kingfisher/crates/kingfisher-rules/data/rules/jdbc.yml

rules:
  - name: JDBC connection string with embedded credentials
    id: kingfisher.jdbc.1
    pattern: |
      (?xi)
      (
        jdbc:
        [a-z][a-z0-9+.-]{2,32}
        (?:[:][a-z0-9+.-]{1,32})*
        :
        [^\s"'<>,(){}\[\]]{10,448}
      )
    pattern_requirements:              
      min_special_chars: 2
      special_chars: ";=/?@&"
      ignore_if_contains:
        - "****"
        - "xxxx"
        - "example"
    min_entropy: 3.3
    confidence: medium
    validation:
      type: Jdbc
    tls_mode: lax
    examples:
      - jdbc:postgresql://db.example.com:5432/app?user=admin&password=s3cr3t
      - jdbc:mysql://admin:s3cr3t@prod.internal:3306/inventory
      - jdbc:oracle:thin:@ora.example.net:1521/ORCLPDB1
      - jdbc:sqlserver://sql.example.org:1433;databaseName=inventory;user=sa;password=s3cr3t!
    references:
      - https://docs.oracle.com/javase/8/docs/api/java/sql/DriverManager.html
      - https://jdbc.postgresql.org/documentation/use/
added jdbc rule and validator 2025-11-12 22:25:33 -08:00			`rules:`
			`- name: JDBC connection string with embedded credentials`
			`id: kingfisher.jdbc.1`
			`pattern: \|`
			`(?xi)`
			`(`
			`jdbc:`
- Skip reporting MongoDB and Postgres findings when their connection strings cannot be parsed, even when validation is disabled. - Improve MySQL detection by broadening URI coverage and adding live validation that skips clearly invalid connection strings. 2025-11-15 08:43:54 -08:00			`[a-z][a-z0-9+.-]{2,32}`
			`(?:[:][a-z0-9+.-]{1,32})*`
added jdbc rule and validator 2025-11-12 22:25:33 -08:00			`:`
added jdbc rule and validator 2025-11-12 22:26:29 -08:00			`[^\s"'<>,(){}\[\]]{10,448}`
added jdbc rule and validator 2025-11-12 22:25:33 -08:00			`)`
reducing false positives 2025-11-24 09:33:58 -08:00			`pattern_requirements:`
			`min_special_chars: 2`
			`special_chars: ";=/?@&"`
- Skip reporting MongoDB and Postgres findings when their connection strings cannot be parsed, even when validation is disabled. - Improve MySQL detection by broadening URI coverage and adding live validation that skips clearly invalid connection strings. 2025-11-15 08:23:06 -08:00			`ignore_if_contains:`
reducing false positives 2025-11-24 09:33:58 -08:00			`- "****"`
			`- "xxxx"`
v1.73.0 2026-01-01 22:24:57 -08:00			`- "example"`
added jdbc rule and validator 2025-11-12 22:25:33 -08:00			`min_entropy: 3.3`
			`confidence: medium`
			`validation:`
			`type: Jdbc`
preparing for v1.78.0 2026-02-02 23:22:08 -08:00			`tls_mode: lax`
added jdbc rule and validator 2025-11-12 22:25:33 -08:00			`examples:`
			`- jdbc:postgresql://db.example.com:5432/app?user=admin&password=s3cr3t`
			`- jdbc:mysql://admin:s3cr3t@prod.internal:3306/inventory`
			`- jdbc:oracle:thin:@ora.example.net:1521/ORCLPDB1`
			`- jdbc:sqlserver://sql.example.org:1433;databaseName=inventory;user=sa;password=s3cr3t!`
			`references:`
			`- https://docs.oracle.com/javase/8/docs/api/java/sql/DriverManager.html`
v1.81.0 2026-02-10 19:24:19 -08:00			`- https://jdbc.postgresql.org/documentation/use/`