loadLibrary(String.format(...))