Added rules file for insecure deserialisation issues in WebGoat.

Author: marek-trtik

benchmarks/GENUINE/WebGoatRulesIDES.json

@@ -0,0 +1,24 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Incoming accountName is potentially dangerous.",
+        "class": "Main",
+        "method": "makeTainted:(Ljava/lang/String;)Ljava/lang/String;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted XML string"
+        }
+      },
+      {
+        "comment": "A tainted XML string is insecurely deserialised.",
+        "class": "com.thoughtworks.xstream.XStream",
+        "method": "fromXML:(Ljava/lang/String;)Ljava/lang/Object;",
+        "sinkTarget": {
+          "location": "arg1",
+          "taint": "Tainted XML string"
+        }
+      }
+    ]
+}