diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1313.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1313.html
index 8648b39b783..144296d72d7 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1313.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1313.html
@@ -40,9 +40,13 @@
Exceptions
- Loopback addresses 127.0.0.0/8 in CIDR notation (from 127.0.0.0 to 127.255.255.255)
- Broadcast address 255.255.255.255
- - Non routable address 0.0.0.0
+ - Non-routable address 0.0.0.0
- Strings of the form
2.5.<number>.<number>
as they often match
- Object Identifiers (OID).
+ Object Identifiers (OID)
+ - Addresses in the ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, reserved for documentation purposes by RFC 5737
+ - Addresses in the range 2001:db8::/32, reserved for documentation purposes by RFC
+ 3849
See
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2097.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2097.html
index 816baca49a0..a12d2473a67 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2097.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2097.html
@@ -2,8 +2,8 @@
should not assume it will only be used to test objects of its class type. It must instead check the parameter’s type.
Noncompliant Code Example
-public boolean equals(Object obj) {
- MyClass mc = (MyClass)obj; // Noncompliant
+public boolean equals(Object obj) { // Noncompliant
+ MyClass mc = (MyClass)obj;
// ...
}
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2629.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2629.html
index 7689671800f..ea632b5334f 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2629.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2629.html
@@ -30,7 +30,7 @@ Compliant Solution
LOG.error("Unable to open file {0}", csvPath, e);
-if (LOG.isDebugEnabled() {
+if (LOG.isDebugEnabled()) {
LOG.debug("Unable to open file " + csvPath, e); // this is compliant, because it will not evaluate if log level is above debug.
}
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.html
index a63b3ec59f0..7baff3829da 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.html
@@ -4,54 +4,40 @@
To generate Initialization Vectors, NIST recommends to use a secure random number generator.
Noncompliant Code Example
-public class MyCbcClass {
+public void encrypt(String key, String plainText) throws GeneralSecurityException {
+ byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes(StandardCharsets.UTF_8); // secondary
- public String applyCBC(String strKey, String plainText) {
- byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes("UTF-8");
+ GCMParameterSpec iv = new GCMParameterSpec(128,bytesIV); // secondary
+ SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");
- /* KEY + IV setting */
- IvParameterSpec iv = new IvParameterSpec(bytesIV);
- SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");
-
- /* Ciphering */
- Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
- cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Noncompliant: the IV is hard coded and thus not generated with a secure random generator
- byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
- return DatatypeConverter.printBase64Binary(bytesIV)
- + ";" + DatatypeConverter.printBase64Binary(encryptedBytes);
+ Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
+ cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Noncompliant
}
-}
Compliant Solution
-public class MyCbcClass {
-
- SecureRandom random = new SecureRandom();
-
- public String applyCBC(String strKey, String plainText) {
+public void encrypt(String key, String plainText) throws GeneralSecurityException {
+ SecureRandom random = new SecureRandom();
byte[] bytesIV = new byte[16];
- random.nextBytes(bytesIV);
+ random.nextBytes(bytesIV); // Random initialization vector
- /* KEY + IV setting */
- IvParameterSpec iv = new IvParameterSpec(bytesIV);
- SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");
+ GCMParameterSpec iv = new GCMParameterSpec(128, bytesIV);
+ SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");
- /* Ciphering */
- Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
- cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Compliant
- byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
- return DatatypeConverter.printBase64Binary(bytesIV)
- + ";" + DatatypeConverter.printBase64Binary(encryptedBytes);
+ Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
+ cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
}
-}
See
- OWASP Top 10 2021 Category A2 - Cryptographic Failures
- - OWASP Top 10 2017 Category A6 - Security
- Misconfiguration
- - MITRE, CWE-329 - CWE-329: Not Using an Unpredictable IV with CBC Mode
- - MITRE, CWE-330 - Use of Insufficiently Random Values
+ - OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
+
+ - Mobile AppSec
+ Verification Standard - Cryptography Requirements
+ - OWASP Mobile Top 10 2016 Category M5 -
+ Insufficient Cryptography
+ - MITRE, CWE-329 - Not Using an Unpredictable IV with CBC Mode
- NIST, SP-800-38A - Recommendation for Block Cipher
Modes of Operation
- Derived from FindSecBugs rule STATIC_IV
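Review bot: The rewritten Compliant Solution pairs `GCMParameterSpec iv = new GCMParameterSpec(128, bytesIV);` with `Cipher.getInstance("AES/CBC/NoPadding")`, and a CBC cipher only accepts an `IvParameterSpec`, so `cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv)` would throw `InvalidAlgorithmParameterException` at runtime; the Noncompliant example carries the same mismatch. Since the rule's references (CWE-329, NIST SP 800-38A) frame this as a CBC IV problem, the consistent fix is to keep the CBC transformation and construct the parameter as `IvParameterSpec iv = new IvParameterSpec(bytesIV);` in both snippets, with the import changed accordingly. If the intent was instead to show GCM, the transformation should become `Cipher.getInstance("AES/GCM/NoPadding")`, and a GCM example should use a nonce that is never reused with the same key, which the "Random initialization vector" comment on `random.nextBytes(bytesIV)` does not convey. A one-line comment such as `// CBC requires an IvParameterSpec; GCM would use GCMParameterSpec` would keep readers from copying the wrong pairing.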
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.json
index 25800fe2967..7785a171452 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3329.json
@@ -8,7 +8,7 @@
},
"tags": [
"cwe",
- "owasp-a6",
+ "owasp-a3",
"owasp-m5"
],
"defaultSeverity": "Critical",
@@ -17,13 +17,10 @@
"scope": "Main",
"securityStandards": {
"CWE": [
- 329,
- 330,
- 340,
- 1204
+ 329
],
"OWASP": [
- "A6"
+ "A3"
],
"OWASP Mobile": [
"M5"
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html
index 8031c6f1212..83dc8aa665a 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html
@@ -3,6 +3,9 @@
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the
door to downgrade attacks: a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a
less secure version.
+In most cases, using the default system configuration is not compliant. Indeed, an application might get deployed on a wide range of systems with
+different configurations. While using a system’s default value might be safe on modern up-to-date systems, this might not be the case on older
+systems. It is therefore recommended to explicitly set a safe configuration in every case.
Noncompliant Code Example
javax.net.ssl.SSLContext
library:
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5332.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5332.html
index 2da841194b0..104a45c588d 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5332.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5332.html
@@ -1,20 +1,20 @@
-Clear-text protocols such as ftp
, telnet
or non-secure http
lack encryption of transported data, as well as
-the capability to build an authenticated connection. It means that an attacker able to sniff traffic from the network can read, modify or corrupt the
+
Clear-text protocols such as ftp
, telnet
, or http
lack encryption of transported data, as well as the
+capability to build an authenticated connection. It means that an attacker able to sniff traffic from the network can read, modify, or corrupt the
transported content. These protocols are not secure as they expose applications to an extensive range of risks:
- - Sensitive data exposure
- - Traffic redirected to a malicious endpoint
- - Malware infected software update or installer
- - Execution of client side code
- - Corruption of critical information
+ - sensitive data exposure
+ - traffic redirected to a malicious endpoint
+ - malware-infected software update or installer
+ - execution of client-side code
+ - corruption of critical information
Even in the context of isolated networks like offline environments or segmented cloud environments, the insider threat exists. Thus, attacks
involving communications being sniffed or tampered with can still happen.
For example, attackers could successfully compromise prior security layers by:
- - Bypassing isolation mechanisms
- - Compromising a component of the network
- - Getting the credentials of an internal IAM account (either from a service account or an actual person)
+ - bypassing isolation mechanisms
+ - compromising a component of the network
+ - getting the credentials of an internal IAM account (either from a service account or an actual person)
In such cases, encrypting communications would decrease the chances of attackers to successfully leak data or steal credentials from other network
components. By layering various security practices (segmentation and encryption, for example), the application will follow the
@@ -30,10 +30,10 @@
Ask Yourself Whether
- Application data needs to be protected against falsifications or leaks when transiting over the network.
- - Application data transits over a network that is considered untrusted.
+ - Application data transits over an untrusted network.
- Compliance rules require the service to encrypt data in transit.
- Your application renders web pages with a relaxed mixed content policy.
- - OS level protections against clear-text traffic are deactivated.
+ - OS-level protections against clear-text traffic are deactivated.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
@@ -41,16 +41,16 @@ Recommended Secure Coding Practices
Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most
common clear-text protocols:
- - Use
ssh
as an alternative to telnet
- - Use
sftp
, scp
or ftps
instead of ftp
- - Use
https
instead of http
- - Use
SMTP
over SSL/TLS
or SMTP
with STARTTLS
instead of clear-text SMTP
+ - Use
ssh
as an alternative to telnet
.
+ - Use
sftp
, scp
, or ftps
instead of ftp
.
+ - Use
https
instead of http
.
+ - Use
SMTP
over SSL/TLS
or SMTP
with STARTTLS
instead of clear-text SMTP.
- Enable encryption of cloud components communications whenever it’s possible.
+ Enable encryption of cloud components communications whenever it is possible.
Configure your application to block mixed content when rendering web pages.
- If available, enforce OS level deactivation of all clear-text traffic
+ If available, enforce OS-level deactivation of all clear-text traffic.
-It is recommended to secure all transport channels (even local network) as it can take a single non secure connection to compromise an entire
+
It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire
application or system.
Sensitive Code Example
These clients from Apache commons net libraries are based on unencrypted protocols and
@@ -116,7 +116,7 @@
Compliant Solution
Exceptions
No issue is reported for the following cases because they are not considered sensitive:
- - Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or
localhost
+ - Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or
localhost
.
See
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html
index 63f4260df1c..9e71bf8584b 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html
@@ -34,7 +34,7 @@ Compliant Solution
See
- OWASP Top 10 2021 Category A2 - Cryptographic Failures
- - OWASP Top 10 2017 Category A6 - Security
+
- OWASP Top 10 2017 Category A6 - Security
Misconfiguration
- Mobile AppSec
Verification Standard - Cryptography Requirements
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.json
index edd532a7fc2..b55f5e5bd6b 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542.json
@@ -47,6 +47,11 @@
"PCI DSS 4.0": [
"4.2.1",
"6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.9.3",
+ "6.2.2",
+ "8.3.7"
]
},
"quickfix": "unknown"
diff --git a/sonarpedia.json b/sonarpedia.json
index 86d61741690..e37dd3ba73d 100644
--- a/sonarpedia.json
+++ b/sonarpedia.json
@@ -3,7 +3,7 @@
"languages": [
"JAVA"
],
- "latest-update": "2022-10-25T09:41:34.432584Z",
+ "latest-update": "2023-01-06T15:19:03.336873100Z",
"options": {
"no-language-in-filenames": true,
"preserve-filenames": false