mcp-server-semgrep/semgrep-rules/java/java-jwt/security/audit/jwt-decode-without-verify.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: java-jwt-decode-without-verify
  message: >-
    Detected the decoding of a JWT token without a verify step.
    JWT tokens must be verified before use, otherwise the token's
    integrity is unknown. This means a malicious actor could forge
    a JWT token with any claims. Call '.verify()' before using the token.
  metadata:
    cwe:
    - 'CWE-345: Insufficient Verification of Data Authenticity'
    owasp:
    - A08:2021 - Software and Data Integrity Failures
    source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
    category: security
    technology:
    - jwt
    confidence: MEDIUM
    references:
    - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
    subcategory:
    - vuln
    likelihood: LOW
    impact: HIGH
  languages: [java]
  severity: WARNING
  patterns:
  - pattern: |
      com.auth0.jwt.JWT.decode(...);
  - pattern-not-inside: |-
      class $CLASS {
        ...
        $RETURNTYPE $FUNC (...) {
          ...
          $VERIFIER.verify(...);
          ...
        }
      }