SONARJAVA-4416 Update rules metadata (#4309)

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1066.json

@@ -13,5 +13,5 @@
   "ruleSpecification": "RSPEC-1066",
   "sqKey": "S1066",
   "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1132.json

@@ -13,5 +13,5 @@
   "ruleSpecification": "RSPEC-1132",
   "sqKey": "S1132",
   "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1181.html

@@ -15,7 +15,7 @@ <h2>Compliant Solution</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="https://cwe.mitre.org/data/definitions/396">MITRE, CWE-396</a> - Declaration of Catch for Generic Exception </li>
-  <li> <a href="https://github.com/isocpp/CppCoreGuidelines/blob/036324/CppCoreGuidelines.md#Re-exception-types">C++ Core Guidelines E.14</a> - Use
-  purpose-designed user-defined types as exceptions (not built-in types) </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/display/java/ERR08-J.+Do+not+catch+NullPointerException+or+any+of+its+ancestors">CERT,
+  ERR08-J.</a> - Do not catch NullPointerException or any of its ancestors </li>
 </ul>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1217.json

@@ -23,5 +23,5 @@
       "THI00-J."
     ]
   },
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1450.json

@@ -13,5 +13,5 @@
   "ruleSpecification": "RSPEC-1450",
   "sqKey": "S1450",
   "scope": "Main",
-  "quickfix": "unknown"
+  "quickfix": "partial"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1656.json

@@ -13,7 +13,7 @@
   "ruleSpecification": "RSPEC-1656",
   "sqKey": "S1656",
   "scope": "All",
-  "quickfix": "unknown",
+  "quickfix": "partial",
   "securityStandards": {
     "CERT": [
       "MSC12-C."

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2116.json

@@ -11,5 +11,5 @@
   "ruleSpecification": "RSPEC-2116",
   "sqKey": "S2116",
   "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2129.json

@@ -13,5 +13,5 @@
   "ruleSpecification": "RSPEC-2129",
   "sqKey": "S2129",
   "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2147.json

@@ -13,5 +13,5 @@
   "ruleSpecification": "RSPEC-2147",
   "sqKey": "S2147",
   "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2225.json

@@ -22,5 +22,5 @@
       476
     ]
   },
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2612.html

@@ -1,5 +1,7 @@
-<p>In Unix, "<code>others</code>" class refers to all users except the owner of the file and the members of the group assigned to this file.</p>
-<p>Granting permissions to this group can lead to unintended access to files.</p>
+<p>In Unix file system permissions, the "<code>others</code>" category refers to all users except the owner of the file system resource and the
+members of the group assigned to this resource.</p>
+<p>Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive
+information, disrupt services or elevate privileges.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> The application is designed to be run on a multi-user environment. </li>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4507.html

@@ -1,19 +1,14 @@
-<p>Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:</p>
-<ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999007">CVE-2018-1999007</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5306">CVE-2015-5306</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2006">CVE-2013-2006</a> </li>
-</ul>
-<p>An application’s debug features enable developers to find bugs more easily and thus facilitate also the work of attackers. It often gives access to
-detailed information on both the system running the application and users.</p>
+<p>Development tools and frameworks usually have options to make debugging easier for developers. Although these features are useful during
+development, they should never be enabled for applications deployed in production. Debug instructions or error messages can leak detailed information
+about the system, like the application’s path or file names.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
-  <li> the code or configuration enabling the application debug features is deployed on production servers or distributed to end users. </li>
-  <li> the application runs by default with debug features activated. </li>
+  <li> The code or configuration enabling the application debug features is deployed on production servers or distributed to end users. </li>
+  <li> The application runs by default with debug features activated. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p>Do not enable debug features on production servers or applications distributed to end users.</p>
+<p>Do not enable debugging features on production servers or applications distributed to end users.</p>
 <h2>Sensitive Code Example</h2>
 <p><code>Throwable.printStackTrace(...)</code> prints a Throwable and its stack trace to <code>System.Err</code> (by default) which is not easily
 parseable and can expose sensitive information:</p>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4719.json

@@ -14,5 +14,5 @@
   "ruleSpecification": "RSPEC-4719",
   "sqKey": "S4719",
   "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5322.html

@@ -4,22 +4,22 @@
   <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1677">CVE-2019-1677</a> </li>
   <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1275">CVE-2015-1275</a> </li>
 </ul>
-<p>Receivers can be declared in the manifest or in the code to make them context specific. If the receiver is declared in the manifest Android will
+<p>Receivers can be declared in the manifest or in the code to make them context-specific. If the receiver is declared in the manifest Android will
 start the application if it is not already running once a matching broadcast is received. The receiver is an entry point into the application.</p>
 <p>Other applications can send potentially malicious broadcasts, so it is important to consider broadcasts as untrusted and to limit the applications
 that can send broadcasts to the receiver.</p>
 <p>Permissions can be specified to restrict broadcasts to authorized applications. Restrictions can be enforced by both the sender and receiver of a
 broadcast. If permissions are specified when registering a broadcast receiver, then only broadcasters who were granted this permission can send a
 message to the receiver.</p>
-<p>This rule raises an issue when a receiver is registered without specifying any "broadcast permission".</p>
+<p>This rule raises an issue when a receiver is registered without specifying any broadcast permission.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> The data extracted from intents is not sanitized. </li>
   <li> Intents broadcast is not restricted. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p>Restrict the access to broadcasted intents. See <a
+<p>Restrict the access to broadcasted intents. See the <a
 href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> for more
 information.</p>
 <h2>Sensitive Code Example</h2>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5332.html

