Tighten _threats.toml: feature-flags mapping, LDAP libs, drop dead scraping mapping

knowledge/_shared/_threats.toml

@@ -148,11 +148,6 @@ match = ["function:file-management"]
 threats = ["path_traversal"]
 note = "File operations with caller-controlled paths"
 
-[[mappings]]
-match = ["function:scraping"]
-threats = ["ssrf"]
-note = "Fetches caller-controlled URLs"
-
 [[mappings]]
 match = ["function:http-client"]
 threats = ["ssrf"]
@@ -183,6 +178,11 @@ match = ["role:framework", "layer:backend"]
 threats = ["xss", "csrf", "open_redirect", "ssrf", "path_traversal", "auth_bypass"]
 note = "Server-side framework handling user-controlled HTTP input"
 
+[[mappings]]
+match = ["function:feature-flags"]
+threats = ["auth_bypass"]
+note = "Feature gates protecting access checks; accidental exposure of flagged-off code paths"
+
 [[mappings]]
 match = ["role:framework", "layer:frontend"]
 threats = ["xss", "open_redirect"]

knowledge/node/ldapjs.toml

@@ -0,0 +1,28 @@
+[tool]
+name = "ldapjs"
+category = "build"
+homepage = "http://ldapjs.org"
+docs = "http://ldapjs.org"
+repo = "https://github.com/ldapjs/node-ldapjs"
+description = "LDAP client and server for Node.js"
+
+[detect]
+dependencies = ["ldapjs"]
+ecosystems = ["node"]
+
+[taxonomy]
+role = ["library"]
+function = ["authentication"]
+layer = ["backend"]
+
+[[security.sinks]]
+symbol = "client.search"
+threat = "ldap_injection"
+cwe = "CWE-90"
+note = "When filter string built from caller input; use ldapjs filter objects"
+
+[[security.sinks]]
+symbol = "client.bind"
+threat = "ldap_injection"
+cwe = "CWE-90"
+note = "When DN built from caller input"

knowledge/php/ldap.toml

@@ -0,0 +1,34 @@
+[tool]
+name = "PHP LDAP"
+category = "build"
+homepage = "https://www.php.net/manual/en/book.ldap.php"
+docs = "https://www.php.net/manual/en/book.ldap.php"
+description = "LDAP extension for PHP"
+
+[detect]
+ecosystems = ["php"]
+
+[detect.file_contains]
+"composer.json" = ["ext-ldap"]
+
+[taxonomy]
+role = ["library"]
+function = ["authentication"]
+layer = ["backend"]
+
+[[security.sinks]]
+symbol = "ldap_search"
+threat = "ldap_injection"
+cwe = "CWE-90"
+note = "When filter built from user input without escaping; use ldap_escape"
+
+[[security.sinks]]
+symbol = "ldap_bind"
+threat = "ldap_injection"
+cwe = "CWE-90"
+note = "When DN built from user input"
+
+[[security.sinks]]
+symbol = "ldap_read"
+threat = "ldap_injection"
+cwe = "CWE-90"

knowledge/python/ldap3.toml

@@ -0,0 +1,27 @@
+[tool]
+name = "ldap3"
+category = "build"
+homepage = "https://ldap3.readthedocs.io"
+docs = "https://ldap3.readthedocs.io"
+repo = "https://github.com/cannatag/ldap3"
+description = "LDAP client library for Python"
+
+[detect]
+dependencies = ["ldap3"]
+ecosystems = ["python"]
+
+[taxonomy]
+role = ["library"]
+function = ["authentication"]
+layer = ["backend"]
+
+[[security.sinks]]
+symbol = "Connection.search"
+threat = "ldap_injection"
+cwe = "CWE-90"
+note = "When search_filter built via string formatting with caller input"
+
+[[security.sinks]]
+symbol = "Connection.extend.standard.modify_password"
+threat = "ldap_injection"
+cwe = "CWE-90"

knowledge/ruby/net-ldap.toml

@@ -0,0 +1,27 @@
+[tool]
+name = "net-ldap"
+category = "build"
+homepage = "https://github.com/ruby-ldap/ruby-net-ldap"
+docs = "https://www.rubydoc.info/gems/net-ldap"
+repo = "https://github.com/ruby-ldap/ruby-net-ldap"
+description = "LDAP client library for Ruby"
+
+[detect]
+dependencies = ["net-ldap"]
+ecosystems = ["ruby"]
+
+[taxonomy]
+role = ["library"]
+function = ["authentication"]
+layer = ["backend"]
+
+[[security.sinks]]
+symbol = "Net::LDAP#search"
+threat = "ldap_injection"
+cwe = "CWE-90"
+note = "When filter built via string interpolation; use Net::LDAP::Filter"
+
+[[security.sinks]]
+symbol = "Net::LDAP#bind_as"
+threat = "ldap_injection"
+cwe = "CWE-90"