SONARJAVA-4345 Update rule metadata. (#4265)

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1313.html

@@ -40,9 +40,13 @@ <h2>Exceptions</h2>
 <ul>
   <li> Loopback addresses 127.0.0.0/8 in CIDR notation (from 127.0.0.0 to 127.255.255.255) </li>
   <li> Broadcast address 255.255.255.255 </li>
-  <li> Non routable address 0.0.0.0 </li>
+  <li> Non-routable address 0.0.0.0 </li>
   <li> Strings of the form <code>2.5.&lt;number&gt;.&lt;number&gt;</code> as they <a href="http://www.oid-info.com/introduction.htm">often match
-  Object Identifiers</a> (OID). </li>
+  Object Identifiers</a> (OID) </li>
+  <li> Addresses in the ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, reserved for documentation purposes by <a
+  href="https://datatracker.ietf.org/doc/html/rfc5737">RFC 5737</a> </li>
+  <li> Addresses in the range 2001:db8::/32, reserved for documentation purposes by <a href="https://datatracker.ietf.org/doc/html/rfc3849">RFC
+  3849</a> </li>
 </ul>
 <h2>See</h2>
 <ul>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2097.html

@@ -2,8 +2,8 @@
 should not assume it will only be used to test objects of its class type. It must instead check the parameter’s type.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
-public boolean equals(Object obj) {
-  MyClass mc = (MyClass)obj;  // Noncompliant
+public boolean equals(Object obj) { // Noncompliant
+  MyClass mc = (MyClass)obj;
   // ...
 }
 </pre>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2629.html

@@ -30,7 +30,7 @@ <h2>Compliant Solution</h2>
 
 LOG.error("Unable to open file {0}", csvPath, e);
 
-if (LOG.isDebugEnabled() {
+if (LOG.isDebugEnabled()) {
   LOG.debug("Unable to open file " + csvPath, e);  // this is compliant, because it will not evaluate if log level is above debug.
 }
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.html

@@ -4,54 +4,40 @@
 <p>To generate Initialization Vectors, NIST recommends to use a secure random number generator.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
-public class MyCbcClass {
+public void encrypt(String key, String plainText) throws GeneralSecurityException {
+    byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes(StandardCharsets.UTF_8); // secondary
 
-  public String applyCBC(String strKey, String plainText) {
-    byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes("UTF-8");
+    GCMParameterSpec iv = new GCMParameterSpec(128,bytesIV);  // secondary
+    SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");
 
-    /* KEY + IV setting */
-    IvParameterSpec iv = new IvParameterSpec(bytesIV);
-    SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");
-
-    /* Ciphering */
-    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
-    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);  // Noncompliant: the IV is hard coded and thus not generated with a secure random generator
-    byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
-    return DatatypeConverter.printBase64Binary(bytesIV)
-            + ";" + DatatypeConverter.printBase64Binary(encryptedBytes);
+    Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
+    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Noncompliant
   }
-}
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
-public class MyCbcClass {
-
-  SecureRandom random = new SecureRandom();
-
-  public String applyCBC(String strKey, String plainText) {
+public void encrypt(String key, String plainText) throws GeneralSecurityException {
+    SecureRandom random = new SecureRandom();
     byte[] bytesIV = new byte[16];
-    random.nextBytes(bytesIV);
+    random.nextBytes(bytesIV); // Random initialization vector
 
-    /* KEY + IV setting */
-    IvParameterSpec iv = new IvParameterSpec(bytesIV);
-    SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");
+    GCMParameterSpec iv = new GCMParameterSpec(128, bytesIV);
+    SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");
 
-    /* Ciphering */
-    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
-    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Compliant
-    byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
-    return DatatypeConverter.printBase64Binary(bytesIV)
-            + ";" + DatatypeConverter.printBase64Binary(encryptedBytes);
+    Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
+    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
   }
-}
 </pre>
 <h2>See</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">OWASP Top 10 2021 Category A2</a> - Cryptographic Failures </li>
-  <li> <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
-  Misconfiguration </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/329">MITRE, CWE-329</a> - CWE-329: Not Using an Unpredictable IV with CBC Mode </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/330">MITRE, CWE-330</a> - Use of Insufficiently Random Values </li>
+  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
+  </li>
+  <li> <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
+  Verification Standard</a> - Cryptography Requirements </li>
+  <li> <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">OWASP Mobile Top 10 2016 Category M5</a> -
+  Insufficient Cryptography </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/329">MITRE, CWE-329</a> - Not Using an Unpredictable IV with CBC Mode </li>
   <li> <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf">NIST, SP-800-38A</a> - Recommendation for Block Cipher
   Modes of Operation </li>
   <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#STATIC_IV">STATIC_IV</a> </li>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.json

@@ -8,7 +8,7 @@
   },
   "tags": [
     "cwe",
-    "owasp-a6",
+    "owasp-a3",
     "owasp-m5"
   ],
   "defaultSeverity": "Critical",
@@ -17,13 +17,10 @@
   "scope": "Main",
   "securityStandards": {
     "CWE": [
-      329,
-      330,
-      340,
-      1204
+      329
     ],
     "OWASP": [
-      "A6"
+      "A3"
     ],
     "OWASP Mobile": [
       "M5"

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html

@@ -3,6 +3,9 @@
 <p>It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the
 door to downgrade attacks: a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a
 less secure version.</p>
+<p>In most cases, using the default system configuration is not compliant. Indeed, an application might get deployed on a wide range of systems with
+different configurations. While using a system’s default value might be safe on modern up-to-date systems, this might not be the case on older
+systems. It is therefore recommended to explicitly set a safe configuration in every case.</p>
 <h2>Noncompliant Code Example</h2>
 <p><code>javax.net.ssl.SSLContext</code> library:</p>
 <pre>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5332.html

