rules:
  # Note: pattern-regex rules match the raw file text, so they also fire on
  # comments, string literals and identifiers that contain these words.
  - id: payment-no-md5-sha1
    message: Unsichere Hash-Algorithmen erkannt.
    severity: ERROR
    languages: [python, javascript, typescript, java, go]
    pattern-regex: (?i)\b(md5|sha1)\b

  - id: payment-no-des-3des
    message: Veraltete symmetrische Verfahren erkannt.
    severity: ERROR
    languages: [python, javascript, typescript, java, go]
    pattern-regex: (?i)\b(des|3des|tripledes)\b

  - id: payment-no-ecb
    message: ECB-Modus ist fuer sensible Daten ungeeignet.
    severity: ERROR
    languages: [python, javascript, typescript, java, go]
    pattern-regex: (?i)\becb\b

  # Flags string literals assigned to variables whose name suggests a secret.
  - id: payment-hardcoded-secret
    message: Moeglicherweise hartkodiertes Secret erkannt.
    severity: ERROR
    languages: [python, javascript, typescript, java, go]
    patterns:
      - pattern-either:
          - pattern: $KEY = "..."
          - pattern: const $KEY = "..."
          - pattern: final String $KEY = "..."
      - metavariable-pattern:
          metavariable: $KEY
          pattern-regex: (?i).*(secret|apikey|api_key|password|passwd|privatekey|private_key|terminalkey|zvtkey|opiKey).*

  - id: payment-weak-random
    message: Nicht-kryptographischer Zufall in Sicherheitskontext erkannt.
    severity: ERROR
    languages: [python, javascript, typescript, java]
    pattern-regex: (?i)(Math\.random|random\.random|new Random\()

  - id: payment-disable-tls-verify
    message: TLS-Zertifikatspruefung scheint deaktiviert zu sein.
    severity: ERROR
    languages: [python, javascript, typescript, java, go]
    pattern-regex: (?i)(verify\s*=\s*False|rejectUnauthorized\s*:\s*false|InsecureSkipVerify\s*:\s*true|trustAll)