@@ -68,7 +68,7 @@ <h2>Sensitive Code Example</h2>
   .build();
 </pre>
 <p>Android WebView can be configured to allow a secure origin to load content from any other origin, even if that origin is insecure (mixed
-content);</p>
+content):</p>
 <pre>
 import android.webkit.WebView
 
@@ -79,22 +79,22 @@ <h2>Compliant Solution</h2>
 <p>Use instead these clients from <a href="https://commons.apache.org/proper/commons-net/">Apache commons net</a> and <a
 href="http://www.jcraft.com/jsch/">JSch/ssh</a> library:</p>
 <pre>
-JSch jsch = new JSch(); // Compliant
+JSch jsch = new JSch();
 
 if(implicit) {
   // implicit mode is considered deprecated but offer the same security than explicit mode
-  FTPSClient ftpsClient = new FTPSClient(true); // Compliant
+  FTPSClient ftpsClient = new FTPSClient(true);
 }
 else {
-  FTPSClient ftpsClient = new FTPSClient(); // Compliant
+  FTPSClient ftpsClient = new FTPSClient();
 }
 
 if(implicit) {
   // implicit mode is considered deprecated but offer the same security than explicit mode
-  SMTPSClient smtpsClient = new SMTPSClient(true); // Compliant
+  SMTPSClient smtpsClient = new SMTPSClient(true);
 }
 else {
-  SMTPSClient smtpsClient = new SMTPSClient(); // Compliant
+  SMTPSClient smtpsClient = new SMTPSClient();
   smtpsClient.connect("127.0.0.1", 25);
   if (smtpsClient.execTLS()) {
     // commands
@@ -103,10 +103,10 @@ <h2>Compliant Solution</h2>
 </pre>
 <p>Perform HTTP encrypted connections, with <a href="https://square.github.io/okhttp/https/">okhttp</a> library for instance:</p>
 <pre>
-ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) // Compliant
+ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
   .build();
 </pre>
-<p>The most secure mode for Android WebView is <code>MIXED_CONTENT_NEVER_ALLOW</code>;</p>
+<p>The most secure mode for Android WebView is <code>MIXED_CONTENT_NEVER_ALLOW</code>:</p>
 <pre>
 import android.webkit.WebView
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5810.json

@@ -14,5 +14,5 @@
   "ruleSpecification": "RSPEC-5810",
   "sqKey": "S5810",
   "scope": "Tests",
-  "quickfix": "unknown"
+  "quickfix": "covered"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S6362.html

@@ -1,6 +1,6 @@
 <p>WebViews can be used to display web content as part of a mobile application. A browser engine is used to render and display the content. Like a web
-application a mobile application that uses WebViews can be vulnerable to Cross-Site Scripting if untrusted code is rendered. In the context of a
-WebView JavaScript code can exfiltrate local files that might be sensitive or even worse, access exposed functions of the application that can result
+application, a mobile application that uses WebViews can be vulnerable to Cross-Site Scripting if untrusted code is rendered. In the context of a
+WebView, JavaScript code can exfiltrate local files that might be sensitive or even worse, access exposed functions of the application that can result
 in more severe vulnerabilities such as code injection. Thus JavaScript support should not be enabled for WebViews unless it is absolutely necessary
 and the authenticity of the web resources can be guaranteed.</p>
 <h2>Ask Yourself Whether</h2>
@@ -10,7 +10,7 @@ <h2>Ask Yourself Whether</h2>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p>It’s recommended to disable JavaScript support for WebViews unless it is necessary to execute JavaScript code. Only trusted pages should be
+<p>It is recommended to disable JavaScript support for WebViews unless it is necessary to execute JavaScript code. Only trusted pages should be
 rendered.</p>
 <h2>Sensitive Code Example</h2>
 <pre>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S6363.html

@@ -1,5 +1,5 @@
 <p>WebViews can be used to display web content as part of a mobile application. A browser engine is used to render and display the content. Like a web
-application a mobile application that uses WebViews can be vulnerable to Cross-Site Scripting if untrusted code is rendered.</p>
+application, a mobile application that uses WebViews can be vulnerable to Cross-Site Scripting if untrusted code is rendered.</p>
 <p>If malicious JavaScript code in a WebView is executed this can leak the contents of sensitive files when access to local files is enabled.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
@@ -8,7 +8,7 @@ <h2>Ask Yourself Whether</h2>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p>It’s recommended to disable access to local files for WebViews unless it is necessary. In the case of a successful attack through a Cross-Site
+<p>It is recommended to disable access to local files for WebViews unless it is necessary. In the case of a successful attack through a Cross-Site
 Scripting vulnerability the attackers attack surface decreases drastically if no files can be read out.</p>
 <h2>Sensitive Code Example</h2>
 <pre>

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2023-01-06T15:19:03.336873100Z",
+  "latest-update": "2023-02-13T09:48:50.128257Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false