@@ -1,20 +1,20 @@
-<p>Clear-text protocols such as <code>ftp</code>, <code>telnet</code> or non-secure <code>http</code> lack encryption of transported data, as well as
-the capability to build an authenticated connection. It means that an attacker able to sniff traffic from the network can read, modify or corrupt the
+<p>Clear-text protocols such as <code>ftp</code>, <code>telnet</code>, or <code>http</code> lack encryption of transported data, as well as the
+capability to build an authenticated connection. It means that an attacker able to sniff traffic from the network can read, modify, or corrupt the
 transported content. These protocols are not secure as they expose applications to an extensive range of risks:</p>
 <ul>
-  <li> Sensitive data exposure </li>
-  <li> Traffic redirected to a malicious endpoint </li>
-  <li> Malware infected software update or installer </li>
-  <li> Execution of client side code </li>
-  <li> Corruption of critical information </li>
+  <li> sensitive data exposure </li>
+  <li> traffic redirected to a malicious endpoint </li>
+  <li> malware-infected software update or installer </li>
+  <li> execution of client-side code </li>
+  <li> corruption of critical information </li>
 </ul>
 <p>Even in the context of isolated networks like offline environments or segmented cloud environments, the insider threat exists. Thus, attacks
 involving communications being sniffed or tampered with can still happen.</p>
 <p>For example, attackers could successfully compromise prior security layers by:</p>
 <ul>
-  <li> Bypassing isolation mechanisms </li>
-  <li> Compromising a component of the network </li>
-  <li> Getting the credentials of an internal IAM account (either from a service account or an actual person) </li>
+  <li> bypassing isolation mechanisms </li>
+  <li> compromising a component of the network </li>
+  <li> getting the credentials of an internal IAM account (either from a service account or an actual person) </li>
 </ul>
 <p>In such cases, encrypting communications would decrease the chances of attackers to successfully leak data or steal credentials from other network
 components. By layering various security practices (segmentation and encryption, for example), the application will follow the
@@ -30,27 +30,27 @@
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> Application data needs to be protected against falsifications or leaks when transiting over the network. </li>
-  <li> Application data transits over a network that is considered untrusted. </li>
+  <li> Application data transits over an untrusted network. </li>
   <li> Compliance rules require the service to encrypt data in transit. </li>
   <li> Your application renders web pages with a relaxed mixed content policy. </li>
-  <li> OS level protections against clear-text traffic are deactivated. </li>
+  <li> OS-level protections against clear-text traffic are deactivated. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
   <li> Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most
   common clear-text protocols:
     <ul>
-      <li> Use<code>ssh</code> as an alternative to <code>telnet</code> </li>
-      <li> Use <code>sftp</code>, <code>scp</code> or <code>ftps</code> instead of <code>ftp</code> </li>
-      <li> Use <code>https</code> instead of <code>http</code> </li>
-      <li> Use <code>SMTP</code> over <code>SSL/TLS</code> or <code>SMTP</code> with <code>STARTTLS</code> instead of clear-text SMTP </li>
+      <li> Use <code>ssh</code> as an alternative to <code>telnet</code>. </li>
+      <li> Use <code>sftp</code>, <code>scp</code>, or <code>ftps</code> instead of <code>ftp</code>. </li>
+      <li> Use <code>https</code> instead of <code>http</code>. </li>
+      <li> Use <code>SMTP</code> over <code>SSL/TLS</code> or <code>SMTP</code> with <code>STARTTLS</code> instead of clear-text SMTP. </li>
     </ul>  </li>
-  <li> Enable encryption of cloud components communications whenever it’s possible. </li>
+  <li> Enable encryption of cloud components communications whenever it is possible. </li>
   <li> Configure your application to block mixed content when rendering web pages. </li>
-  <li> If available, enforce OS level deactivation of all clear-text traffic </li>
+  <li> If available, enforce OS-level deactivation of all clear-text traffic. </li>
 </ul>
-<p>It is recommended to secure all transport channels (even local network) as it can take a single non secure connection to compromise an entire
+<p>It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire
 application or system.</p>
 <h2>Sensitive Code Example</h2>
 <p>These clients from <a href="https://commons.apache.org/proper/commons-net/">Apache commons net</a> libraries are based on unencrypted protocols and
@@ -116,7 +116,7 @@ <h2>Compliant Solution</h2>
 <h2>Exceptions</h2>
 <p>No issue is reported for the following cases because they are not considered sensitive:</p>
 <ul>
-  <li> Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or <code>localhost</code> </li>
+  <li> Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or <code>localhost</code>. </li>
 </ul>
 <h2>See</h2>
 <ul>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html

@@ -34,7 +34,7 @@ <h2>Compliant Solution</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">OWASP Top 10 2021 Category A2</a> - Cryptographic Failures </li>
-  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
+  <li> <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
   Misconfiguration </li>
   <li> <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
   Verification Standard</a> - Cryptography Requirements </li>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.json

@@ -47,6 +47,11 @@
     "PCI DSS 4.0": [
       "4.2.1",
       "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.9.3",
+      "6.2.2",
+      "8.3.7"
     ]
   },
   "quickfix": "unknown"

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2022-10-25T09:41:34.432584Z",
+  "latest-update": "2023-01-06T15:19:03.336873100Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false