From 82b94b9a0b00624cdec71675bf42184d7fa29961 Mon Sep 17 00:00:00 2001 From: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:04:15 +0100 Subject: [PATCH 01/61] Modify rule S7007: Update example (#4418) While validating this rule, it was found that the noncompliant example in the RSPEC did not trigger. This is because the detection also looks for the secret ID, which is missing from the example. The example has now been updated to include a secret ID and it now correctly triggers the rule. --- rules/S7007/secrets/rule.adoc | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/rules/S7007/secrets/rule.adoc b/rules/S7007/secrets/rule.adoc index 1b41fbc76a2..d23d5b43774 100644 --- a/rules/S7007/secrets/rule.adoc +++ b/rules/S7007/secrets/rule.adoc @@ -27,11 +27,21 @@ include::../../../shared_content/secrets/fix/vault.adoc[] === Code examples -:example_secret: 6YPElC5Wip6ECQcMHwv350RjkgONEMTn -:example_name: tencent.secret-key -:example_env: TENCENT_SECRET_KEY +==== Noncompliant code example -include::../../../shared_content/secrets/examples.adoc[] +[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"] +---- +props.set("tencent.secret-id", "AKID6CtdYzpITwVpVj8rPUbVYoh8VexW0WOv"); +props.set("tencent.secret-key", "zPdkmi5UUKjqkXgJFsHf6HMOZsxNrgRk"); // Noncompliant +---- + +==== Compliant solution + +[source,java,diff-id=1,diff-type=compliant,subs="attributes"] +---- +props.set("tencent.secret-id", System.getenv("TENCENT_SECRET_ID")); +props.set("tencent.secret-key", System.getenv("TENCENT_SECRET_KEY")); +---- //=== How does this work? From 733ac96ca64a7afeda1f895185b823805cccc2d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Joly?= Date: Tue, 15 Oct 2024 22:29:53 +0200 Subject: [PATCH 02/61] Add guidelines to format references to code elements --- docs/description.adoc | 10 ++++++++++ docs/styling_guide.adoc | 14 ++++++++++++++ 2 files changed, 24 insertions(+) 
diff --git a/docs/description.adoc b/docs/description.adoc index 0b159aee488..b0da5435c9a 100644 --- a/docs/description.adoc +++ b/docs/description.adoc @@ -271,6 +271,16 @@ tsql:: use `sql` In case no language is appropriate for a code block (for example shared examples between multiple languages), you can use `text` as the language. +=== References within code blocks + +When referencing a name within a comment in a code example, use double quotes to make it clear it refers to an existing element in the code. + +[source,cpp] +---- +int i = 0; +cout << noexcept(++i); // Noncompliant, "i" is not incremented +---- + === Diff view Additionally, you can also use two attributes to let the products know your code examples should be highlighted with a diff view when possible diff --git a/docs/styling_guide.adoc b/docs/styling_guide.adoc index 4b3dd42c2bc..6f8e6fd522f 100644 --- a/docs/styling_guide.adoc +++ b/docs/styling_guide.adoc @@ -109,3 +109,17 @@ Use it when referencing variable names, file names, tokens, and all kinds of spe Write:: Compiling source file `src/generic_file.py` breaks an `assert` call in pytest framework. Avoid:: Compiling source file "src/generic_file.py" breaks an `assert` call in `pytest` framework. +== Referencing elements from the code + +When referencing elements from the code within a normal sentence, use the `backticks` (```) to format it. This includes variable names, function names, class names, and so on. + +When referencing the same elements within a comment in a code block, surrpond it with double quotes. +[source,cpp] +---- +int i = 0; +// Write +cout << noexcept(++i); // Noncompliant, "i" is not incremented -> Double quotes +// Avoid +cout << noexcept(++i); // Noncompliant, i is not incremented -> No quotes +cout << noexcept(++i); // Noncompliant, `i` is not incremented -> Backticks +---- From 5570d7f9ea3286e7c4266ea50d821ceccd233a0a Mon Sep 17 00:00:00 2001 
From: SonarTech Date: Wed, 16 Oct 2024 02:44:04 +0000 Subject: [PATCH 03/61] update coverage information --- frontend/public/covered_rules.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 57a506771e9..8a2adcc7ebf 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -101,7 +101,8 @@ }, "ANSIBLE": { "S1135": "sonar-iac-enterprise 1.37.0.12742", - "S2260": "sonar-iac-enterprise 1.37.0.12742" + "S2260": "sonar-iac-enterprise 1.37.0.12742", + "S6321": "sonar-iac-enterprise master" }, "APEX": { "S100": "sonar-apex 1.17.0.87", @@ -3318,7 +3319,7 @@ "S6646": "sonar-dataflow-bug-detection 1.17.0.4892", "S6649": "sonar-dataflow-bug-detection 1.17.0.4892", "S6651": "sonar-dataflow-bug-detection 1.17.0.4892", - "S6665": "sonar-java master", + "S6665": "sonar-java 8.5.0.37199", "S6707": "sonar-dataflow-bug-detection 1.17.0.4892", "S6780": "sonar-dataflow-bug-detection 1.19.0.6564", "S6804": "sonar-java 7.27.0.33463", From fab84d04b6f6417ad0cfa2ab097c499d4264e5cd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 09:34:32 +0000 Subject: [PATCH 04/61] Modify rule S1990: mark quick fix as "covered" (#4421) --- rules/S1990/cfamily/metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/S1990/cfamily/metadata.json b/rules/S1990/cfamily/metadata.json index fe9c437bec5..74e466f0430 100644 --- a/rules/S1990/cfamily/metadata.json +++ b/rules/S1990/cfamily/metadata.json @@ -6,5 +6,5 @@ "defaultQualityProfiles": [ "Sonar way" ], - "quickfix": "targeted" + "quickfix": "covered" } \ No newline at end of file From 44534bc94e42ab4bc61f1eec0a42e830b3bdb229 Mon Sep 17 00:00:00 2001 
From: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Date: Wed, 16 Oct 2024 17:02:38 +0200 Subject: [PATCH 05/61] Modify rule S7024 & S7025: Update example to trigger the rule (#4424) --- rules/S7024/secrets/rule.adoc | 2 +- rules/S7025/secrets/rule.adoc | 18 ++++++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/rules/S7024/secrets/rule.adoc b/rules/S7024/secrets/rule.adoc index 6c64663d1f3..2868c7679b9 100644 --- a/rules/S7024/secrets/rule.adoc +++ b/rules/S7024/secrets/rule.adoc @@ -28,7 +28,7 @@ include::../../../shared_content/secrets/fix/vault.adoc[] === Code examples :example_secret: 891c8ed850cddbece40760b800867f1231d43f2d2586 -:example_name: ibm-cloud.cos_hmac.secret-access-key +:example_name: ibm-cloud.cos_hmac.secret_access_key :example_env: COS_HMAC_SECRET_ACCESS_KEY include::../../../shared_content/secrets/examples.adoc[] diff --git a/rules/S7025/secrets/rule.adoc b/rules/S7025/secrets/rule.adoc index 005c8d95eb7..f2b95d9f8b2 100644 --- a/rules/S7025/secrets/rule.adoc +++ b/rules/S7025/secrets/rule.adoc @@ -28,11 +28,21 @@ include::../../../shared_content/secrets/fix/vault.adoc[] === Code examples -:example_secret: 10db3f279df241bad2a9692a6a412f80bf3cadba00ace324a1cf6f159f00d019 -:example_name: cloudant.password -:example_env: CLOUDANT_PASSWORD +==== Noncompliant code example -include::../../../shared_content/secrets/examples.adoc[] +[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"] +---- +props.set("cloudant.username", "name"); +props.set("cloudant.password", "10db3f279df241bad2a9692a6a412f80bf3cadba00ace324a1cf6f159f00d019"); // Noncompliant +---- + +==== Compliant solution + +[source,java,diff-id=1,diff-type=compliant,subs="attributes"] +---- +props.set("cloudant.username", System.getenv("CLOUDANT_USERNAME")); +props.set("cloudant.password", System.getenv("CLOUDANT_PASSWORD")); +---- //=== How does this work? 
From fd1d376848c128861a6f544935c8e3d42fa2b9f3 Mon Sep 17 00:00:00 2001 From: SonarTech Date: Fri, 18 Oct 2024 02:43:58 +0000 Subject: [PATCH 06/61] update coverage information --- frontend/public/covered_rules.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 8a2adcc7ebf..8ca6da53945 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -102,7 +102,10 @@ "ANSIBLE": { "S1135": "sonar-iac-enterprise 1.37.0.12742", "S2260": "sonar-iac-enterprise 1.37.0.12742", - "S6321": "sonar-iac-enterprise master" + "S4830": "sonar-iac-enterprise master", + "S5332": "sonar-iac-enterprise master", + "S6321": "sonar-iac-enterprise master", + "S6428": "sonar-iac-enterprise master" }, "APEX": { "S100": "sonar-apex 1.17.0.87", From 4d35623ab6d40fddc6f874dc1aa7204346632279 Mon Sep 17 00:00:00 2001 From: SonarTech Date: Sat, 19 Oct 2024 02:42:25 +0000 Subject: [PATCH 07/61] update coverage information --- frontend/public/covered_rules.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 8ca6da53945..1ac24d379a9 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -102,8 +102,10 @@ "ANSIBLE": { "S1135": "sonar-iac-enterprise 1.37.0.12742", "S2260": "sonar-iac-enterprise 1.37.0.12742", + "S2612": "sonar-iac-enterprise master", "S4830": "sonar-iac-enterprise master", "S5332": "sonar-iac-enterprise master", + "S5849": "sonar-iac-enterprise master", "S6321": "sonar-iac-enterprise master", "S6428": "sonar-iac-enterprise master" }, From 3837a175d3e9282bc31e91e70030bea115e30eba Mon Sep 17 00:00:00 2001 
From: Antonio Aversa Date: Mon, 21 Oct 2024 10:27:29 +0200 Subject: [PATCH 08/61] Convention: use colon as separator in comments within code blocks (#4425) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Loïc Joly --- docs/description.adoc | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/description.adoc b/docs/description.adoc index b0da5435c9a..4e91c5ba934 100644 --- a/docs/description.adoc +++ b/docs/description.adoc @@ -271,14 +271,22 @@ tsql:: use `sql` In case no language is appropriate for a code block (for example shared examples between multiple languages), you can use `text` as the language. -=== References within code blocks +=== Comments within code blocks + +Colon (`:`) should be used as separator between `Noncompliant`/`Compliant` comments and the text explanation that follows, if any. + +[source,cpp] +---- +int X = 2; // Noncompliant: variable should be in lowercase +---- + When referencing a name within a comment in a code example, use double quotes to make it clear it refers to an existing element in the code. [source,cpp] ---- int i = 0; -cout << noexcept(++i); // Noncompliant, "i" is not incremented +cout << noexcept(++i); // Noncompliant: "i" is not incremented ---- === Diff view From cfcc2e6ea968ed41fe496047a704f8580ef1a41b Mon Sep 17 00:00:00 2001 
From: Guillaume Dequenne Date: Tue, 22 Oct 2024 14:40:59 +0200 Subject: [PATCH 09/61] Ensure issue severities are consistent between old model and CCT (#4428) --- rules/S6709/python/metadata.json | 2 +- rules/S6727/python/metadata.json | 2 +- rules/S6729/python/metadata.json | 2 +- rules/S6734/python/metadata.json | 2 +- rules/S6735/python/metadata.json | 2 +- rules/S6740/python/metadata.json | 2 +- rules/S6882/python/metadata.json | 2 +- rules/S6883/python/metadata.json | 2 +- rules/S6886/python/metadata.json | 2 +- rules/S6887/python/metadata.json | 2 +- rules/S6890/python/metadata.json | 2 +- rules/S6894/python/metadata.json | 2 +- rules/S6899/python/metadata.json | 2 +- rules/S6900/python/metadata.json | 2 +- rules/S6903/python/metadata.json | 2 +- rules/S6908/python/metadata.json | 2 +- rules/S6911/python/metadata.json | 2 +- rules/S6918/python/metadata.json | 2 +- rules/S6919/python/metadata.json | 2 +- rules/S6925/python/metadata.json | 2 +- rules/S6928/python/metadata.json | 2 +- rules/S6929/python/metadata.json | 2 +- rules/S6969/python/metadata.json | 2 +- rules/S6971/python/metadata.json | 2 +- rules/S6972/python/metadata.json | 2 +- rules/S6973/python/metadata.json | 2 +- rules/S6974/python/metadata.json | 2 +- rules/S6978/python/metadata.json | 2 +- rules/S6984/python/metadata.json | 2 +- rules/S6985/python/metadata.json | 2 +- 30 files changed, 30 insertions(+), 30 deletions(-) diff --git a/rules/S6709/python/metadata.json b/rules/S6709/python/metadata.json index 41869ab038b..1dd007f8630 100644 --- a/rules/S6709/python/metadata.json +++ b/rules/S6709/python/metadata.json @@ -25,7 +25,7 @@ "quickfix": "unknown", "code": { "impacts": { - "MAINTAINABILITY": "HIGH", + "MAINTAINABILITY": "MEDIUM", "RELIABILITY": "MEDIUM", "SECURITY": "LOW" }, diff --git a/rules/S6727/python/metadata.json b/rules/S6727/python/metadata.json index b0e8e800a17..794cfb8887e 100644 --- a/rules/S6727/python/metadata.json +++ b/rules/S6727/python/metadata.json 
@@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6727", "sqKey": "S6727", "scope": "All", diff --git a/rules/S6729/python/metadata.json b/rules/S6729/python/metadata.json index 15ae580143d..cf99237b8ad 100644 --- a/rules/S6729/python/metadata.json +++ b/rules/S6729/python/metadata.json @@ -10,7 +10,7 @@ "numpy", "data-science" ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6729", "sqKey": "S6729", "scope": "All", diff --git a/rules/S6734/python/metadata.json b/rules/S6734/python/metadata.json index ca34e9f0fa6..300183adbf8 100644 --- a/rules/S6734/python/metadata.json +++ b/rules/S6734/python/metadata.json @@ -10,7 +10,7 @@ "pandas", "data-science" ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6734", "sqKey": "S6734", "scope": "All", diff --git a/rules/S6735/python/metadata.json b/rules/S6735/python/metadata.json index ac5a1d1ef0a..b30d280af45 100644 --- a/rules/S6735/python/metadata.json +++ b/rules/S6735/python/metadata.json @@ -18,7 +18,7 @@ "quickfix": "covered", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "MEDIUM" }, "attribute": "CLEAR" } diff --git a/rules/S6740/python/metadata.json b/rules/S6740/python/metadata.json index 384eb2d69e5..fb1cc7f26b9 100644 --- a/rules/S6740/python/metadata.json +++ b/rules/S6740/python/metadata.json @@ -18,7 +18,7 @@ "quickfix": "unknown", "code": { "impacts": { - "MAINTAINABILITY": "HIGH", + "MAINTAINABILITY": "MEDIUM", "RELIABILITY": "MEDIUM" }, "attribute": "CLEAR" diff --git a/rules/S6882/python/metadata.json b/rules/S6882/python/metadata.json index 7dfc9141962..11e58c38a29 100644 --- a/rules/S6882/python/metadata.json +++ b/rules/S6882/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6882", "sqKey": "S6882", "scope": "All", 
diff --git a/rules/S6883/python/metadata.json b/rules/S6883/python/metadata.json index d040b44b6a8..896196606a6 100644 --- a/rules/S6883/python/metadata.json +++ b/rules/S6883/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6883", "sqKey": "S6883", "scope": "All", diff --git a/rules/S6886/python/metadata.json b/rules/S6886/python/metadata.json index 5d5548f24c3..9a662a78e6c 100644 --- a/rules/S6886/python/metadata.json +++ b/rules/S6886/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6886", "sqKey": "S6886", "scope": "All", diff --git a/rules/S6887/python/metadata.json b/rules/S6887/python/metadata.json index a9a1d6a8948..9dda7bd0858 100644 --- a/rules/S6887/python/metadata.json +++ b/rules/S6887/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6887", "sqKey": "S6887", "scope": "All", diff --git a/rules/S6890/python/metadata.json b/rules/S6890/python/metadata.json index 2b11539286b..b0dea47a572 100644 --- a/rules/S6890/python/metadata.json +++ b/rules/S6890/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6890", "sqKey": "S6890", "scope": "All", diff --git a/rules/S6894/python/metadata.json b/rules/S6894/python/metadata.json index 42d835c9d30..5b20eda63c5 100644 --- a/rules/S6894/python/metadata.json +++ b/rules/S6894/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6894", "sqKey": "S6894", "scope": "All", diff --git a/rules/S6899/python/metadata.json b/rules/S6899/python/metadata.json index ed4a09d60f1..fcedc0852a5 100644 --- a/rules/S6899/python/metadata.json 
+++ b/rules/S6899/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6899", "sqKey": "S6899", "scope": "All", diff --git a/rules/S6900/python/metadata.json b/rules/S6900/python/metadata.json index 4acff9ac1c7..5dd48cc4649 100644 --- a/rules/S6900/python/metadata.json +++ b/rules/S6900/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6900", "sqKey": "S6900", "scope": "All", diff --git a/rules/S6903/python/metadata.json b/rules/S6903/python/metadata.json index 1c2a3aa650c..22d80c51348 100644 --- a/rules/S6903/python/metadata.json +++ b/rules/S6903/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6903", "sqKey": "S6903", "scope": "All", diff --git a/rules/S6908/python/metadata.json b/rules/S6908/python/metadata.json index 9da3903f0dc..c7235c2a5dd 100644 --- a/rules/S6908/python/metadata.json +++ b/rules/S6908/python/metadata.json @@ -16,7 +16,7 @@ "quickfix": "unknown", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "MEDIUM" }, "attribute": "CONVENTIONAL" } diff --git a/rules/S6911/python/metadata.json b/rules/S6911/python/metadata.json index b485daa91d4..13ae91cd387 100644 --- a/rules/S6911/python/metadata.json +++ b/rules/S6911/python/metadata.json @@ -16,7 +16,7 @@ "quickfix": "unknown", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "MEDIUM" }, "attribute": "CONVENTIONAL" } diff --git a/rules/S6918/python/metadata.json b/rules/S6918/python/metadata.json index e4abbd15786..e5cf74f7ad4 100644 --- a/rules/S6918/python/metadata.json +++ b/rules/S6918/python/metadata.json @@ -16,7 +16,7 @@ "quickfix": "unknown", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "MEDIUM" }, "attribute": "CONVENTIONAL" } 
diff --git a/rules/S6919/python/metadata.json b/rules/S6919/python/metadata.json index 66721e0bb72..e400f580653 100644 --- a/rules/S6919/python/metadata.json +++ b/rules/S6919/python/metadata.json @@ -16,7 +16,7 @@ "quickfix": "unknown", "code": { "impacts": { - "MAINTAINABILITY": "HIGH", + "MAINTAINABILITY": "MEDIUM", "RELIABILITY": "MEDIUM" }, "attribute": "CONVENTIONAL" diff --git a/rules/S6925/python/metadata.json b/rules/S6925/python/metadata.json index bbf5114a556..880e1eea853 100644 --- a/rules/S6925/python/metadata.json +++ b/rules/S6925/python/metadata.json @@ -16,7 +16,7 @@ "quickfix": "unknown", "code": { "impacts": { - "MAINTAINABILITY": "HIGH", + "MAINTAINABILITY": "MEDIUM", "RELIABILITY": "MEDIUM" }, "attribute": "CONVENTIONAL" diff --git a/rules/S6928/python/metadata.json b/rules/S6928/python/metadata.json index 6d5d300d70e..a6263134981 100644 --- a/rules/S6928/python/metadata.json +++ b/rules/S6928/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6928", "sqKey": "S6928", "scope": "All", diff --git a/rules/S6929/python/metadata.json b/rules/S6929/python/metadata.json index 6f7af7eb52c..db054b4916f 100644 --- a/rules/S6929/python/metadata.json +++ b/rules/S6929/python/metadata.json @@ -21,7 +21,7 @@ "code": { "impacts": { "MAINTAINABILITY": "MEDIUM", - "RELIABILITY": "HIGH" + "RELIABILITY": "MEDIUM" }, "attribute": "CLEAR" } diff --git a/rules/S6969/python/metadata.json b/rules/S6969/python/metadata.json index c91913ce32c..400d08f4d7a 100644 --- a/rules/S6969/python/metadata.json +++ b/rules/S6969/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Minor", "ruleSpecification": "RSPEC-6969", "sqKey": "S6969", "scope": "All", diff --git a/rules/S6971/python/metadata.json b/rules/S6971/python/metadata.json index 9229df77824..87577771b6c 100644 --- a/rules/S6971/python/metadata.json 
+++ b/rules/S6971/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6971", "sqKey": "S6971", "scope": "All", diff --git a/rules/S6972/python/metadata.json b/rules/S6972/python/metadata.json index 35737770b95..13bbcd40880 100644 --- a/rules/S6972/python/metadata.json +++ b/rules/S6972/python/metadata.json @@ -16,7 +16,7 @@ "quickfix": "infeasible", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "MEDIUM" }, "attribute": "CONVENTIONAL" } diff --git a/rules/S6973/python/metadata.json b/rules/S6973/python/metadata.json index b7f9621a036..c9aeef668b2 100644 --- a/rules/S6973/python/metadata.json +++ b/rules/S6973/python/metadata.json @@ -16,7 +16,7 @@ "quickfix": "unknown", "code": { "impacts": { - "MAINTAINABILITY": "HIGH", + "MAINTAINABILITY": "MEDIUM", "RELIABILITY": "LOW" }, "attribute": "CONVENTIONAL" diff --git a/rules/S6974/python/metadata.json b/rules/S6974/python/metadata.json index eab4ce84308..21259fe2732 100644 --- a/rules/S6974/python/metadata.json +++ b/rules/S6974/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6974", "sqKey": "S6974", "scope": "All", diff --git a/rules/S6978/python/metadata.json b/rules/S6978/python/metadata.json index c00d1c92919..a56e0f40bf1 100644 --- a/rules/S6978/python/metadata.json +++ b/rules/S6978/python/metadata.json @@ -16,7 +16,7 @@ "quickfix": "targeted", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "MEDIUM" }, "attribute": "LOGICAL" } diff --git a/rules/S6984/python/metadata.json b/rules/S6984/python/metadata.json index 596349da4dc..bfcdbd48e19 100644 --- a/rules/S6984/python/metadata.json +++ b/rules/S6984/python/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6984", "sqKey": "S6984", "scope": "All", 
diff --git a/rules/S6985/python/metadata.json b/rules/S6985/python/metadata.json index 85a9d41f6a1..7bfc183d260 100644 --- a/rules/S6985/python/metadata.json +++ b/rules/S6985/python/metadata.json @@ -10,7 +10,7 @@ "pytorch", "machine-learning" ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6985", "sqKey": "S6985", "scope": "All", From 0c1d492146b3c0baae2bd1e170114fb1903fd7a2 Mon Sep 17 00:00:00 2001 From: GabinL21 <67428953+GabinL21@users.noreply.github.com> Date: Tue, 22 Oct 2024 17:10:47 +0200 Subject: [PATCH 10/61] Modify rule S6473: Fix Kubernetes service code example (#4429) --- rules/S6473/kubernetes/rule.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/S6473/kubernetes/rule.adoc b/rules/S6473/kubernetes/rule.adoc index 6880ebc43ab..b18e462a282 100644 --- a/rules/S6473/kubernetes/rule.adoc +++ b/rules/S6473/kubernetes/rule.adoc @@ -34,7 +34,7 @@ spec: - name: applications image: my_image_with_ssh ports: - - containerPort: 22 # NonCompliant: Merely informative, removing this property does not + - containerPort: 22 # Noncompliant: Merely informative, removing this property does not # close port 22. ---- @@ -48,7 +48,7 @@ spec: type: LoadBalancer ports: - port: 8022 - targetPort: 22 # Compliant + targetPort: 22 # Noncompliant selector: app: example_app ---- From 0c4856149558661fdfd2855b06b1aea715c0d1e7 Mon Sep 17 00:00:00 2001 From: SonarTech Date: Wed, 23 Oct 2024 02:43:25 +0000 Subject: [PATCH 11/61] update coverage information --- frontend/public/covered_rules.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 1ac24d379a9..ab0c459f942 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json 
@@ -107,7 +107,8 @@ "S5332": "sonar-iac-enterprise master", "S5849": "sonar-iac-enterprise master", "S6321": "sonar-iac-enterprise master", - "S6428": "sonar-iac-enterprise master" + "S6428": "sonar-iac-enterprise master", + "S6437": "sonar-iac-enterprise master" }, "APEX": { "S100": "sonar-apex 1.17.0.87", From f4c4dd5a27601abeae4093d1fec1fc66de6d2500 Mon Sep 17 00:00:00 2001 From: Martin Strecker <103252490+martin-strecker-sonarsource@users.noreply.github.com> Date: Wed, 23 Oct 2024 11:27:29 +0200 Subject: [PATCH 12/61] Modify rule S3878: Add collection expression and collection params to the description (#4430) --- rules/S3878/csharp/rule.adoc | 48 +++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/rules/S3878/csharp/rule.adoc b/rules/S3878/csharp/rule.adoc index 1cd2ab963fb..054979fb7c4 100644 --- a/rules/S3878/csharp/rule.adoc +++ b/rules/S3878/csharp/rule.adoc 
@@ -1,37 +1,61 @@ == Why is this an issue? -There's no point in creating an array solely for the purpose of passing it to a `params` parameter. Simply pass the elements directly. They will be consolidated into an array automatically. +Creating an array or using a collection expression solely for the purpose of passing it to a `params` parameter is unnecessary. Simply pass the elements directly, and they will be automatically consolidated into the appropriate collection type. -=== Noncompliant code example +== How to fix it -[source,csharp] +=== Code examples + +==== Noncompliant code example + +[source,csharp,diff-id=1,diff-type=noncompliant] ---- public void Base() { - Method(new string[] { "s1", "s2" }); // Noncompliant: unnecessary - Method(new string[] { }); // Noncompliant - Method(new string[12]); // Compliant + Method(new string[] { "s1", "s2" }); // Noncompliant: resolves to string[] overload + Method(new string[] { }); // Noncompliant: resolves to string[] overload + Method(["s3", "s4"]); // Noncompliant: resolves to ReadOnlySpan overload + Method(new string[12]); // Compliant: resolves to string[] overload } public void Method(params string[] args) { // ... } + +public void Method(params ReadOnlySpan args) // C# 13 params collections +{ + // C# 13 params collection +} ---- -=== Compliant solution +==== Compliant solution -[source,csharp] +[source,csharp,diff-id=1,diff-type=compliant] ---- public void Base() { - Method("s1", "s2"); - Method(); - Method(new string[12]); + Method("s1", "s2"); // resolves to ReadOnlySpan overload + Method(); // resolves to ReadOnlySpan overload + Method("s3", "s4"); // resolves to ReadOnlySpan overload + Method(new string[12]); // resolves to string[] overload } public void Method(params string[] args) { - // ... + // .. +} + +public void Method(params ReadOnlySpan args) // C# 13 params collections +{ + // .. 
} ---- + +== Resources + +=== Documentation + +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/method-parameters#params-modifier[`params` modifier] +* Microsoft Learn - C# 13 https://learn.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-13#params-collections[`params` collections] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/collection-expressions[Collection expressions] From fa06fa27c0fec666cdbc387796dff363cf8a4276 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 14:46:20 +0200 Subject: [PATCH 13/61] Modify rule S1541: Add Dart language (#4423) Co-authored-by: antonioaversa --- rules/S1541/dart/metadata.json | 2 ++ rules/S1541/dart/rule.adoc | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 rules/S1541/dart/metadata.json create mode 100644 rules/S1541/dart/rule.adoc diff --git a/rules/S1541/dart/metadata.json b/rules/S1541/dart/metadata.json new file mode 100644 index 00000000000..7a73a41bfdf --- /dev/null +++ b/rules/S1541/dart/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S1541/dart/rule.adoc b/rules/S1541/dart/rule.adoc new file mode 100644 index 00000000000..c05dfab70df --- /dev/null +++ b/rules/S1541/dart/rule.adoc @@ -0,0 +1,30 @@ +include::../rule.adoc[] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::../message.adoc[] + +=== Parameters + +.threshold +**** + +---- +15 +---- + +The maximum authorized complexity. +**** + + +''' +== Comments And Links +(visible only on this page) + +include::../comments-and-links.adoc[] + +endif::env-github,rspecator-view[] From 3759f659cac4be52d3ae9cc00cee383b9ee42ce8 Mon Sep 17 00:00:00 2001 
From: "Loris S." <91723853+loris-s-sonarsource@users.noreply.github.com> Date: Wed, 23 Oct 2024 15:34:00 +0200 Subject: [PATCH 14/61] Modified S5144(C#): Use HttpClient instead of old WebRequest (#4431) --- rules/S5144/csharp/how-to-fix-it/dotnet.adoc | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/rules/S5144/csharp/how-to-fix-it/dotnet.adoc b/rules/S5144/csharp/how-to-fix-it/dotnet.adoc index 64086c821f1..df0b495826e 100644 --- a/rules/S5144/csharp/how-to-fix-it/dotnet.adoc +++ b/rules/S5144/csharp/how-to-fix-it/dotnet.adoc @@ -14,11 +14,14 @@ using System.Web.Mvc; public class ExampleController: Controller { [HttpGet] - public IActionResult ImageFetch(string location) + public async Task ImageFetch(string location) { - HttpWebRequest request = (HttpWebRequest)WebRequest.Create(location); + await using Stream stream = + await client.GetStreamAsync(location); // Noncompliant + var exampleImage = + await JsonSerializer.DeserializeAsync(stream); - return Ok(); + return Ok(example ?? new()); } } ---- @@ -36,7 +39,7 @@ public class ExampleController: Controller private readonly string[] allowedDomains = { "trusted1.example.com", "trusted2.example.com" }; [HttpGet] - public IActionResult ImageFetch(string location) + public async Task ImageFetch(string location) { Uri uri = new Uri(location); @@ -45,9 +48,12 @@ public class ExampleController: Controller return BadRequest(); } - HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri); + await using Stream stream = + await client.GetStreamAsync(location); + var exampleImage = + await JsonSerializer.DeserializeAsync(stream); - return Ok(); + return Ok(example ?? new()); } } ---- From d1b2fe3283255ca62a59832c862d493ab2e14421 Mon Sep 17 00:00:00 2001 From: SonarTech Date: Thu, 24 Oct 2024 02:43:22 +0000 Subject: [PATCH 15/61] update coverage information --- frontend/public/covered_rules.json | 1 + 1 file changed, 1 insertion(+) 
diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index ab0c459f942..06deafdbaaf 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -108,6 +108,7 @@ "S5849": "sonar-iac-enterprise master", "S6321": "sonar-iac-enterprise master", "S6428": "sonar-iac-enterprise master", + "S6430": "sonar-iac-enterprise master", "S6437": "sonar-iac-enterprise master" }, "APEX": { From 8f70320640a969f48f93ead50412c42aa361e629 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 24 Oct 2024 11:36:10 +0200 Subject: [PATCH 16/61] Create rule S6418 Split S2068 into password and secrets (new rule S6418) CPP-5813 --- rules/S2068/cfamily/metadata.json | 4 +++- rules/S2068/cfamily/rule.adoc | 7 +++---- rules/S6418/cfamily/metadata.json | 32 +++++++++++++++++++++++++++++++ rules/S6418/cfamily/rule.adoc | 31 ++++++++++++++++++++++++++++++ 4 files changed, 69 insertions(+), 5 deletions(-) create mode 100644 rules/S6418/cfamily/metadata.json create mode 100644 rules/S6418/cfamily/rule.adoc diff --git a/rules/S2068/cfamily/metadata.json b/rules/S2068/cfamily/metadata.json index 8b15ed00372..2b1f224f4c5 100644 --- a/rules/S2068/cfamily/metadata.json +++ b/rules/S2068/cfamily/metadata.json @@ -1,4 +1,5 @@ { + "title": "Hard-coded passwords are security-sensitive", "tags": [ "cwe", "cert" @@ -28,5 +29,6 @@ "3.5.2", "6.4.1" ] - } + }, + "quickfix": "infeasible" } diff --git a/rules/S2068/cfamily/rule.adoc b/rules/S2068/cfamily/rule.adoc index c612a90c282..bf4ae013e8f 100644 --- a/rules/S2068/cfamily/rule.adoc +++ b/rules/S2068/cfamily/rule.adoc 
@@ -1,4 +1,4 @@ -Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source. +Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source. In the past, it has led to the following vulnerabilities: @@ -6,10 +6,10 @@ In the past, it has led to the following vulnerabilities: * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466] * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389] -Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets. +Passwords should be stored outside of the code in a configuration file, a database, or a management service for secrets. -This rule looks for hard-coded credentials in variable names that match any of the patterns from the provided list. +This rule looks for hard-coded passwords in variable names that match any of the patterns from the provided list. include::../ask-yourself.adoc[] @@ -36,7 +36,6 @@ dbi_conn_set_option(conn, "password", password.c_str()); // Compliant * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures] * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication] -* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials] * CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password] * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password] 
diff --git a/rules/S6418/cfamily/metadata.json b/rules/S6418/cfamily/metadata.json new file mode 100644 index 00000000000..1ca501ab27b --- /dev/null +++ b/rules/S6418/cfamily/metadata.json @@ -0,0 +1,32 @@ +{ + "tags": [ + "cwe", + "cert" + ], + "securityStandards": { + "CERT": [ + "MSC03-J." + ], + "CWE": [ + 798 + ], + "OWASP": [ + "A2" + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ] + }, + "quickfix": "infeasible" +} diff --git a/rules/S6418/cfamily/rule.adoc b/rules/S6418/cfamily/rule.adoc new file mode 100644 index 00000000000..772ce44b9f8 --- /dev/null +++ b/rules/S6418/cfamily/rule.adoc @@ -0,0 +1,31 @@ +include::../description.adoc[] + +include::../ask-yourself.adoc[] + +include::../recommended.adoc[] + +== Sensitive Code Example + +[source,cpp] +---- +char const *mySecret = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37"; +---- + + + +include::../see.adoc[] + +* MSC - https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[MSC03-J - Never hard code sensitive information] + + +ifdef::env-github,rspecator-view[] +''' +== Implementation Specification +(visible only on this page) + +include::../message.adoc[] + +include::../parameters.adoc[] + +''' +endif::env-github,rspecator-view[] From 2a643a107e90c6c88f44250198b38ad2a2e52738 Mon Sep 17 00:00:00 2001 From: SonarTech Date: Fri, 25 Oct 2024 02:43:54 +0000 Subject: [PATCH 17/61] update coverage information --- frontend/public/covered_rules.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 06deafdbaaf..0a70ff6d5e3 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json 
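Review bot: The new rule.adoc for S6418 gives only a Sensitive Code Example and no Compliant Solution, while the sibling S2068 cfamily page shows the remediated form (`dbi_conn_set_option(conn, "password", password.c_str()); // Compliant`); a matching block that reads the value from the environment or a secrets store, e.g. `char const *mySecret = getenv("MY_SECRET");`, would show readers what the fix looks like. The `See` list and metadata.json cite `MSC03-J`, which is the SEI CERT Java rule, for a C/C++ rule; this is copied from S2068 cfamily, but the CERT C standard has a rule of the same name that would be the more accurate reference, so verify before changing. The three blank lines left between the example and `include::../see.adoc[]` are a style nit.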
@@ -109,7 +109,8 @@ "S6321": "sonar-iac-enterprise master", "S6428": "sonar-iac-enterprise master", "S6430": "sonar-iac-enterprise master", - "S6437": "sonar-iac-enterprise master" + "S6437": "sonar-iac-enterprise master", + "S6473": "sonar-iac-enterprise master" }, "APEX": { "S100": "sonar-apex 1.17.0.87", @@ -2055,6 +2056,7 @@ "S1206": "sonar-dart 0.1.0.1359", "S121": "sonar-dart 0.1.0.1359", "S1481": "sonar-dart 0.1.0.1359", + "S1541": "sonar-dart master", "S1578": "sonar-dart 0.1.0.1359", "S1679": "sonar-dart 0.1.0.1359", "S1854": "sonar-dart 0.1.0.1359", From 40d0b7b27102131397bf2b97773729dd22fc7f1d Mon Sep 17 00:00:00 2001 From: GabinL21 <67428953+GabinL21@users.noreply.github.com> Date: Fri, 25 Oct 2024 09:02:44 +0200 Subject: [PATCH 18/61] Modify rule S6473: Add parameter (#4434) --- rules/S6473/ansible/rule.adoc | 12 ++++++++++++ rules/S6473/docker/rule.adoc | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/rules/S6473/ansible/rule.adoc b/rules/S6473/ansible/rule.adoc index cc8406d72bf..10af75ae8c8 100644 --- a/rules/S6473/ansible/rule.adoc +++ b/rules/S6473/ansible/rule.adoc @@ -49,6 +49,18 @@ include::../message.adoc[] include::../highlighting.adoc[] +=== Parameters + +.ports +**** + +---- +22, 23, 3389, 5800, 5900 +---- + +Comma separated list of sensitive ports that expose administration services. +**** + ''' endif::env-github,rspecator-view[] diff --git a/rules/S6473/docker/rule.adoc b/rules/S6473/docker/rule.adoc index d07755d94f0..4c80198acef 100644 --- a/rules/S6473/docker/rule.adoc +++ b/rules/S6473/docker/rule.adoc @@ -56,6 +56,18 @@ include::../message.adoc[] include::../highlighting.adoc[] +=== Parameters + +.ports +**** + +---- +22, 23, 3389, 5800, 5900 +---- + +Comma separated list of sensitive ports that expose administration services. +**** + ''' endif::env-github,rspecator-view[] From 0da64f59616a213aae8c565c1536f04f31ef9ce8 Mon Sep 17 00:00:00 2001 
From: Antonio Aversa Date: Fri, 25 Oct 2024 10:50:13 +0200 Subject: [PATCH 19/61] Modify rule S2260: Improve title and description (#4440) --- rules/S2260/dart/metadata.json | 2 +- rules/S2260/dart/rule.adoc | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/S2260/dart/metadata.json b/rules/S2260/dart/metadata.json index 482b64883ff..ba8f1ca6d0a 100644 --- a/rules/S2260/dart/metadata.json +++ b/rules/S2260/dart/metadata.json @@ -1,5 +1,5 @@ { - "title": "Dart analyzer failure", + "title": "Dart build, compiler, or analyzer configuration errors", "remediation": { "func": "Constant\/Issue", "constantCost": "0min" diff --git a/rules/S2260/dart/rule.adoc b/rules/S2260/dart/rule.adoc index 678994837aa..0d3d6c60ad5 100644 --- a/rules/S2260/dart/rule.adoc +++ b/rules/S2260/dart/rule.adoc @@ -5,15 +5,16 @@ When the analysis succeeds, it doesn't mean that the analyzer was able to unders There are many reasons why analysis failures can happen, here are the common ones: * The code contains compile-time error(s). +* `flutter pub get`, `dart pub get`, or similar commands were not executed. * The types weren't resolved correctly (some dependencies are missing or files weren't generated). * Use of new language features that are not yet supported by our analyzer. -* Limitation in our analyzer. We are always working on improving this. How do they impact analysis? We cannot judge without looking at specific examples, as they contain a broad range of types of errors. There are three recommended ways to deal with analysis failures: * Fix compiler errors. +* Make sure you got all project dependencies, via `flutter pub get`, `dart pub get`, ... * Make sure all referenced generated files were generated before the analysis. * If you cannot fix them, let us know through the https://community.sonarsource.com/[Sonar Community forum]. From 77701ebe4c1157eb4d3d166236f18f59d631c718 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 11:34:51 +0200 Subject: [PATCH 20/61] Create rule S6868: Add Ansible (#4435) --- rules/S6868/ansible/metadata.json | 2 + rules/S6868/ansible/rule.adoc | 71 ++++++++++++++++++++++++ rules/S6868/kubernetes/description.adoc | 19 +++++++ rules/S6868/kubernetes/highlighting.adoc | 3 + rules/S6868/kubernetes/message.adoc | 3 + rules/S6868/kubernetes/metadata.json | 27 --------- rules/S6868/kubernetes/resources.adoc | 12 ++++ rules/S6868/kubernetes/rule.adoc | 41 ++------------ rules/S6868/metadata.json | 27 +++++++++ 9 files changed, 141 insertions(+), 64 deletions(-) create mode 100644 rules/S6868/ansible/metadata.json create mode 100644 rules/S6868/ansible/rule.adoc create mode 100644 rules/S6868/kubernetes/description.adoc create mode 100644 rules/S6868/kubernetes/highlighting.adoc create mode 100644 rules/S6868/kubernetes/message.adoc create mode 100644 rules/S6868/kubernetes/resources.adoc diff --git a/rules/S6868/ansible/metadata.json b/rules/S6868/ansible/metadata.json new file mode 100644 index 00000000000..7a73a41bfdf --- /dev/null +++ b/rules/S6868/ansible/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S6868/ansible/rule.adoc b/rules/S6868/ansible/rule.adoc new file mode 100644 index 00000000000..ca9f155a855 --- /dev/null +++ b/rules/S6868/ansible/rule.adoc 
@@ -0,0 +1,71 @@ +include::../kubernetes/description.adoc[] + +== How to fix it + +=== Code examples + +==== Noncompliant code example + +[source,yaml,diff-id=1,diff-type=noncompliant] +---- +- name: Noncompliant example task + kubernetes.core.k8s: + state: present + definition: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + namespace: default + name: example-role + rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: [""] + resources: ["pods/exec"] # Noncompliant + verbs: ["create"] +---- + +==== Compliant solution + +[source,yaml,diff-id=1,diff-type=compliant] +---- +- name: Compliant example task + kubernetes.core.k8s: + state: present + definition: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + namespace: default + name: example-role + rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] +---- + +=== How does this work? + +The `exec` permissions are set by allowing the `create` verb for the `pods/exec` resource. Removing this permission will prevent users and services from executing arbitrary commands within containers. + +//=== Pitfalls + +//=== Going the extra mile + + +include::../kubernetes/resources.adoc[] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::../kubernetes/message.adoc[] + + +include::../kubernetes/highlighting.adoc[] + + +endif::env-github,rspecator-view[] diff --git a/rules/S6868/kubernetes/description.adoc b/rules/S6868/kubernetes/description.adoc new file mode 100644 index 00000000000..12c1691bf0c --- /dev/null +++ b/rules/S6868/kubernetes/description.adoc 
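Review bot: The "How does this work?" paragraph says removing `create` on `pods/exec` prevents command execution, but a role reaches the same capability through `verbs: ["*"]` on that resource, through `resources: ["*"]` or `["pods/*"]`, and through the sibling subresources `pods/attach` (interactive access to a running process) and `pods/ephemeralcontainers` (debug containers); a reader who only deletes the literal `pods/exec` entry keeps the exposure. Suggest filling the commented-out `=== Pitfalls` with a sentence to that effect and confirming whether the analyzer's `resources` matching covers the wildcard and subresource forms. Whether the implementation already handles these is not visible from the rule spec.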
@@ -0,0 +1,19 @@ +== Why is this an issue? + +Allowing command execution (exec) for roles in a Kubernetes cluster can pose a significant security risk. This is because it provides the user with the ability to execute arbitrary commands within a container, potentially leading to unauthorized access or data breaches. + +In a production Kubernetes cluster, exec permissions are typically unnecessary due to the principle of least privilege, which suggests that a user or process should only have the minimum permissions necessary to perform its function. Additionally, containers in production are often treated as immutable infrastructure, meaning they should not be changed once deployed. Any changes should be made to the container image, which is then used to deploy a new container. + +=== What is the potential impact? + +==== Exploiting Vulnerabilities Within the Container + +If a user or service has the ability to execute commands within a container, they could potentially identify and exploit vulnerabilities within the container's software. This could include exploiting known vulnerabilities in outdated software versions, or finding and exploiting new vulnerabilities. This could lead to unauthorized access to the container, allowing the attacker to manipulate its operations or access its data. + +==== Installing Malicious Software + +Command execution permissions could also be used to install malicious software within a container. This could include malware, spyware, ransomware, or other types of harmful software. Once installed, this software could cause a wide range of issues, from data corruption or loss, to providing a backdoor for further attacks. It could also be used to create a botnet, using the compromised container to launch attacks on other systems. + +==== Extracting Sensitive Data + +If an attacker has the ability to execute commands within a container, they could potentially access and extract sensitive data. 
This could include user data, confidential business information, or other types of sensitive data. The extracted data could then be used for a wide range of malicious purposes, from identity theft to corporate espionage. This could lead to significant financial loss, damage to reputation, and potential legal consequences. diff --git a/rules/S6868/kubernetes/highlighting.adoc b/rules/S6868/kubernetes/highlighting.adoc new file mode 100644 index 00000000000..2c1365dea69 --- /dev/null +++ b/rules/S6868/kubernetes/highlighting.adoc @@ -0,0 +1,3 @@ +=== Highlighting + +* Highlight the `resources` property. diff --git a/rules/S6868/kubernetes/message.adoc b/rules/S6868/kubernetes/message.adoc new file mode 100644 index 00000000000..82999ea9330 --- /dev/null +++ b/rules/S6868/kubernetes/message.adoc @@ -0,0 +1,3 @@ +=== Message + +Remove the command execution permission for this role. diff --git a/rules/S6868/kubernetes/metadata.json b/rules/S6868/kubernetes/metadata.json index 2d7baf87744..2c63c085104 100644 --- a/rules/S6868/kubernetes/metadata.json +++ b/rules/S6868/kubernetes/metadata.json @@ -1,29 +1,2 @@ { - "title": "Allowing command execution is security sensitive", - "type": "VULNERABILITY", - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "5min" - }, - "tags": [ - ], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-6868", - "sqKey": "S6868", - "scope": "All", - "securityStandards": { - "CWE": [ - 284 - ] - }, - "defaultQualityProfiles": ["Sonar way"], - "quickfix": "unknown", - "code": { - "impacts": { - "MAINTAINABILITY": "LOW", - "SECURITY": "LOW" - }, - "attribute": "COMPLETE" - } } diff --git a/rules/S6868/kubernetes/resources.adoc b/rules/S6868/kubernetes/resources.adoc new file mode 100644 index 00000000000..8bec4b85c2c --- /dev/null +++ b/rules/S6868/kubernetes/resources.adoc 
@@ -0,0 +1,12 @@ +== Resources +=== Documentation + +* Kubernetes Documentation - https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/[Get a Shell to a Running Container] + +//=== Articles & blog posts +//=== Conference presentations +=== Standards +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] + +//=== External coding guidelines +//=== Benchmarks diff --git a/rules/S6868/kubernetes/rule.adoc b/rules/S6868/kubernetes/rule.adoc index 510a4ebf5b6..6d8d3abbea3 100644 --- a/rules/S6868/kubernetes/rule.adoc +++ b/rules/S6868/kubernetes/rule.adoc 
@@ -1,22 +1,4 @@ -== Why is this an issue? - -Allowing command execution (exec) for roles in a Kubernetes cluster can pose a significant security risk. This is because it provides the user with the ability to execute arbitrary commands within a container, potentially leading to unauthorized access or data breaches. - -In a production Kubernetes cluster, exec permissions are typically unnecessary due to the principle of least privilege, which suggests that a user or process should only have the minimum permissions necessary to perform its function. Additionally, containers in production are often treated as immutable infrastructure, meaning they should not be changed once deployed. Any changes should be made to the container image, which is then used to deploy a new container. - -=== What is the potential impact? - -==== Exploiting Vulnerabilities Within the Container - -If a user or service has the ability to execute commands within a container, they could potentially identify and exploit vulnerabilities within the container's software. This could include exploiting known vulnerabilities in outdated software versions, or finding and exploiting new vulnerabilities. This could lead to unauthorized access to the container, allowing the attacker to manipulate its operations or access its data. - -==== Installing Malicious Software - -Command execution permissions could also be used to install malicious software within a container. This could include malware, spyware, ransomware, or other types of harmful software. Once installed, this software could cause a wide range of issues, from data corruption or loss, to providing a backdoor for further attacks. It could also be used to create a botnet, using the compromised container to launch attacks on other systems. - -==== Extracting Sensitive Data - -If an attacker has the ability to execute commands within a container, they could potentially access and extract sensitive data. 
This could include user data, confidential business information, or other types of sensitive data. The extracted data could then be used for a wide range of malicious purposes, from identity theft to corporate espionage. This could lead to significant financial loss, damage to reputation, and potential legal consequences. +include::description.adoc[] == How to fix it @@ -64,18 +46,7 @@ The `exec` permissions are set by allowing the `create` verb for the `pods/exec` //=== Going the extra mile -== Resources -=== Documentation - -* Kubernetes Documentation - https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/[Get a Shell to a Running Container] - -//=== Articles & blog posts -//=== Conference presentations -=== Standards -* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] - -//=== External coding guidelines -//=== Benchmarks +include::resources.adoc[] ifdef::env-github,rspecator-view[] @@ -83,14 +54,10 @@ ifdef::env-github,rspecator-view[] == Implementation Specification (visible only on this page) -=== Message - -Remove the command execution permission for this role. - +include::message.adoc[] -=== Highlighting -* Highlight the `resources` property. +include::highlighting.adoc[] endif::env-github,rspecator-view[] diff --git a/rules/S6868/metadata.json b/rules/S6868/metadata.json index 2c63c085104..2d7baf87744 100644 --- a/rules/S6868/metadata.json +++ b/rules/S6868/metadata.json 
@@ -1,2 +1,29 @@ { + "title": "Allowing command execution is security sensitive", + "type": "VULNERABILITY", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-6868", + "sqKey": "S6868", + "scope": "All", + "securityStandards": { + "CWE": [ + 284 + ] + }, + "defaultQualityProfiles": ["Sonar way"], + "quickfix": "unknown", + "code": { + "impacts": { + "MAINTAINABILITY": "LOW", + "SECURITY": "LOW" + }, + "attribute": "COMPLETE" + } } From 5cd49b86a1825f7c3636bcef78ba0dc3d4d0d3a3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 14:25:52 +0200 Subject: [PATCH 21/61] Create rule S6429: Add Ansible (#4436) Create rule S6429: Add Ansible --- rules/S6429/ansible/metadata.json | 2 + rules/S6429/ansible/rule.adoc | 56 ++++++++++++++++++++ rules/S6429/common/message-highlighting.adoc | 8 +++ rules/S6429/common/see.adoc | 5 ++ rules/S6429/common/summary.adoc | 16 ++++++ rules/S6429/kubernetes/rule.adoc | 33 ++---------- 6 files changed, 90 insertions(+), 30 deletions(-) create mode 100644 rules/S6429/ansible/metadata.json create mode 100644 rules/S6429/ansible/rule.adoc create mode 100644 rules/S6429/common/message-highlighting.adoc create mode 100644 rules/S6429/common/see.adoc create mode 100644 rules/S6429/common/summary.adoc diff --git a/rules/S6429/ansible/metadata.json b/rules/S6429/ansible/metadata.json new file mode 100644 index 00000000000..7a73a41bfdf --- /dev/null +++ b/rules/S6429/ansible/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S6429/ansible/rule.adoc b/rules/S6429/ansible/rule.adoc new file mode 100644 index 00000000000..d7dd1f7525d --- /dev/null +++ b/rules/S6429/ansible/rule.adoc 
@@ -0,0 +1,56 @@ +include::../common/summary.adoc[] + + +== Sensitive Code Example +[source,yaml] +---- +- name: Create Pod + kubernetes.core.k8s: + definition: + apiVersion: v1 + kind: Pod + metadata: + name: test + spec: + containers: + - image: k8s.gcr.io/test-webserver + name: test-container + volumeMounts: + - mountPath: /var/run/docker.sock + name: test-volume + volumes: + - name: test-volume + hostPath: + path: /var/run/docker.sock # Sensitive + type: Socket +---- + +== Compliant Solution +[source,yaml] +---- +- name: Create Pod + kubernetes.core.k8s: + definition: + apiVersion: v1 + kind: Pod + metadata: + name: test + spec: + containers: + - image: k8s.gcr.io/test-webserver + name: test-container +---- + +include::../common/see.adoc[] + + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::../common/message-highlighting.adoc[] + + +endif::env-github,rspecator-view[] diff --git a/rules/S6429/common/message-highlighting.adoc b/rules/S6429/common/message-highlighting.adoc new file mode 100644 index 00000000000..8790c8b6f65 --- /dev/null +++ b/rules/S6429/common/message-highlighting.adoc @@ -0,0 +1,8 @@ +=== Message + +Make sure exposing the Docker socket is safe here. + + +=== Highlighting + +* Highlight the whole path if not empty. diff --git a/rules/S6429/common/see.adoc b/rules/S6429/common/see.adoc new file mode 100644 index 00000000000..7a9442d9b5f --- /dev/null +++ b/rules/S6429/common/see.adoc @@ -0,0 +1,5 @@ +== See + +* https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes +* https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option[Docker Documention] - Daemon socket option +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] diff --git a/rules/S6429/common/summary.adoc b/rules/S6429/common/summary.adoc new file mode 100644 index 00000000000..800f372612a --- /dev/null 
+++ b/rules/S6429/common/summary.adoc @@ -0,0 +1,16 @@ +Exposing Docker sockets can lead to compromise of the host systems. + +The Docker daemon provides an API to access its functionality, for example through a UNIX domain socket. +Mounting the Docker socket into a container allows the container to control the Docker daemon of the host system, resulting in full access over the whole system. +A compromised or rogue container with access to the Docker socket could endanger the integrity of the whole Kubernetes cluster. + +== Ask Yourself Whether + +* The Pod is untrusted or might contain vulnerabilities. + +There is a risk if you answered yes to this question. + + +== Recommended Secure Coding Practices + +It is recommended to never add a Docker socket as a volume to a Pod. diff --git a/rules/S6429/kubernetes/rule.adoc b/rules/S6429/kubernetes/rule.adoc index c3169c5e902..50acea82713 100644 --- a/rules/S6429/kubernetes/rule.adoc +++ b/rules/S6429/kubernetes/rule.adoc @@ -1,20 +1,4 @@ -Exposing Docker sockets can lead to compromise of the host systems. - -The Docker daemon provides an API to access its functionality, for example through a UNIX domain socket. -Mounting the Docker socket into a container allows the container to control the Docker daemon of the host system, resulting in full access over the whole system. -A compromised or rogue container with access to the Docker socket could endanger the integrity of the whole Kubernetes cluster. - - -== Ask Yourself Whether - -* The Pod is untrusted or might contain vulnerabilities. - -There is a risk if you answered yes to any of those questions. - - -== Recommended Secure Coding Practices - -It is recommended to never add a Docker socket as a volume to a Pod. +include::../common/summary.adoc[] == Sensitive Code Example 
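Review bot: The shared summary frames the risk as the Docker socket at `/var/run/docker.sock` only, yet the same host takeover is available through the containerd socket (`/run/containerd/containerd.sock`) and other CRI sockets, and the Docker socket itself may live at `/run/docker.sock` or a rootless path; the Highlighting note "the whole path if not empty" suggests the check is path-based. Suggest adding one sentence to Recommended Secure Coding Practices, along the lines of `The same applies to any container-runtime socket (containerd, CRI-O) mounted from the host.`, and confirming which paths the analyzer matches. Whether the implementation already covers those paths is not visible from the spec.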
@@ -51,11 +35,7 @@ spec: name: test-container ---- -== See - -* https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes -* https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option[Docker Documention] - Daemon socket option -* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] +include::../common/see.adoc[] ifdef::env-github,rspecator-view[] @@ -64,14 +44,7 @@ ifdef::env-github,rspecator-view[] == Implementation Specification (visible only on this page) -=== Message - -Make sure exposing the Docker socket is safe here. - - -=== Highlighting - -* Highlight the whole path if not empty. +include::../common/message-highlighting.adoc[] endif::env-github,rspecator-view[] From 11089511c632399678ce8feeb96b70305b0ee2a7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:32:57 +0200 Subject: [PATCH 22/61] Create rule S6431: Add Ansible (#4437) --- rules/S6431/ansible/metadata.json | 2 + rules/S6431/ansible/rule.adoc | 65 ++++++++++++++++++++++++ rules/S6431/kubernetes/description.adoc | 31 +++++++++++ rules/S6431/kubernetes/highlighting.adoc | 3 ++ rules/S6431/kubernetes/message.adoc | 3 ++ rules/S6431/kubernetes/resources.adoc | 3 ++ rules/S6431/kubernetes/rule.adoc | 48 +++-------------- 7 files changed, 113 insertions(+), 42 deletions(-) create mode 100644 rules/S6431/ansible/metadata.json create mode 100644 rules/S6431/ansible/rule.adoc create mode 100644 rules/S6431/kubernetes/description.adoc create mode 100644 rules/S6431/kubernetes/highlighting.adoc create mode 100644 rules/S6431/kubernetes/message.adoc create mode 100644 rules/S6431/kubernetes/resources.adoc diff --git a/rules/S6431/ansible/metadata.json b/rules/S6431/ansible/metadata.json new file mode 100644 index 00000000000..7a73a41bfdf --- /dev/null +++ b/rules/S6431/ansible/metadata.json 
@@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S6431/ansible/rule.adoc b/rules/S6431/ansible/rule.adoc new file mode 100644 index 00000000000..d12dddf7dd1 --- /dev/null +++ b/rules/S6431/ansible/rule.adoc @@ -0,0 +1,65 @@ +include::../kubernetes/description.adoc[] + +== Sensitive Code Example + +[source,yaml,diff-id=1,diff-type=noncompliant] +---- +- name: Create a Pod + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Pod + metadata: + name: example + spec: + containers: + - name: web + image: nginx + ports: + - name: web + containerPort: 80 + protocol: TCP + hostPID: true # Sensitive + hostIPC: true # Sensitive + hostNetwork: true # Sensitive +---- + +== Compliant Solution + +[source,yaml,diff-id=1,diff-type=compliant] +---- +- name: Create a Pod + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Pod + metadata: + name: example + spec: + containers: + - name: web + image: nginx + ports: + - name: web + containerPort: 80 + protocol: TCP + hostPID: false + hostIPC: false + hostNetwork: false +---- + +include::../kubernetes/resources.adoc[] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::../kubernetes/message.adoc[] + +include::../kubernetes/highlighting.adoc[] + +endif::env-github,rspecator-view[] diff --git a/rules/S6431/kubernetes/description.adoc b/rules/S6431/kubernetes/description.adoc new file mode 100644 index 00000000000..77e7f9a62a8 --- /dev/null +++ b/rules/S6431/kubernetes/description.adoc 
@@ -0,0 +1,31 @@ +Using host operating system namespaces can lead to compromise of the host systems. + +These attacks would target: + +* host processes +* host inter-process communication (IPC) mechanisms +* network services of the local host system + +These three items likely include systems that support either the internal +operation of the Kubernetes cluster or the enterprise's internal +infrastructure. + +Opening these points to containers opens new attack surfaces for attackers who +have already successfully exploited services exposed by containers. Depending +on how resilient the cluster is, attackers can extend their attack to the +cluster by compromising the nodes from which the cluster started the process. + +Host network sharing could provide a significant performance advantage for +workloads that require critical network performance. However, the successful +exploitation of this attack vector could have a catastrophic impact on +confidentiality within the cluster. + +== Ask Yourself Whether + +* The services of this Pod are accessible to people who are not administrators of the Kubernetes cluster. +* The cluster's services performances do *not* rely on operating system namespaces. + +There is a risk if you answered yes to any of those questions. + +== Recommended Secure Coding Practices + +Do not use host operating system namespaces. diff --git a/rules/S6431/kubernetes/highlighting.adoc b/rules/S6431/kubernetes/highlighting.adoc new file mode 100644 index 00000000000..2e77809f7d0 --- /dev/null +++ b/rules/S6431/kubernetes/highlighting.adoc @@ -0,0 +1,3 @@ +=== Highlighting + +Highlight ``++host___: true++``. diff --git a/rules/S6431/kubernetes/message.adoc b/rules/S6431/kubernetes/message.adoc new file mode 100644 index 00000000000..41d5041f919 --- /dev/null +++ b/rules/S6431/kubernetes/message.adoc @@ -0,0 +1,3 @@ +=== Message + +Make sure it is safe to use host operating system namespaces here. \ No newline at end of file 
diff --git a/rules/S6431/kubernetes/resources.adoc b/rules/S6431/kubernetes/resources.adoc new file mode 100644 index 00000000000..ad2e6cc17f0 --- /dev/null +++ b/rules/S6431/kubernetes/resources.adoc @@ -0,0 +1,3 @@ +== See + +* CWE - https://cwe.mitre.org/data/definitions/653[CWE-653 - Improper Isolation or Compartmentalization] \ No newline at end of file diff --git a/rules/S6431/kubernetes/rule.adoc b/rules/S6431/kubernetes/rule.adoc index 685fe11d3bc..d9955a1d022 100644 --- a/rules/S6431/kubernetes/rule.adoc +++ b/rules/S6431/kubernetes/rule.adoc 
@@ -1,38 +1,8 @@ -Using host operating system namespaces can lead to compromise of the host systems. + -These attacks would target: - -* host processes -* host inter-process communication (IPC) mechanisms -* network services of the local host system - -These three items likely include systems that support either the internal -operation of the Kubernetes cluster or the enterprise's internal -infrastructure. - -Opening these points to containers opens new attack surfaces for attackers who -have already successfully exploited services exposed by containers. Depending -on how resilient the cluster is, attackers can extend their attack to the -cluster by compromising the nodes from which the cluster started the process. - -Host network sharing could provide a significant performance advantage for -workloads that require critical network performance. However, the successful -exploitation of this attack vector could have a catastrophic impact on -confidentiality within the cluster. - -== Ask Yourself Whether - -* The services of this Pod are accessible to people who are not administrators of the Kubernetes cluster. -* The cluster's services performances do *not* rely on operating system namespaces. - -There is a risk if you answered yes to any of those questions. - -== Recommended Secure Coding Practices - -Do not use host operating system namespaces. +include::description.adoc[] == Sensitive Code Example -[source,yaml] +[source,yaml,diff-id=1,diff-type=noncompliant] ---- apiVersion: v1 kind: Pod @@ -53,7 +23,7 @@ spec: == Compliant Solution -[source,yaml] +[source,yaml,diff-id=1,diff-type=compliant] ---- apiVersion: v1 kind: Pod @@ -72,9 +42,7 @@ spec: hostNetwork: false ---- -== See - -* CWE - https://cwe.mitre.org/data/definitions/653[CWE-653 - Improper Isolation or Compartmentalization] +include::resources.adoc[] ifdef::env-github,rspecator-view[] 
@@ -82,13 +50,9 @@ ifdef::env-github,rspecator-view[] == Implementation Specification (visible only on this page) -=== Message - -Make sure it is safe to use host operating system namespaces here. - -=== Highlighting +include::message.adoc[] -Highlight ``++host___: true++``. +include::highlighting.adoc[] endif::env-github,rspecator-view[] From 3d0af4f45c14074d0d0a4d4fa343d6d2191d4b90 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:06:43 +0200 Subject: [PATCH 23/61] Create rule S6867: Add Ansible (#4441) --- rules/S6867/ansible/metadata.json | 2 + rules/S6867/ansible/rule.adoc | 67 ++++++++++++++++++++++++ rules/S6867/kubernetes/description.adoc | 11 ++++ rules/S6867/kubernetes/highlighting.adoc | 3 ++ rules/S6867/kubernetes/message.adoc | 3 ++ rules/S6867/kubernetes/metadata.json | 27 ---------- rules/S6867/kubernetes/resources.adoc | 14 +++++ rules/S6867/kubernetes/rule.adoc | 36 ++----------- rules/S6867/metadata.json | 27 ++++++++++ 9 files changed, 132 insertions(+), 58 deletions(-) create mode 100644 rules/S6867/ansible/metadata.json create mode 100644 rules/S6867/ansible/rule.adoc create mode 100644 rules/S6867/kubernetes/description.adoc create mode 100644 rules/S6867/kubernetes/highlighting.adoc create mode 100644 rules/S6867/kubernetes/message.adoc create mode 100644 rules/S6867/kubernetes/resources.adoc diff --git a/rules/S6867/ansible/metadata.json b/rules/S6867/ansible/metadata.json new file mode 100644 index 00000000000..7a73a41bfdf --- /dev/null +++ b/rules/S6867/ansible/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S6867/ansible/rule.adoc b/rules/S6867/ansible/rule.adoc new file mode 100644 index 00000000000..7a4d8666257 --- /dev/null +++ b/rules/S6867/ansible/rule.adoc 
@@ -0,0 +1,67 @@ +include::../kubernetes/description.adoc[] + +== How to fix it + +=== Code examples + +==== Noncompliant code example + +[source,yaml,diff-id=1,diff-type=noncompliant] +---- +- name: Noncompliant example task + kubernetes.core.k8s: + state: present + definition: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + namespace: default + name: example-role + rules: + - apiGroups: [""] + resources: ["*"] # Noncompliant + verbs: ["get", "list"] +---- + +==== Compliant solution + +[source,yaml,diff-id=1,diff-type=compliant] +---- +- name: Compliant example task + kubernetes.core.k8s: + state: present + definition: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + namespace: default + name: example-role + rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] +---- + +=== How does this work? + +When defining RBAC permissions, it is important to follow the principle of least privilege. By explicitly specifying the verbs and resources a user should have access to instead of using wildcards, it can be ensured that users have only the permissions they need to perform their job function. + +//=== Pitfalls + +//=== Going the extra mile + + +include::../kubernetes/resources.adoc[] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::../kubernetes/message.adoc[] + + +include::../kubernetes/highlighting.adoc[] + +endif::env-github,rspecator-view[] diff --git a/rules/S6867/kubernetes/description.adoc b/rules/S6867/kubernetes/description.adoc new file mode 100644 index 00000000000..5feed349e8a --- /dev/null +++ b/rules/S6867/kubernetes/description.adoc 
@@ -0,0 +1,11 @@ +== Why is this an issue? + +Using wildcards when defining Role-Based Access Control (RBAC) permissions in Kubernetes can lead to significant security issues. This is because it grants overly broad permissions, potentially allowing access to sensitive resources. + + +RBAC is designed to limit the access rights of users within the system by assigning roles to them. These roles define what actions a user can perform and on which resources. When a wildcard is used, it means that the role has access to all resources/verbs, bypassing the principle of least privilege. This principle states that users should have only the minimal permissions they need to perform their job function. + + +=== What is the potential impact? + +If an attacker gains access to a role with wildcard permissions, they could potentially read, modify, or delete any resource in the Kubernetes cluster, leading to data breaches, service disruptions, or other malicious activities. diff --git a/rules/S6867/kubernetes/highlighting.adoc b/rules/S6867/kubernetes/highlighting.adoc new file mode 100644 index 00000000000..78fff622aa3 --- /dev/null +++ b/rules/S6867/kubernetes/highlighting.adoc @@ -0,0 +1,3 @@ +=== Highlighting + +* Highlight the property that was set using a wildcart. diff --git a/rules/S6867/kubernetes/message.adoc b/rules/S6867/kubernetes/message.adoc new file mode 100644 index 00000000000..76978a1ef18 --- /dev/null +++ b/rules/S6867/kubernetes/message.adoc @@ -0,0 +1,3 @@ +=== Message + +Replace this wildcard with a clear list of allowed resources. diff --git a/rules/S6867/kubernetes/metadata.json b/rules/S6867/kubernetes/metadata.json index 96725154d34..2c63c085104 100644 --- a/rules/S6867/kubernetes/metadata.json +++ b/rules/S6867/kubernetes/metadata.json 
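Review bot: `wildcart` in the new highlighting.adoc line is a typo; it should read `* Highlight the property that was set using a wildcard.`. The line is moved here from rules/S6867/kubernetes/rule.adoc, so the typo now lands in the shared file that both the Kubernetes and the new Ansible page include.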
@@ -1,29 +1,2 @@ { - "title": "Wildcards should not be used to define RBAC permissions", - "type": "VULNERABILITY", - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "5min" - }, - "tags": [ - ], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-6867", - "sqKey": "S6864", - "scope": "All", - "securityStandards": { - "CWE": [ - 284 - ] - }, - "defaultQualityProfiles": ["Sonar way"], - "quickfix": "unknown", - "code": { - "impacts": { - "MAINTAINABILITY": "MEDIUM", - "SECURITY": "MEDIUM" - }, - "attribute": "COMPLETE" - } } diff --git a/rules/S6867/kubernetes/resources.adoc b/rules/S6867/kubernetes/resources.adoc new file mode 100644 index 00000000000..2711be9bafa --- /dev/null +++ b/rules/S6867/kubernetes/resources.adoc @@ -0,0 +1,14 @@ +== Resources +=== Documentation + +* Kubernetes Documentation - https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] + + +//=== Articles & blog posts +//=== Conference presentations +=== Standards + +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] + +//=== External coding guidelines +//=== Benchmarks diff --git a/rules/S6867/kubernetes/rule.adoc b/rules/S6867/kubernetes/rule.adoc index dd3859e9248..28ddac2a2a3 100644 --- a/rules/S6867/kubernetes/rule.adoc +++ b/rules/S6867/kubernetes/rule.adoc 
@@ -1,14 +1,4 @@ -== Why is this an issue? - -Using wildcards when defining Role-Based Access Control (RBAC) permissions in Kubernetes can lead to significant security issues. This is because it grants overly broad permissions, potentially allowing access to sensitive resources. - - -RBAC is designed to limit the access rights of users within the system by assigning roles to them. These roles define what actions a user can perform and on which resources. When a wildcard is used, it means that the role has access to all resources/verbs, bypassing the principle of least privilege. This principle states that users should have only the minimal permissions they need to perform their job function. - - -=== What is the potential impact? - -If an attacker gains access to a role with wildcard permissions, they could potentially read, modify, or delete any resource in the Kubernetes cluster, leading to data breaches, service disruptions, or other malicious activities. +include::description.adoc[] == How to fix it @@ -53,20 +43,7 @@ When defining RBAC permissions, it is important to follow the principle of least //=== Going the extra mile -== Resources -=== Documentation - -* Kubernetes Documentation - https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] - - -//=== Articles & blog posts -//=== Conference presentations -=== Standards - -* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] - -//=== External coding guidelines -//=== Benchmarks +include::resources.adoc[] ifdef::env-github,rspecator-view[] 
@@ -74,12 +51,9 @@ ifdef::env-github,rspecator-view[] == Implementation Specification (visible only on this page) -=== Message - -Replace this wildcard with a clear list of allowed resources. +include::message.adoc[] -=== Highlighting +include::highlighting.adoc[] -* Highlight the property that was set using a wildcart. -endif::env-github,rspecator-view[] \ No newline at end of file +endif::env-github,rspecator-view[] diff --git a/rules/S6867/metadata.json b/rules/S6867/metadata.json index 2c63c085104..96725154d34 100644 --- a/rules/S6867/metadata.json +++ b/rules/S6867/metadata.json @@ -1,2 +1,29 @@ { + "title": "Wildcards should not be used to define RBAC permissions", + "type": "VULNERABILITY", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-6867", + "sqKey": "S6864", + "scope": "All", + "securityStandards": { + "CWE": [ + 284 + ] + }, + "defaultQualityProfiles": ["Sonar way"], + "quickfix": "unknown", + "code": { + "impacts": { + "MAINTAINABILITY": "MEDIUM", + "SECURITY": "MEDIUM" + }, + "attribute": "COMPLETE" + } } From b835eba04da7ca45749ed411d857305538435a69 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:50:41 +0200 Subject: [PATCH 24/61] Create rule S6596 add Ansible (#4442) * Add ansible to rule S6596 * Create rule S6596 add Ansible --------- Co-authored-by: mstachniuk Co-authored-by: Marcin Stachniuk --- rules/S6596/ansible/metadata.json | 2 ++ rules/S6596/ansible/rule.adoc | 56 +++++++++++++++++++++++++++++++ rules/S6596/common/resources.adoc | 6 ++++ rules/S6596/kubernetes/rule.adoc | 13 +++---- 4 files changed, 68 insertions(+), 9 deletions(-) create mode 100644 rules/S6596/ansible/metadata.json create mode 100644 rules/S6596/ansible/rule.adoc create mode 100644 rules/S6596/common/resources.adoc 
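Review bot: `"sqKey": "S6864"` does not match `"ruleSpecification": "RSPEC-6867"` in the same object; unless the S6864 key is deliberate, it should be `"sqKey": "S6867",`. The block is moved verbatim from rules/S6867/kubernetes/metadata.json, so the mismatch now applies to every language implementation of the rule rather than only the Kubernetes one.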
diff --git a/rules/S6596/ansible/metadata.json b/rules/S6596/ansible/metadata.json new file mode 100644 index 00000000000..7a73a41bfdf --- /dev/null +++ b/rules/S6596/ansible/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S6596/ansible/rule.adoc b/rules/S6596/ansible/rule.adoc new file mode 100644 index 00000000000..fc3dbd45b9d --- /dev/null +++ b/rules/S6596/ansible/rule.adoc @@ -0,0 +1,56 @@ +:image_type: container + +include::../common/description.adoc[] + +== How to fix it + +include::../common/how-to-fix.adoc[] + +=== Code examples + +==== Noncompliant code example +[source,yaml,diff-id=1,diff-type=noncompliant] +---- +- name: Create Pod + kubernetes.core.k8s: + definition: + apiVersion: v1 + kind: Pod + metadata: + name: example + spec: + containers: + - name: nginx + image: nginx # Noncompliant + + - name: nginx + image: nginx:latest # Noncompliant +---- + +==== Compliant solution + +[source,yaml,diff-id=1,diff-type=compliant] +---- +- name: Create Pod + kubernetes.core.k8s: + definition: + apiVersion: v1 + kind: Pod + metadata: + name: example + spec: + containers: + - name: nginx + image: nginx:1.14.2 # Compliant, fixed tag + + - name: nginx + image: nginx@sha256:b0ad43f7ee5edbc0effbc14645ae7055e21bc1973aee5150745632a24a752661 # Compliant, SHA of the image +---- + +include::../common/how-does-this-work.adoc[] + +include::../common/extra-mile.adoc[] + +include::../common/resources.adoc[] + +include::../common/implementation-specific.adoc[] diff --git a/rules/S6596/common/resources.adoc b/rules/S6596/common/resources.adoc new file mode 100644 index 00000000000..d32a768d041 --- /dev/null +++ b/rules/S6596/common/resources.adoc 
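Review bot: Both containers in the noncompliant and the compliant pod definition are `- name: nginx`; container names within one pod spec must be unique, so the examples as written are rejected by the API server and mislead anyone who pastes them. Give the second container a distinct name, e.g. `- name: nginx-latest` in the noncompliant block and `- name: nginx-digest` in the compliant block, which also makes it obvious which line each `# Noncompliant` / `# Compliant` remark refers to.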
@@ -0,0 +1,6 @@ +== Resources +=== Documentation + +* https://helm.sh/docs/chart_best_practices/pods/#images[Helm chart best practices - Images] +* https://kubernetes.io/docs/concepts/containers/images/[Kubernetes - Images] +* https://docs.docker.com/engine/reference/commandline/image_pull/#pull-an-image-by-digest-immutable-identifier[Pull an image by digest (immutable identifier)] diff --git a/rules/S6596/kubernetes/rule.adoc b/rules/S6596/kubernetes/rule.adoc index b43715a1788..e3ac79bd06a 100644 --- a/rules/S6596/kubernetes/rule.adoc +++ b/rules/S6596/kubernetes/rule.adoc @@ -2,14 +2,14 @@ include::../common/description.adoc[] -== How to fix it in Helm +== How to fix it include::../common/how-to-fix.adoc[] === Code examples ==== Noncompliant code example -[source,text,diff-id=1,diff-type=noncompliant] +[source,yaml,diff-id=1,diff-type=noncompliant] ---- apiVersion: v1 kind: Pod @@ -26,7 +26,7 @@ spec: ==== Compliant solution -[source,text,diff-id=1,diff-type=compliant] +[source,yaml,diff-id=1,diff-type=compliant] ---- apiVersion: v1 kind: Pod @@ -45,11 +45,6 @@ include::../common/how-does-this-work.adoc[] include::../common/extra-mile.adoc[] -== Resources -=== Documentation - -* https://helm.sh/docs/chart_best_practices/pods/#images[Helm chart best practices - Images] -* https://kubernetes.io/docs/concepts/containers/images/[Kubernetes - Images] -* https://docs.docker.com/engine/reference/commandline/image_pull/#pull-an-image-by-digest-immutable-identifier[Pull an image by digest (immutable identifier)] +include::../common/resources.adoc[] include::../common/implementation-specific.adoc[] From 2d59cc5136bc09c2d5cc68e6eb06d628f7cc267d Mon Sep 17 00:00:00 2001 From: SonarTech Date: Sat, 26 Oct 2024 02:41:23 +0000 Subject: [PATCH 25/61] update coverage information --- frontend/public/covered_rules.json | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 0a70ff6d5e3..343d255c6e3 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -108,9 +108,15 @@ "S5849": "sonar-iac-enterprise master", "S6321": "sonar-iac-enterprise master", "S6428": "sonar-iac-enterprise master", + "S6429": "sonar-iac-enterprise master", "S6430": "sonar-iac-enterprise master", + "S6431": "sonar-iac-enterprise master", + "S6433": "sonar-iac-enterprise master", "S6437": "sonar-iac-enterprise master", - "S6473": "sonar-iac-enterprise master" + "S6473": "sonar-iac-enterprise master", + "S6596": "sonar-iac-enterprise master", + "S6867": "sonar-iac-enterprise master", + "S6868": "sonar-iac-enterprise master" }, "APEX": { "S100": "sonar-apex 1.17.0.87", @@ -451,6 +457,7 @@ "S5982": "sonar-cpp 6.13.0.22261", "S6069": "sonar-cpp 6.14.0.23970", "S6200": "sonar-cpp 6.27.0.38122", + "S6418": "sonar-cpp master", "S6655": "sonar-cpp 6.47.0.62356", "S6871": "sonar-cpp 6.53.0.67215", "S6936": "sonar-cpp 6.54.0.69031", @@ -1284,6 +1291,7 @@ "S6369": "sonar-cpp 6.29.0.41127", "S6372": "sonar-cpp 6.29.0.41127", "S6391": "sonar-cpp 6.29.0.41127", + "S6418": "sonar-cpp master", "S6427": "sonar-cpp 6.35.0.50389", "S6456": "sonar-cpp 6.40.0.60592", "S6458": "sonar-cpp 6.40.0.60592", @@ -4358,6 +4366,7 @@ "S5982": "sonar-cpp 6.13.0.22261", "S6069": "sonar-cpp 6.14.0.23970", "S6200": "sonar-cpp 6.27.0.38122", + "S6418": "sonar-cpp master", "S6871": "sonar-cpp 6.53.0.67215", "S6936": "sonar-cpp 6.54.0.69031", "S6991": "sonar-cpp 6.57.0.73017", From 3dd031e4f9472a123e75bb07bcd911112c6a0fae Mon Sep 17 00:00:00 2001 From: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Date: Mon, 28 Oct 2024 16:09:05 +0100 Subject: [PATCH 26/61] Modify rule S6870: Improve description (#4443) --- rules/S6870/kubernetes/rule.adoc | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) 
diff --git a/rules/S6870/kubernetes/rule.adoc b/rules/S6870/kubernetes/rule.adoc index fd82baf85e9..582eded45a5 100644 --- a/rules/S6870/kubernetes/rule.adoc +++ b/rules/S6870/kubernetes/rule.adoc @@ -1,14 +1,14 @@ == Why is this an issue? -Ephemeral storage is a type of storage that is temporary and non-persistent, -meaning it does not retain data once the process is terminated. In the context -of Kubernetes, ephemeral storage is used for storing temporary files that a -running container can write and read. +Ephemeral storage in Kubernetes refers to temporary storage that is non-persistent, +meaning it does not retain data once the container or pod is terminated. This +type of storage is typically used for storing temporary files that a running +container can write and read. Examples of ephemeral storage include the container's +writable layer, emptyDir volumes, and log files. -The issue at hand pertains to the creation of a container without any defined -limits for this ephemeral storage. This means that the container can potentially -consume as much ephemeral storage as is available on the node where it is -running. +The issue arises when a container is created without any defined limits for its +ephemeral storage usage. Without these limits, the container can potentially +consume all available ephemeral storage on the node where it is running. === What is the potential impact? @@ -28,6 +28,12 @@ exhibit other unexpected behaviors. == How to fix it +To prevent these issues, it is important to set limits on the amount of ephemeral +storage a container can use. This can be done through the +`resources.limits.ephemeral-storage` property of a container. Additionally, a +default limit for a namespace can be set using a `LimitRange` object through +`spec.limits[].default.ephemeral-storage`. + === Code examples ==== Noncompliant code example 
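Review bot: The new "How to fix it" paragraph presents the `LimitRange` default as an alternative to a per-container limit, but `spec.limits[].default.ephemeral-storage` only fills in a limit for containers that do not declare one; a container that declares a larger limit is not constrained by it. Consider adding after that sentence: `A LimitRange default only applies to containers that do not declare their own limit; spec.limits[].max.ephemeral-storage enforces an upper bound.`. In the first hunk, `emptyDir` is a code element and should be backticked like `resources.limits.ephemeral-storage` further down.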
@@ -111,9 +117,9 @@ spec: === How does this work? -A limit can be set through the property `resources.limits.ephemeral-storage` of -a container. Alternatively, a default limit for a namespace can be set with -`LimitRange` through `spec.limits[].default.ephemeral-storage`. +By setting a limit on ephemeral storage, you ensure that a container cannot +consume more than the specified amount of temporary storage. This helps prevent +resource exhaustion and ensures more predictable application behavior. == Resources From 57b08f634320aa74d488cda68e7bf5a692147d50 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 16:10:14 +0000 Subject: [PATCH 27/61] Create rule S7127: "std::size" should be used to determine the size of arrays (CPP-5791) --- rules/S7127/cfamily/metadata.json | 23 +++++ rules/S7127/cfamily/rule.adoc | 148 ++++++++++++++++++++++++++++++ rules/S7127/metadata.json | 2 + 3 files changed, 173 insertions(+) create mode 100644 rules/S7127/cfamily/metadata.json create mode 100644 rules/S7127/cfamily/rule.adoc create mode 100644 rules/S7127/metadata.json diff --git a/rules/S7127/cfamily/metadata.json b/rules/S7127/cfamily/metadata.json new file mode 100644 index 00000000000..fd1597ed1a2 --- /dev/null +++ b/rules/S7127/cfamily/metadata.json @@ -0,0 +1,23 @@ +{ + "title": "\"std::size\" should be used to determine the size of arrays", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + ], + "defaultSeverity": "Minor", + "ruleSpecification": "RSPEC-7127", + "sqKey": "S7127", + "scope": "All", + "defaultQualityProfiles": ["Sonar way"], + "quickfix": "covered", + "code": { + "impacts": { + "MAINTAINABILITY": "MEDIUM" + }, + "attribute": "CONVENTIONAL" + } +} diff --git a/rules/S7127/cfamily/rule.adoc b/rules/S7127/cfamily/rule.adoc new file mode 100644 index 00000000000..c23ce908eba --- /dev/null 
+++ b/rules/S7127/cfamily/rule.adoc 
@@ -0,0 +1,148 @@
+This rule raises an issue if a division of `sizeof` is used to compute the size of an array,
+that could be replaced with `std::size` or `std::ranges::size` (since {cpp}20).
+
+== Why is this an issue?
+
+C-arrays do not expose their number of elements as a data member or a member function.
+This information is present in the type system.
+
+In {cpp} it can be extracted by calling `std::size` (introduced in {cpp}17) or `std::ranges::size` (introduced in {cpp}20),
+as these functions support C-arrays in addition to containers and ranges.
+
+The historical way, inherited from C, is to divide the size of the array by the size of the element type.
+However, using this solution does not convey the intent of the code as clearly,
+and is prone to producing incorrect values when:
+
+ * the element type is changed but the `sizeof` code was not updated,
+ * `sizeof` was applied to pointer produced from array decay instead of the array itself.
+
+This rule raises an issue when the division of `sizeof` is used to compute the number of elements in an array.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,cpp,diff-id=1,diff-type=noncompliant]
+----
+int carr[10];
+
+void process() {
+ std::size_t size = sizeof(carr) / sizeof(int); // Noncompliant
+}
+----
+
+==== Compliant solution
+
+[source,cpp,diff-id=1,diff-type=compliant]
+----
+int carr[10];
+
+void process() {
+ std::size_t size = std::size(carr); // Compliant
+}
+----
+
+The rule also detects cases where the `sizeof` division is expanded from a macro:
+
+==== Noncompliant code example
+
+[source,cpp,diff-id=2,diff-type=noncompliant]
+----
+#define ARRAY_SIZE(arr) sizeof(arr) / sizeof((arr)[0])
+
+int carr[10];
+
+void process() {
+ std::size_t size = ARRAY_SIZE(carr); // Noncompliant
+}
+----
+
+==== Compliant solution
+
+[source,cpp,diff-id=2,diff-type=compliant]
+----
+#define ARRAY_SIZE(arr) sizeof(arr) / sizeof((arr)[0])
+
+int carr[10];
+
+void process() {
+ std::size_t size = std::size(carr); // Compliant
+}
+----
+
+Once all uses of the `ARRAY_SIZE` macro have been removed, the macro should also be removed.
+However doing so is not required to address the issues raised by this rule,
+as this allows code the be fixed incrementally.
+
+=== `std::array` is also covered
+
+This rule will also raise an issue when the `sizeof` division,
+is used to compute the size of the `std::array` type.
+
+Such code may be leftover from the replacement of C-array,
+without updating all necessary call sites (see S5954).
+
+==== Noncompliant code example
+
+[source,cpp,diff-id=3,diff-type=noncompliant]
+----
+#define ARRAY_SIZE(arr) sizeof(arr) / sizeof((arr)[0])
+
+std::array arr;
+
+void process() {
+ std::size_t size1 = sizeof(arr) / sizeof(int); // Noncompliant
+ std::size_t size2 = ARRAY_SIZE(arr); // Noncompliant
+}
+----
+
+==== Compliant solution
+
+[source,cpp,diff-id=3,diff-type=compliant]
+----
+#define ARRAY_SIZE(arr) sizeof(arr) / sizeof((arr)[0])
+
+std::array arr;
+
+void process() {
+ std::size_t size1 = std::size(arr); // Compliant
+ std::size_t size2 = std::size(arr); // Compliant
+}
+----
+
+Alternatively, the `size` member function may be invoked in a non-generic code.
+
+[source,cpp]
+----
+#define ARRAY_SIZE(arr) sizeof(arr) / sizeof((arr)[0])
+
+std::array arr;
+
+void process() {
+ std::size_t size1 = arr.size(); // Compliant
+ std::size_t size2 = arr.size(); // Compliant
+}
+----
+
+=== How does this work?
+
+The implementation of `std::size` for arrays relies on template argument deduction
+to deduce the size of the array from the parameter that references an array type:
+
+[source,cpp]
+----
+template
+constexpr N my_size(T const& (arr)[N]) {
+ return N;
+}
+
+int arr[10];
+std::size_t s = my_size(arr); // Deduces: "N" == 10
+----
+
+== Resources
+
+=== Related rules
+
+* S5945 - suggest replacing C-arrays with `std::array` and `std::vector`
+
diff --git a/rules/S7127/metadata.json b/rules/S7127/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7127/metadata.json
@@ -0,0 +1,2 @@
+{
+}
From a3028b8b58022252c7b51d9b38157671193a21f1 Mon Sep 17 00:00:00 2001
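Review bot: The `my_size` snippet in "How does this work?" is not valid C++ as shown: `T const& (arr)[N]` declares an array of references, and `N`, which `return N;` shows to be a value parameter, is used as the return type; `template <typename T, std::size_t N>` / `constexpr std::size_t my_size(T const (&arr)[N]) {` would make the illustration compile. The template parameter list after `template` and the template arguments of `std::array arr;` appear to be missing, possibly stripped with the angle brackets in this rendering, so the committed file is worth checking. `ARRAY_SIZE` is defined without parentheses around its body, so `x / ARRAY_SIZE(carr)` expands to `x / sizeof(carr) / sizeof((carr)[0])`; a rule example should not teach that macro pitfall, so wrap the body in parentheses. The body says "see S5954" while "Related rules" lists S5945, so one of the two rule ids is wrong. Minor wording: "as this allows code the be fixed incrementally" should be "to be fixed", and the comma in "the `sizeof` division, is used" should go.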
From: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Date: Tue, 29 Oct 2024 10:36:18 +0100 Subject: [PATCH 28/61] Modify rule S2245: Clarify the naming of random number generators (#4446) * Clarify the naming of random number generators --- rules/S2245/ask-yourself.adoc | 2 +- rules/S2245/cfamily/rule.adoc | 19 ++++++------------- rules/S2245/csharp/rule.adoc | 13 +++---------- rules/S2245/description.adoc | 8 ++++++-- rules/S2245/go/rule.adoc | 4 ++-- rules/S2245/java/rule.adoc | 18 +++++------------- rules/S2245/javascript/rule.adoc | 15 ++++----------- rules/S2245/kotlin/rule.adoc | 2 +- rules/S2245/php/rule.adoc | 20 +++++++------------- rules/S2245/see.adoc | 3 ++- 10 files changed, 37 insertions(+), 67 deletions(-) diff --git a/rules/S2245/ask-yourself.adoc b/rules/S2245/ask-yourself.adoc index 57e9d5bc9ec..8040e53ab88 100644 --- a/rules/S2245/ask-yourself.adoc +++ b/rules/S2245/ask-yourself.adoc @@ -1,7 +1,7 @@ == Ask Yourself Whether * the code using the generated value requires it to be unpredictable. It is the case for all encryption mechanisms or when a secret value, such as a password, is hashed. -* the function you use generates a value which can be predicted (pseudo-random). +* the function you use is a non-cryptographic PRNG. * the generated value is used multiple times. * an attacker can access the generated value. diff --git a/rules/S2245/cfamily/rule.adoc b/rules/S2245/cfamily/rule.adoc index 8a1288cc702..fc71c968cd7 100644 --- a/rules/S2245/cfamily/rule.adoc +++ b/rules/S2245/cfamily/rule.adoc 
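Review bot: `the function you use is a non-cryptographic PRNG` conflates the called function with the generator behind it, which reads oddly next to the other bullets; `* the function you use relies on a non-cryptographic PRNG.` says what is meant and matches the "relies on" wording used on the C# and Java pages in this commit. The list is otherwise unchanged, so the `yes to any of those questions` sentence still applies.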
@@ -1,18 +1,10 @@ -Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities: - -* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386[CVE-2013-6386] -* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419[CVE-2006-3419] -* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102[CVE-2008-4102] - -When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. - -As the functions rely on a pseudorandom number generator, they should not be used for security-critical applications or for protecting sensitive data. +include::../description.adoc[] include::../ask-yourself.adoc[] == Recommended Secure Coding Practices -* Use functions which rely on a strong random number generator such as ``++randombytes_uniform()++`` or ``++randombytes_buf()++`` from ``++libsodium++``, or ``++randomize()++`` from Botan. +* Use functions which rely on a cryptographically secure pseudorandom number generator (CSPRNG) such as ``++randombytes_uniform()++`` or ``++randombytes_buf()++`` from ``++libsodium++``, or ``++randomize()++`` from Botan. * Use the generated random values only once. * You should not expose the generated random value. If you have to store it, make sure that the database or file is secure. 
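Review bot: After the introduction is replaced by the shared include, the C-family page keeps no language-specific sentence, whereas the C# and Java pages in this same commit keep one naming the flagged class right after their include. The sensitive example lies outside this hunk, but if it uses `rand()` / `std::rand()` (the functions named by the CERT MSC30-C and MSC50-CPP references elsewhere on this page), a sentence such as `As the C standard library's rand() and C++'s std::rand() rely on a non-cryptographic PRNG, they should not be used for security-critical applications or for protecting sensitive data.` placed after `include::../description.adoc[]` would keep the three pages consistent.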
@@ -37,17 +29,18 @@ void f() { void f() { char random_chars[10]; - randombytes_buf(random_chars, 10); // Compliant - uint32_t random_int = randombytes_uniform(10); // Compliant + randombytes_buf(random_chars, 10); + uint32_t random_int = randombytes_uniform(10); uint8_t random_chars[10]; Botan::System_RNG system; - system.randomize(random_chars, 10); // Compliant + system.randomize(random_chars, 10); } ---- == See +* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet] * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] diff --git a/rules/S2245/csharp/rule.adoc b/rules/S2245/csharp/rule.adoc index 1ddea8760c1..38cd69f59b0 100644 --- a/rules/S2245/csharp/rule.adoc +++ b/rules/S2245/csharp/rule.adoc 
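Review bot: The compliant `f()` declares `random_chars` twice in the same scope (`char random_chars[10];` and later `uint8_t random_chars[10];`), which does not compile; the commit only strips the `// Compliant` comments and leaves this in place. Rename the second buffer, e.g. `uint8_t botan_chars[10];` and `system.randomize(botan_chars, 10);`, or split the libsodium and Botan snippets into two functions so each example is self-contained.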
@@ -1,13 +1,6 @@ -Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities: +include::../description.adoc[] -* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386[CVE-2013-6386] -* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419[CVE-2006-3419] -* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102[CVE-2008-4102] - -When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. - - -As the ``++System.Random++`` class relies on a pseudorandom number generator, it should not be used for security-critical applications or for protecting sensitive data. In such context, the ``++System.Cryptography.RandomNumberGenerator++`` class which relies on a cryptographically strong random number generator (RNG) should be used in place. +As the ``++System.Random++`` class relies on a non-cryptographic pseudorandom number generator, it should not be used for security-critical applications or for protecting sensitive data. In such context, the ``++System.Cryptography.RandomNumberGenerator++`` class which relies on a CSPRNG should be used in place. include::../ask-yourself.adoc[] @@ -28,7 +21,7 @@ return BitConverter.ToString(data); // Check if this value is used for hashing o ---- using System.Security.Cryptography; ... -var randomGenerator = RandomNumberGenerator.Create(); // Compliant for security-sensitive use cases +var randomGenerator = RandomNumberGenerator.Create(); byte[] data = new byte[16]; randomGenerator.GetBytes(data); return BitConverter.ToString(data); diff --git a/rules/S2245/description.adoc b/rules/S2245/description.adoc index be5b73c0094..6108c2931bf 100644 --- a/rules/S2245/description.adoc +++ b/rules/S2245/description.adoc 
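Review bot: The rewritten sentence still names the class `System.Cryptography.RandomNumberGenerator`, but the compliant example in the second hunk imports `System.Security.Cryptography`, which is the namespace `RandomNumberGenerator` actually lives in; the prose should read `System.Security.Cryptography.RandomNumberGenerator` so that readers searching for the documented class find it. The sentence was carried over from the removed line, so this is pre-existing, but the hunk rewrites it anyway.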
@@ -1,7 +1,11 @@ -Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities: +PRNGs are algorithms that produce sequences of numbers that only approximate true randomness. While they are suitable for applications like simulations or modeling, they are not appropriate for security-sensitive contexts because their outputs can be predictable if the internal state is known. + +In contrast, cryptographically secure pseudorandom number generators (CSPRNGs) are designed to be secure against prediction attacks. CSPRNGs use cryptographic algorithms to ensure that the generated sequences are not only random but also unpredictable, even if part of the sequence or the internal state becomes known. This unpredictability is crucial for security-related tasks such as generating encryption keys, tokens, or any other values that must remain confidential and resistant to guessing attacks. + +For example, the use of non-cryptographic PRNGs has led to vulnerabilities such as: * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386[CVE-2013-6386] * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419[CVE-2006-3419] * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102[CVE-2008-4102] -When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. +When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. Therefore, it is critical to use CSPRNGs in any security-sensitive application to ensure the robustness and security of the system. 
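Review bot: `unpredictable, even if part of the sequence or the internal state becomes known` overstates what a CSPRNG guarantees: once the complete internal state is known, the future output of any deterministic generator is computable, CSPRNG or not; what distinguishes a CSPRNG is that outputs cannot be predicted from other outputs, and typically that a state compromise does not reveal earlier outputs. Suggest `unpredictable even if part of the sequence becomes known, and that earlier outputs cannot be recovered from a later compromise of the internal state`. The opening `PRNGs are algorithms` also leaves the acronym unexpanded now that the removed line carried the expansion, and every language page includes this file first; `Pseudorandom number generators (PRNGs) are algorithms ...` keeps each page self-explanatory.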
diff --git a/rules/S2245/go/rule.adoc b/rules/S2245/go/rule.adoc index 4ad13cd6fa2..c4307764a6f 100644 --- a/rules/S2245/go/rule.adoc +++ b/rules/S2245/go/rule.adoc @@ -30,7 +30,7 @@ num := rand.Intn(100) // Sensitive import "crypto/rand" a := make([]byte, 10) -_, err := rand.Read(a) // Compliant +_, err := rand.Read(a) if err != nil { panic(err) } @@ -40,7 +40,7 @@ if err != nil { ---- import "crypto/rand" -temp, err := rand.Int(rand.Reader, big.NewInt(100)) // Compliant +temp, err := rand.Int(rand.Reader, big.NewInt(100)) if err != nil { panic(err) } diff --git a/rules/S2245/java/rule.adoc b/rules/S2245/java/rule.adoc index 65966f352cb..7f803eaa030 100644 --- a/rules/S2245/java/rule.adoc +++ b/rules/S2245/java/rule.adoc 
@@ -1,19 +1,12 @@
-Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
+include::../description.adoc[]
 
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386[CVE-2013-6386]
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419[CVE-2006-3419]
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102[CVE-2008-4102]
-
-When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
-
-
-As the ``++java.util.Random++`` class relies on a pseudorandom number generator, this class and relating ``++java.lang.Math.random()++`` method should not be used for security-critical applications or for protecting sensitive data. In such context, the ``++java.security.SecureRandom++`` class which relies on a cryptographically strong random number generator (RNG) should be used in place.
+As the ``++java.util.Random++`` class relies on a non-cryptographic pseudorandom number generator, this class and relating ``++java.lang.Math.random()++`` method should not be used for security-critical applications or for protecting sensitive data. In such context, the ``++java.security.SecureRandom++`` class which relies on a CSPRNG should be used in place.
 
 include::../ask-yourself.adoc[]
 
 == Recommended Secure Coding Practices
 
-* Use a cryptographically strong random number generator (RNG) like "java.security.SecureRandom" in place of this PRNG.
+* Use a cryptographically secure pseudo random number generator (CSPRNG) like "java.security.SecureRandom" in place of a non-cryptographic PRNG.
 * Use the generated random values only once.
 * You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.
 
@@ -29,13 +22,14 @@ random.nextBytes(bytes); // Check if bytes is used for hashing, encryption, etc.
 
 [source,java]
 ----
-SecureRandom random = new SecureRandom(); // Compliant for security-sensitive use cases
+SecureRandom random = new SecureRandom();
 byte bytes[] = new byte[20];
 random.nextBytes(bytes);
 ----
 
 == See
 
+* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet]
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
@@ -45,8 +39,6 @@ random.nextBytes(bytes);
 * CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
 * CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
 * https://wiki.sei.cmu.edu/confluence/x/oTdGBQ[CERT, MSC02-J.] - Generate strong random numbers
-* https://wiki.sei.cmu.edu/confluence/x/UNcxBQ[CERT, MSC30-C.] - Do not use the rand() function for generating pseudorandom numbers
-* https://wiki.sei.cmu.edu/confluence/x/2ns-BQ[CERT, MSC50-CPP.] - Do not use std::rand() for generating pseudorandom numbers
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]
 
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2245/javascript/rule.adoc b/rules/S2245/javascript/rule.adoc
index aaab7159e60..455879b7c5c 100644
--- a/rules/S2245/javascript/rule.adoc
+++ b/rules/S2245/javascript/rule.adoc
@@ -1,11 +1,4 @@
-Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
-
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386[CVE-2013-6386]
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419[CVE-2006-3419]
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102[CVE-2008-4102]
-
-When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
-
+include::../description.adoc[]
 
 As the ``++Math.random()++`` function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead.
 
@@ -13,7 +6,7 @@ include::../ask-yourself.adoc[]
 
 == Recommended Secure Coding Practices
 
-* Use a cryptographically strong pseudorandom number generator (CSPRNG) like ``++crypto.getRandomValues()++``.
+* Use a cryptographically secure pseudorandom number generator (CSPRNG) like ``++crypto.getRandomValues()++``.
 * Use the generated random values only once.
 * You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.
 
@@ -31,11 +24,11 @@ const val = Math.random(); // Sensitive
 // === Client side ===
 const crypto = window.crypto || window.msCrypto;
 var array = new Uint32Array(1);
-crypto.getRandomValues(array); // Compliant for security-sensitive use cases
+crypto.getRandomValues(array);
 
 // === Server side ===
 const crypto = require('crypto');
-const buf = crypto.randomBytes(1); // Compliant for security-sensitive use cases
+const buf = crypto.randomBytes(1);
 ----
 
 include::../see.adoc[]
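Review bot: The second hunk renames "cryptographically strong" to "cryptographically secure" in the recommendation list, but the context line kept by the first hunk, `As the ``++Math.random()++`` function relies on a weak pseudorandom number generator, ... a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead.`, still uses the old term, so this file now mixes both. Changing that line to `... a cryptographically secure pseudorandom number generator (CSPRNG) should be used instead.` and `weak` to `non-cryptographic` would align it with the Java and PHP rules touched in this same commit.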
diff --git a/rules/S2245/kotlin/rule.adoc b/rules/S2245/kotlin/rule.adoc
index 099e5773f3e..5ecb09225d8 100644
--- a/rules/S2245/kotlin/rule.adoc
+++ b/rules/S2245/kotlin/rule.adoc
@@ -16,7 +16,7 @@ random.nextBytes(bytes)
 
 [source,kotlin]
 ----
-val random = SecureRandom() // Compliant
+val random = SecureRandom()
 val bytes = ByteArray(20)
 random.nextBytes(bytes)
 ----
diff --git a/rules/S2245/php/rule.adoc b/rules/S2245/php/rule.adoc
index b73f370c842..c87812af9d9 100644
--- a/rules/S2245/php/rule.adoc
+++ b/rules/S2245/php/rule.adoc
@@ -1,34 +1,28 @@
-Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
+include::../description.adoc[]
 
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386[CVE-2013-6386]
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419[CVE-2006-3419]
-* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102[CVE-2008-4102]
-
-When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
-
-As the ``++rand()++`` and ``++mt_rand()++`` functions rely on a pseudorandom number generator, it should not be used for security-critical applications or for protecting sensitive data.
+As the ``++rand()++`` and ``++mt_rand()++`` functions are no CSPRNGs, they should not be used for security-critical applications or for protecting sensitive data.
 
 include::../ask-yourself.adoc[]
 
 == Recommended Secure Coding Practices
 
-* Use functions which rely on a cryptographically strong random number generator such as ``++random_int()++`` or ``++random_bytes()++`` or ``++openssl_random_pseudo_bytes()++``
-* When using ``++openssl_random_pseudo_bytes()++``, provide and check the ``++crypto_strong++`` parameter
+* Use functions which rely on a cryptographically secure pseudo random number generator (CSPRNG) such as ``++random_int()++`` or ``++random_bytes()++`` or ``++openssl_random_pseudo_bytes()++``.
+* When using ``++openssl_random_pseudo_bytes()++``, provide and check the ``++crypto_strong++`` parameter.
 * Use the generated random values only once.
 * You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.
 
 == Sensitive Code Example
 
 ----
-$random = rand();
-$random2 = mt_rand(0, 99);
+$random = rand(); // Sensitive
+$random2 = mt_rand(0, 99); // Sensitive
 ----
 
 == Compliant Solution
 
 [source,php]
 ----
-$randomInt = random_int(0,99); // Compliant; generates a cryptographically secure random integer
+$randomInt = random_int(0,99);
 ----
 
 include::../see.adoc[]
diff --git a/rules/S2245/see.adoc b/rules/S2245/see.adoc
index f725b4ca8ba..de5e28b4ccb 100644
--- a/rules/S2245/see.adoc
+++ b/rules/S2245/see.adoc
@@ -1,8 +1,9 @@
 == See
 
+* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet]
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 * CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)]
 * CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
From 4b89a9dddfb3ed5e2e66ab4d416eade57f382c27 Mon Sep 17 00:00:00 2001
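Review bot: The new sentence `+As the ``++rand()++`` and ``++mt_rand()++`` functions are no CSPRNGs, they should not be used ...` reads as a grammatical slip; `are not CSPRNGs` (or `do not use a CSPRNG`) is the intended wording. In the same hunk the Sensitive Code Example keeps a bare `----` block while the Compliant Solution carries `[source,php]`; adding `[source,php]` above the first block keeps the two examples rendered the same way. This hunk starts on the previous line.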
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 29 Oct 2024 10:41:43 +0100 Subject: [PATCH 29/61] Create rule S6418 add PHP (#4447) --- rules/S6418/php/metadata.json | 2 ++ rules/S6418/php/rule.adoc | 56 +++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 rules/S6418/php/metadata.json create mode 100644 rules/S6418/php/rule.adoc diff --git a/rules/S6418/php/metadata.json b/rules/S6418/php/metadata.json new file mode 100644 index 00000000000..7a73a41bfdf --- /dev/null +++ b/rules/S6418/php/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S6418/php/rule.adoc b/rules/S6418/php/rule.adoc new file mode 100644 index 00000000000..148341226e4 --- /dev/null +++ b/rules/S6418/php/rule.adoc 
@@ -0,0 +1,56 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+[source,php,diff-id=1,diff-type=noncompliant]
+----
+$secret = '47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37';
+MyClass->callMyService($secret);
+----
+
+== Compliant Solution
+
+Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/secretsmanager[AWS Secrets Manager]:
+
+[source,php,diff-id=1,diff-type=compliant]
+----
+use Aws\SecretsManager\SecretsManagerClient;
+use Aws\Exception\AwsException;
+$client = new SecretsManagerClient(...);
+$secretName = 'example';
+doSomething($client, $secretName)
+function doSomething($client, $secretName) {
+ try {
+ $result = $client->getSecretValue([
+ 'SecretId' => $secretName,
+ ]);
+ } catch (AwsException $e) {
+ ...
+ }
+ if (isset($result['SecretString'])) {
+ $secret = $result['SecretString'];
+ } else {
+ $secret = base64_decode($result['SecretBinary']);
+ }
+ // do something with the secret
+ MyClass->callMyService($secret);
+}
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+include::../parameters.adoc[]
+
+'''
+endif::env-github,rspecator-view[]
From 823fcb14f6ffc3fdecf7a9d342f12280561e438e Mon Sep 17 00:00:00 2001
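Review bot: The compliant example does not parse as PHP: `MyClass->callMyService($secret);` applies the object operator to a bare class name (it appears in both code blocks), and `doSomething($client, $secretName)` is missing its terminating semicolon. Since this is the snippet users will copy when moving a hard-coded secret into Secrets Manager, it should at least be syntactically valid, e.g. `$myClass->callMyService($secret);` and `doSomething($client, $secretName);`. Separately, unless the elided `...` in the `catch (AwsException $e)` block returns or rethrows, a failed `getSecretValue` call falls through to `isset($result['SecretString'])` with `$result` undefined, and the `else` branch then calls the service with an empty `$secret`; ending the catch block with `return;` (or `throw $e;`) would make the failure path explicit.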
From: Martin Strecker <103252490+martin-strecker-sonarsource@users.noreply.github.com> Date: Tue, 29 Oct 2024 12:33:52 +0100 Subject: [PATCH 30/61] Modify rule S6602: Update benchmark (#4438) * Update benchmark * Update why-dotnet.adoc * Remove from SonarWay * Apply suggestions from code review Co-authored-by: Cristian <67206480+CristianAmbrosini@users.noreply.github.com> --------- Co-authored-by: Cristian <67206480+CristianAmbrosini@users.noreply.github.com> --- rules/S6602/metadata.json | 2 +- rules/S6602/resources-dotnet.adoc | 99 ++++++++++++++++++++----------- rules/S6602/why-dotnet.adoc | 6 +- 3 files changed, 71 insertions(+), 36 deletions(-) diff --git a/rules/S6602/metadata.json b/rules/S6602/metadata.json index 64b2f1b8beb..ce6f45bc59d 100644 --- a/rules/S6602/metadata.json +++ b/rules/S6602/metadata.json @@ -21,6 +21,6 @@ "ruleSpecification": "RSPEC-6602", "sqKey": "S6602", "scope": "All", - "defaultQualityProfiles": ["Sonar way"], + "defaultQualityProfiles": [], "quickfix": "targeted" } diff --git a/rules/S6602/resources-dotnet.adoc b/rules/S6602/resources-dotnet.adoc index 8a8adec2bf0..3a480fb3ebd 100644 --- a/rules/S6602/resources-dotnet.adoc +++ b/rules/S6602/resources-dotnet.adoc 
@@ -11,11 +11,33 @@ [options="header"] |=== -| Method | Runtime | Mean | Standard Deviation | Allocated -| FirstOrDefault | .NET 7.0 | 5.373 ms | 0.1049 ms | 125 KB -| Find | .NET 7.0 | 1.691 ms | 0.0334 ms | 85.94 KB -| FirstOrDefault | .NET Framework 4.6.2 | 5.035 ms | 0.0421 ms | 125.38 KB -| Find | .NET Framework 4.6.2 | 1.779 ms | 0.0107 ms | 86.2 KB +| Method | Runtime | Categories | Mean | Standard Deviation | Allocated +| ArrayFirstOrDefault | .NET 8.0 | Array | 10.515 μs | 0.1410 μs | 32 B +| ArrayFind | .NET 8.0 | Array | 4.417 μs | 0.0729 μs | - +| | | | | | +| ArrayFirstOrDefault | .NET 9.0 | Array | 2.262 μs | 0.0135 μs | - +| ArrayFind | .NET 9.0 | Array | 3.428 μs | 0.0206 μs | - +| | | | | | +| ArrayFirstOrDefault | .NET Framework 4.8.1 | Array | 45.074 μs | 0.7517 μs | 32 B +| ArrayFind | .NET Framework 4.8.1 | Array | 13.948 μs | 0.1496 μs | - +| | | | | | +| ImmutableListFirstOrDefault | .NET 8.0 | ImmutableList<T> | 83.796 μs | 1.3199 μs | 72 B +| ImmutableListFind | .NET 8.0 | ImmutableList<T> | 59.720 μs | 1.0723 μs | - +| | | | | | +| ImmutableListFirstOrDefault | .NET 9.0 | ImmutableList<T> | 81.984 μs | 1.0886 μs | 72 B +| ImmutableListFind | .NET 9.0 | ImmutableList<T> | 58.288 μs | 0.8079 μs | - +| | | | | | +| ImmutableListFirstOrDefault | .NET Framework 4.8.1 | ImmutableList<T> | 446.893 μs | 9.8430 μs | 76 B +| ImmutableListFind | .NET Framework 4.8.1 | ImmutableList<T> | 427.476 μs | 3.3371 μs | - +| | | | | | +| ListFirstOrDefault | .NET 8.0 | List<T> | 14.808 μs | 0.1723 μs | 40 B +| ListFind | .NET 8.0 | List<T> | 6.040 μs | 0.1104 μs | - +| | | | | | +| ListFirstOrDefault | .NET 9.0 | List<T> | 2.233 μs | 0.0154 μs | - +| ListFind | .NET 9.0 | List<T> | 4.458 μs | 0.0745 μs | - +| | | | | | +| ListFirstOrDefault | .NET Framework 4.8.1 | List<T> | 57.290 μs | 1.0494 μs | 40 B +| ListFind | .NET Framework 4.8.1 | List<T> | 18.476 μs | 0.0504 μs | - |=== ==== Glossary 
@@ -28,44 +50,55 @@ The results were generated by running the following snippet with https://github. [source,csharp] ---- -private List data; -private Random random = new Random(); - -[Params(1_000)] -public int N { get; set; } +// Explicitly cache the delegates to avoid allocations inside the benchmark. +private readonly static Func ConditionFunc = static x => x == 1; +private readonly static Predicate ConditionPredicate = static x => x == 1; +private List list; +private ImmutableList immutableList; +private int[] array; +public const int N = 10_000; [GlobalSetup] -public void Setup() => - data = Enumerable.Range(0, N).Select(x => Guid.NewGuid().ToString()).ToList(); - -[Benchmark(Baseline = true)] -public void FirstOrDefault() +public void GlobalSetup() { - for (var i = 0; i < N; i++) - { - var value = data[random.Next(N - 1)]; - _ = data.FirstOrDefault(x => x == value); // Enumerable.FirstOrDefault() - } + list = Enumerable.Range(0, N).Select(x => N - x).ToList(); + immutableList = ImmutableList.CreateRange(list); + array = list.ToArray(); } -[Benchmark] -public void Find() -{ - for (var i = 0; i < N; i++) - { - var value = data[random.Next(N - 1)]; - _ = data.Find(x => x == value); // List.Find() - } -} +[BenchmarkCategory("List"), Benchmark(Baseline = true)] +public int ListFirstOrDefault() => + list.FirstOrDefault(ConditionFunc); + +[BenchmarkCategory("List"), Benchmark] +public int ListFind() => + list.Find(ConditionPredicate); + +[BenchmarkCategory("ImmutableList"), Benchmark(Baseline = true)] +public int ImmutableListFirstOrDefault() => + immutableList.FirstOrDefault(ConditionFunc); + +[BenchmarkCategory("ImmutableList"), Benchmark] +public int ImmutableListFind() => + immutableList.Find(ConditionPredicate); + +[BenchmarkCategory("Array"), Benchmark(Baseline = true)] +public int ArrayFirstOrDefault() => + array.FirstOrDefault(ConditionFunc); + +[BenchmarkCategory("Array"), Benchmark] +public int ArrayFind() => + Array.Find(array, ConditionPredicate); ---- 
Hardware configuration: [source] ---- -BenchmarkDotNet=v0.13.5, OS=Windows 10 (10.0.19045.2846/22H2/2022Update) +BenchmarkDotNet v0.14.0, Windows 11 (10.0.22631.4317/23H2/2023Update/SunValley3) 11th Gen Intel Core i7-11850H 2.50GHz, 1 CPU, 16 logical and 8 physical cores - [Host] : .NET Framework 4.8 (4.8.4614.0), X64 RyuJIT VectorSize=256 - .NET 7.0 : .NET 7.0.5 (7.0.523.17405), X64 RyuJIT AVX2 - .NET Framework 4.6.2 : .NET Framework 4.8 (4.8.4614.0), X64 RyuJIT VectorSize=256 + [Host] : .NET Framework 4.8.1 (4.8.9277.0), X64 RyuJIT VectorSize=256 + .NET 8.0 : .NET 8.0.10 (8.0.1024.46610), X64 RyuJIT AVX-512F+CD+BW+DQ+VL+VBMI + .NET 9.0 : .NET 9.0.0 (9.0.24.47305), X64 RyuJIT AVX-512F+CD+BW+DQ+VL+VBMI + .NET Framework 4.8.1 : .NET Framework 4.8.1 (4.8.9277.0), X64 RyuJIT VectorSize=256 ---- diff --git a/rules/S6602/why-dotnet.adoc b/rules/S6602/why-dotnet.adoc index 416bed6fae7..24bc0f7afe4 100644 --- a/rules/S6602/why-dotnet.adoc +++ b/rules/S6602/why-dotnet.adoc 
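Review bot: The benchmark snippet declares `private readonly static Func ConditionFunc`, `Predicate ConditionPredicate`, `List list` and `ImmutableList immutableList` without type arguments, so as printed it does not compile (`Func<int, bool>`, `Predicate<int>`, `List<int>`, `ImmutableList<int>`). If the angle brackets are being dropped by rendering rather than missing from the source, escaping them as the table in this same file does for `ImmutableList<T>` would fix the display; the S6603 snippet later in this series has the same gap. `private static readonly` is also the conventional modifier order in C#. This hunk starts on the previous line.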
@@ -1,9 +1,11 @@ == Why is this an issue? -Both the `List.Find` method and `IEnumerable.FirstOrDefault` method can be used to find the first element that satisfies a given condition in a collection. However, `List.Find` can be faster than `IEnumerable.FirstOrDefault` for `List` objects. For small collections, the performance difference may be minor, but for large collections, it can make a noticeable difference. The same applies for `ImmutableList` and arrays too. +Both the `List.Find` method and the `Enumerable.FirstOrDefault` method can be used to locate the first element that meets a specified condition within a collection. However, for `List` objects, `List.Find` may offer superior performance compared to `Enumerable.FirstOrDefault`. While the performance difference might be negligible for small collections, it can become significant for larger collections. This observation also holds true for `ImmutableList` and arrays. + +It is important to enable this rule with caution, as performance outcomes can vary significantly across different runtimes. Notably, the https://devblogs.microsoft.com/dotnet/performance-improvements-in-net-9/#collections[performance improvements in .NET 9] have brought `FirstOrDefault` closer to the performance of collection-specific `Find` methods in most scenarios. *Applies to* * https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1.find[List] * https://learn.microsoft.com/en-us/dotnet/api/system.array.find[Array] -* https://learn.microsoft.com/en-us/dotnet/api/system.collections.immutable.immutablelist-1.find[ImmutableList] \ No newline at end of file +* https://learn.microsoft.com/en-us/dotnet/api/system.collections.immutable.immutablelist-1.find[ImmutableList] From 3e93c74572a10f7e60b9287e5e8996758699d6ba Mon Sep 17 00:00:00 2001 
From: Martin Strecker <103252490+martin-strecker-sonarsource@users.noreply.github.com> Date: Tue, 29 Oct 2024 12:39:01 +0100 Subject: [PATCH 31/61] NET-407 Update S2551 rule description. (#4445) * Update S2551 rule description. * Add new line * Newlines --- rules/S2551/csharp/rule.adoc | 19 +++++++++++-------- rules/S2551/resources-dotnet.adoc | 12 ++++++------ rules/S2551/vbnet/rule.adoc | 10 +++++----- rules/S2551/why-dotnet.adoc | 6 ++++-- 4 files changed, 26 insertions(+), 21 deletions(-) diff --git a/rules/S2551/csharp/rule.adoc b/rules/S2551/csharp/rule.adoc index 1d5a73ca01f..4433a6fe4b9 100644 --- a/rules/S2551/csharp/rule.adoc +++ b/rules/S2551/csharp/rule.adoc @@ -1,10 +1,8 @@ -include::../why-dotnet.adoc[] - -For example, a `string` should never be used for locking. When a `string` is https://en.wikipedia.org/wiki/Interning_(computer_science)[interned] by the runtime, it can be shared by multiple threads, breaking the locking mechanism. +The instance passed to the https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/statements/lock[`lock` statement] should be a dedicated private field. -Instead, a dedicated private `object` instance should be used for each shared resource. This minimizes access to the lock instance, avoiding deadlocks and lock contention. +include::../why-dotnet.adoc[] -The following objects are considered as shared resources: +The following objects are considered potentially prone to accidental lock sharing: * a reference to https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/this[this]: if the instance is publicly accessibly, the lock might be shared * a https://learn.microsoft.com/en-us/dotnet/api/system.type[Type] object: if the type class is publicly accessibly, the lock might be shared 
@@ -27,12 +25,16 @@ void MyLockingMethod()
 }
 ----
 
-
 ==== Compliant solution
 
 [source,csharp,diff-id=1,diff-type=compliant]
 ----
-private readonly object lockObj = new object();
+#if NET9_0_OR_GREATER
+private readonly Lock lockObj = new();
+#else
+private readonly object lockObj = new();
+#endif
+
 void MyLockingMethod()
 {
 lock (lockObj)
@@ -42,7 +44,8 @@ void MyLockingMethod()
 }
 ----
 
-
 include::../resources-dotnet.adoc[]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/statements/lock[The lock statement - ensure exclusive access to a shared resource]
+
 include::../rspecator.adoc[]
diff --git a/rules/S2551/resources-dotnet.adoc b/rules/S2551/resources-dotnet.adoc
index 78caea3ead9..8716c168b75 100644
--- a/rules/S2551/resources-dotnet.adoc
+++ b/rules/S2551/resources-dotnet.adoc
@@ -2,9 +2,9 @@
 
 === Documentation
 
-* https://en.wikipedia.org/wiki/Thread_(computing)[Thread]
-* https://en.wikipedia.org/wiki/Lock_(computer_science)[Locking]
-* https://en.wikipedia.org/wiki/Deadlock[Deadlock]
-* https://en.wikipedia.org/wiki/Interning_(computer_science)[Interning]
-* https://learn.microsoft.com/en-us/dotnet/api/system.string.intern#remarks[String interning by the runtime]
-* https://docs.microsoft.com/en-us/dotnet/standard/threading/managed-threading-best-practices[Managed Threading Best Practices]
\ No newline at end of file
+* Wikipedia - https://en.wikipedia.org/wiki/Thread_(computing)[Thread]
+* Wikipedia - https://en.wikipedia.org/wiki/Lock_(computer_science)[Locking]
+* Wikipedia - https://en.wikipedia.org/wiki/Deadlock[Deadlock]
+* Wikipedia - https://en.wikipedia.org/wiki/Interning_(computer_science)[Interning]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.string.intern#remarks[String interning by the runtime]
+* Microsoft Learn - https://docs.microsoft.com/en-us/dotnet/standard/threading/managed-threading-best-practices[Managed Threading Best Practices]
\ No newline at end of file
diff --git a/rules/S2551/vbnet/rule.adoc b/rules/S2551/vbnet/rule.adoc index 6f4f2d4fdd9..3f2495e99ac 100644 --- a/rules/S2551/vbnet/rule.adoc +++ b/rules/S2551/vbnet/rule.adoc @@ -1,10 +1,8 @@ -include::../why-dotnet.adoc[] - -For example, a `String` should never be used for locking. When a `String` is https://en.wikipedia.org/wiki/Interning_(computer_science)[interned] by the runtime, it can be shared by multiple threads, breaking the locking mechanism. +The instance passed to the https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/statements/synclock-statement[`SyncLock` statement] should be a dedicated private field. -Instead, a dedicated private `Object` instance should be used for each shared resource. This minimizes access to the lock instance, avoiding deadlocks and lock contention. +include::../why-dotnet.adoc[] -The following objects are considered as shared resources: +The following objects are considered potentially prone to accidental lock sharing: * a reference to https://learn.microsoft.com/en-us/dotnet/visual-basic/programming-guide/program-structure/me-my-mybase-and-myclass#me[Me]: if the instance is publicly accessible, the lock might be shared * a https://learn.microsoft.com/en-us/dotnet/api/system.type[Type] object: if the type class is publicly accessible, the lock might be shared @@ -39,4 +37,6 @@ End Sub include::../resources-dotnet.adoc[] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/statements/synclock-statement[SyncLock Statement] + include::../rspecator.adoc[] diff --git a/rules/S2551/why-dotnet.adoc b/rules/S2551/why-dotnet.adoc index 03c390434c7..379c23fb475 100644 --- a/rules/S2551/why-dotnet.adoc +++ b/rules/S2551/why-dotnet.adoc 
@@ -1,5 +1,7 @@
 == Why is this an issue?
 
-A shared resource refers to a resource or data that can be accessed or modified by multiple https://en.wikipedia.org/wiki/Thread_(computing)[threads] or concurrent parts of a program. It could be any piece of data, object, file, database connection, or system resource that needs to be accessed or manipulated by multiple parts of a program at the same time.
+If the instance representing an exclusively acquired lock is publicly accessible, another thread in another part of the program could accidentally attempt to acquire the same lock. This increases the likelihood of https://en.wikipedia.org/wiki/Deadlock[deadlocks].
 
-Shared resources should not be used for https://en.wikipedia.org/wiki/Lock_(computer_science)[locking] because it increases the chance of https://en.wikipedia.org/wiki/Deadlock[deadlocks]. Any other thread could acquire (or attempt to acquire) the same lock while doing some operation, without knowing that the resource is meant to be used for locking purposes.
+For example, a `string` should never be used for locking. When a `string` is https://en.wikipedia.org/wiki/Interning_(computer_science)[interned] by the runtime, it can be shared by multiple threads, breaking the locking mechanism.
+
+Instead, a dedicated private https://learn.microsoft.com/en-us/dotnet/api/system.threading.lock?view=net-9.0[`Lock`] object instance (or `object` instance, for frameworks before .Net 9) should be used for locking. This minimizes access to the lock instance and therefore prevents accidential lock sharing.
From 8beccff292775a8c1c595e870990d7126e1624e2 Mon Sep 17 00:00:00 2001
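Review bot: The new closing paragraph has a typo, `prevents accidential lock sharing` should read `prevents accidental lock sharing`, and `.Net 9` should be written `.NET 9` to match the `NET9_0_OR_GREATER` symbol used in the C# example of this same commit. The `Lock` link also pins `?view=net-9.0`; dropping the query string lets the docs site resolve to the current version as the other Microsoft Learn links in this commit do.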
From: Martin Strecker <103252490+martin-strecker-sonarsource@users.noreply.github.com> Date: Tue, 29 Oct 2024 15:53:02 +0100 Subject: [PATCH 32/61] Remove from SoanrWay and update benchmarks (#4450) --- rules/S6603/metadata.json | 2 +- rules/S6603/resources-dotnet.adoc | 128 ++++++++++++++++++++++-------- rules/S6603/why-dotnet.adoc | 2 + 3 files changed, 96 insertions(+), 36 deletions(-) diff --git a/rules/S6603/metadata.json b/rules/S6603/metadata.json index a3028e7d8aa..4573cfb7b52 100644 --- a/rules/S6603/metadata.json +++ b/rules/S6603/metadata.json @@ -19,7 +19,7 @@ "ruleSpecification": "RSPEC-6603", "sqKey": "S6603", "scope": "All", - "defaultQualityProfiles": ["Sonar way"], + "defaultQualityProfiles": [], "quickfix": "targeted" } \ No newline at end of file diff --git a/rules/S6603/resources-dotnet.adoc b/rules/S6603/resources-dotnet.adoc index 58513b4ab12..198701610d5 100644 --- a/rules/S6603/resources-dotnet.adoc +++ b/rules/S6603/resources-dotnet.adoc 
@@ -2,21 +2,52 @@ === Documentation -* https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1.trueforall[List.TrueForAll(Predicate)] -* https://learn.microsoft.com/en-us/dotnet/api/system.array.trueforall[Array.TrueForAll(T[\], Predicate)] -* https://learn.microsoft.com/en-us/dotnet/api/system.collections.immutable.immutablelist-1.trueforall[ImmutableList.TrueForAll(Predicate)] -* https://learn.microsoft.com/en-us/dotnet/api/system.collections.immutable.immutablelist-1.builder.trueforall[ImmutableList.Builder.TrueForAll(Predicate)] -* https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.all[Enumerable.All] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1.trueforall[List.TrueForAll(Predicate)] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.array.trueforall[Array.TrueForAll(T[\], Predicate)] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.collections.immutable.immutablelist-1.trueforall[ImmutableList.TrueForAll(Predicate)] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.collections.immutable.immutablelist-1.builder.trueforall[ImmutableList.Builder.TrueForAll(Predicate)] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.all[Enumerable.All] === Benchmarks [options="header"] |=== -| Method | Runtime | Mean | Standard Deviation | Allocated -| TrueForAll | .NET 7.0 | 1.302 ms | 0.0027 ms | 1 B -| All | .NET 7.0 | 6.279 ms | 0.0181 ms | 40004 B -| TrueForAll | .NET Framework 4.6.2 | 1.105 ms | 0.0142 ms | - -| All | .NET Framework 4.6.2 | 4.968 ms | 0.0143 ms | 40128 B +| Method | Runtime | Categories | Mean | Standard Deviation | Allocated +| ArrayAll | .NET 8.0 | Array | 109.25 μs | 1.767 μs | 32 B +| ArrayTrueForAll | .NET 8.0 | Array | 45.01 μs | 0.547 μs | - +| | | | | | +| ArrayAll | .NET 9.0 | Array | 22.28 μs | 0.254 μs | - +| ArrayTrueForAll | .NET 9.0 | Array | 
37.60 μs | 0.382 μs | - +| | | | | | +| ArrayAll | .NET Framework 4.8.1 | Array | 495.90 μs | 4.342 μs | 40 B +| ArrayTrueForAll | .NET Framework 4.8.1 | Array | 164.52 μs | 2.030 μs | - +| | | | | | +| ImmutableListAll | .NET 8.0 | ImmutableList | 940.29 μs | 5.600 μs | 72 B +| ImmutableListTrueForAll | .NET 8.0 | ImmutableList | 679.46 μs | 2.371 μs | - +| | | | | | +| ImmutableListAll | .NET 9.0 | ImmutableList | 922.43 μs | 14.564 μs | 72 B +| ImmutableListTrueForAll | .NET 9.0 | ImmutableList | 692.31 μs | 8.897 μs | - +| | | | | | +| ImmutableListAll | .NET Framework 4.8.1 | ImmutableList | 4,578.72 μs | 77.920 μs | 128 B +| ImmutableListTrueForAll | .NET Framework 4.8.1 | ImmutableList | 4,393.49 μs | 122.061 μs | - +| | | | | | +| ImmutableListBuilderAll | .NET 8.0 | ImmutableList.Builder | 970.45 μs | 13.598 μs | 73 B +| ImmutableListBuilderTrueForAll | .NET 8.0 | ImmutableList.Builder | 687.82 μs | 6.142 μs | - +| | | | | | +| ImmutableListBuilderAll | .NET 9.0 | ImmutableList.Builder | 981.17 μs | 12.966 μs | 72 B +| ImmutableListBuilderTrueForAll | .NET 9.0 | ImmutableList.Builder | 710.19 μs | 16.195 μs | - +| | | | | | +| ImmutableListBuilderAll | .NET Framework 4.8.1 | ImmutableList.Builder | 4,780.50 μs | 43.282 μs | 128 B +| ImmutableListBuilderTrueForAll | .NET Framework 4.8.1 | ImmutableList.Builder | 4,493.82 μs | 76.530 μs | - +| | | | | | +| ListAll | .NET 8.0 | List | 151.12 μs | 2.028 μs | 40 B +| ListTrueForAll | .NET 8.0 | List | 58.03 μs | 0.493 μs | - +| | | | | | +| ListAll | .NET 9.0 | List | 22.14 μs | 0.327 μs | - +| ListTrueForAll | .NET 9.0 | List | 46.01 μs | 0.327 μs | - +| | | | | | +| ListAll | .NET Framework 4.8.1 | List | 619.86 μs | 6.037 μs | 48 B +| ListTrueForAll | .NET Framework 4.8.1 | List | 208.49 μs | 2.340 μs | - |=== ==== Glossary 
@@ -29,42 +60,69 @@ The results were generated by running the following snippet with https://github. [source,csharp] ---- -private List data; +// Explicitly cache the delegates to avoid allocations inside the benchmark. +private readonly static Func ConditionFunc = static x => x == Math.Abs(x); +private readonly static Predicate ConditionPredicate = static x => x == Math.Abs(x); -[Params(10_000)] +private List list; +private ImmutableList immutableList; +private ImmutableList.Builder immutableListBuilder; +private int[] array; + +[Params(100_000)] public int N { get; set; } [GlobalSetup] -public void Setup() => - data = Enumerable.Range(0, N).Select(x => 42).ToList(); - -[Benchmark] -public void TrueForAll() +public void GlobalSetup() { - for (var i = 0; i < N; i++) - { - _ = data.TrueForAll(x => x == 42); // List.TrueForAll - } + list = Enumerable.Range(0, N).Select(x => N - x).ToList(); + immutableList = ImmutableList.CreateRange(list); + immutableListBuilder = ImmutableList.CreateBuilder(); + immutableListBuilder.AddRange(list); + array = list.ToArray(); } -[Benchmark(Baseline = true)] -public void All() -{ - for (var i = 0; i < N; i++) - { - _ = data.All(x => x == 42); // Enumerable.All - } -} +[BenchmarkCategory("List"), Benchmark] +public bool ListAll() => + list.All(ConditionFunc); + +[BenchmarkCategory("List"), Benchmark(Baseline = true)] +public bool ListTrueForAll() => + list.TrueForAll(ConditionPredicate); + +[BenchmarkCategory("ImmutableList"), Benchmark(Baseline = true)] +public bool ImmutableListAll() => + immutableList.All(ConditionFunc); + +[BenchmarkCategory("ImmutableList"), Benchmark] +public bool ImmutableListTrueForAll() => + immutableList.TrueForAll(ConditionPredicate); + +[BenchmarkCategory("ImmutableList.Builder"), Benchmark(Baseline = true)] +public bool ImmutableListBuilderAll() => + immutableListBuilder.All(ConditionFunc); + +[BenchmarkCategory("ImmutableList.Builder"), Benchmark] +public bool ImmutableListBuilderTrueForAll() => + 
immutableListBuilder.TrueForAll(ConditionPredicate); + +[BenchmarkCategory("Array"), Benchmark(Baseline = true)] +public bool ArrayAll() => + array.All(ConditionFunc); + +[BenchmarkCategory("Array"), Benchmark] +public bool ArrayTrueForAll() => + Array.TrueForAll(array, ConditionPredicate); ---- Hardware configuration: [source] ---- -BenchmarkDotNet=v0.13.5, OS=Windows 10 (10.0.19045.2846/22H2/2022Update) -12th Gen Intel Core i7-12800H, 1 CPU, 20 logical and 14 physical cores -.NET SDK=7.0.203 - [Host] : .NET 7.0.5 (7.0.523.17405), X64 RyuJIT AVX2 - .NET 7.0 : .NET 7.0.5 (7.0.523.17405), X64 RyuJIT AVX2 - .NET Framework 4.6.2 : .NET Framework 4.8 (4.8.4614.0), X64 RyuJIT VectorSize=256 +BenchmarkDotNet v0.14.0, Windows 11 (10.0.22631.4317/23H2/2023Update/SunValley3) +11th Gen Intel Core i7-11850H 2.50GHz, 1 CPU, 16 logical and 8 physical cores + [Host] : .NET Framework 4.8.1 (4.8.9277.0), X64 RyuJIT VectorSize=256 + .NET 8.0 : .NET 8.0.10 (8.0.1024.46610), X64 RyuJIT AVX-512F+CD+BW+DQ+VL+VBMI + .NET 9.0 : .NET 9.0.0 (9.0.24.47305), X64 RyuJIT AVX-512F+CD+BW+DQ+VL+VBMI + .NET Framework 4.8.1 : .NET Framework 4.8.1 (4.8.9277.0), X64 RyuJIT VectorSize=256 ---- \ No newline at end of file diff --git a/rules/S6603/why-dotnet.adoc b/rules/S6603/why-dotnet.adoc index f1ec951b32c..a4631e1bc31 100644 --- a/rules/S6603/why-dotnet.adoc +++ b/rules/S6603/why-dotnet.adoc 
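Review bot: The `Baseline = true` marker sits on different sides in different categories: `ListTrueForAll` is the baseline for `List`, while `ImmutableListAll`, `ImmutableListBuilderAll` and `ArrayAll` are the baselines for theirs, so BenchmarkDotNet's ratio column does not compare the same direction across categories and readers of the table above cannot tell which method the ratio favours. Pick one side for all four, e.g. `[BenchmarkCategory("List"), Benchmark(Baseline = true)]` on `ListAll` and a plain `[BenchmarkCategory("List"), Benchmark]` on `ListTrueForAll`, to match the other categories. The S6605 snippet later on this page (`ListExists` as baseline versus `ImmutableListAny` and `ArrayAny` as baselines) has the same mix and is additionally missing the blank line between `ArrayAny()` and the `ArrayExists` attribute.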
@@ -2,6 +2,8 @@ Both the `List.TrueForAll` method and the `IEnumerable.All` method can be used to check if all list elements satisfy a given condition in a collection. However, `List.TrueForAll` can be faster than `IEnumerable.All` for `List` objects. The performance difference may be minor for small collections, but for large collections, it can be noticeable. +It is important to enable this rule with caution, as performance outcomes can vary significantly across different runtimes. Notably, the https://devblogs.microsoft.com/dotnet/performance-improvements-in-net-9/#collections[performance improvements in .NET 9] have brought `All` closer to the performance of collection-specific `TrueForAll` methods in most scenarios. + *Applies to* * https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1.trueforall[List] From d93d542b8114d17f1c5c9f503d07ff864a7c2ce0 Mon Sep 17 00:00:00 2001 From: SonarTech Date: Wed, 30 Oct 2024 02:43:58 +0000 Subject: [PATCH 33/61] update coverage information --- frontend/public/covered_rules.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 343d255c6e3..1ae8be481cb 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -2064,7 +2064,7 @@ "S1206": "sonar-dart 0.1.0.1359", "S121": "sonar-dart 0.1.0.1359", "S1481": "sonar-dart 0.1.0.1359", - "S1541": "sonar-dart master", + "S1541": "sonar-dart 0.4.0.1887", "S1578": "sonar-dart 0.1.0.1359", "S1679": "sonar-dart 0.1.0.1359", "S1854": "sonar-dart 0.1.0.1359", From 7f4817c401081d8f0941b9c7638c8fcad58795e1 Mon Sep 17 00:00:00 2001 
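Review bot: The added sentence says the .NET 9 improvements brought `All` "closer to" the collection-specific `TrueForAll` methods, but the benchmark table added in the same commit shows `All` being faster on .NET 9 for both `List` (22.14 μs vs 46.01 μs) and `Array` (22.28 μs vs 37.60 μs), with only `ImmutableList` still favouring `TrueForAll`, so the wording understates the commit's own data. Consider `have made All match or outperform the collection-specific TrueForAll methods on .NET 9 for List and arrays, while ImmutableList still favours TrueForAll`. The equivalent sentence added to `rules/S6605/why-dotnet.adoc` later on this page has the same issue (`ListAny` 398.6 ns vs `ListExists` 612.4 ns and `ArrayAny` 358.5 ns vs `ArrayExists` 581.6 ns on .NET 9).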
From: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:42:45 +0100 Subject: [PATCH 34/61] Modify rule S6377: Clarify C# compliant code sample (APPSEC-1731) (#4451) --- rules/S6377/common/impact.adoc | 3 ++- rules/S6377/common/impacts/injection.adoc | 7 ++++++- rules/S6377/common/impacts/spoofing.adoc | 7 ++++++- rules/S6377/common/rationale.adoc | 4 +++- rules/S6377/csharp/how-to-fix/net-core.adoc | 10 ++++++++-- 5 files changed, 25 insertions(+), 6 deletions(-) diff --git a/rules/S6377/common/impact.adoc b/rules/S6377/common/impact.adoc index 85b29e4c821..f99027d53be 100644 --- a/rules/S6377/common/impact.adoc +++ b/rules/S6377/common/impact.adoc @@ -1,4 +1,5 @@ -By not enforcing secure validation, the XML Digital Signature API is more susceptible to attacks such as signature spoofing and injections. +By not enforcing secure validation, the XML Digital Signature API is more +susceptible to attacks such as signature spoofing and injections. include::impacts/spoofing.adoc[] diff --git a/rules/S6377/common/impacts/injection.adoc b/rules/S6377/common/impacts/injection.adoc index 8d254c400ff..4b2a7c463f8 100644 --- a/rules/S6377/common/impacts/injection.adoc +++ b/rules/S6377/common/impacts/injection.adoc 
@@ -1,3 +1,8 @@
 === Risk of Injection Attacks
 
-Disabling secure validation can expose the application to injection attacks. Attackers can inject malicious code or entities into the XML document, taking advantage of the weakened validation process. In some cases, it can also expose the application to denial-of-service attacks. Attackers can exploit vulnerabilities in the validation process to cause excessive resource consumption or system crashes, leading to service unavailability or disruption.
+Disabling secure validation can expose the application to injection attacks.
+Attackers can inject malicious code or entities into the XML document, taking
+advantage of the weakened validation process. In some cases, it can also expose
+the application to denial-of-service attacks. Attackers can exploit
+vulnerabilities in the validation process to cause excessive resource
+consumption or system crashes, leading to service unavailability or disruption.
diff --git a/rules/S6377/common/impacts/spoofing.adoc b/rules/S6377/common/impacts/spoofing.adoc
index 07583ee2403..538dc5470bc 100644
--- a/rules/S6377/common/impacts/spoofing.adoc
+++ b/rules/S6377/common/impacts/spoofing.adoc
@@ -1,3 +1,8 @@
 === Increased Vulnerability to Signature Spoofing
 
-By disabling secure validation, the application becomes more susceptible to signature spoofing attacks. Attackers can potentially manipulate the XML signature in a way that bypasses the validation process, allowing them to forge or tamper with the signature. This can lead to the acceptance of invalid or maliciously modified signatures, compromising the integrity and authenticity of the XML documents.
+By disabling secure validation, the application becomes more susceptible to
+signature spoofing attacks. Attackers can potentially manipulate the XML
+signature in a way that bypasses the validation process, allowing them to forge
+or tamper with the signature. This can lead to the acceptance of invalid or
+maliciously modified signatures, compromising the integrity and authenticity of
+the XML documents.
diff --git a/rules/S6377/common/rationale.adoc b/rules/S6377/common/rationale.adoc
index 136e7741468..0899ad55f83 100644
--- a/rules/S6377/common/rationale.adoc
+++ b/rules/S6377/common/rationale.adoc
@@ -1 +1,3 @@
-XML signatures are a method used to ensure the integrity and authenticity of XML documents. However, if XML signatures are not validated securely, it can lead to potential vulnerabilities.
+XML signatures are a method used to ensure the integrity and authenticity of XML
+documents. However, if XML signatures are not validated securely, it can lead to
+potential vulnerabilities.
diff --git a/rules/S6377/csharp/how-to-fix/net-core.adoc b/rules/S6377/csharp/how-to-fix/net-core.adoc
index 0276a21010a..49047bd1b26 100644
--- a/rules/S6377/csharp/how-to-fix/net-core.adoc
+++ b/rules/S6377/csharp/how-to-fix/net-core.adoc
@@ -54,5 +54,11 @@ if (signedXml.CheckSignature(rsaKey)) { Here, the compliant solution provides an RSA public key to the signature validation function. This will ensure only signatures computed with the -associated private key will be accepted. This prevents signature forgery -attacks. \ No newline at end of file +associated private key will be accepted, preventing signature forgery attacks. + +Using the `CheckSignature` method without providing a key can be risky because +it may search the `AddressBook` store for certificates, which includes all +trusted root CA certificates on the machine. This broad trust base can be +exploited by attackers. Additionally, if the document is not signed with an +X.509 signature, the method will use the key embedded in the signature element, +which can lead to accepting signatures from untrusted sources. From 041d90ff3888c0542fe812f5d1c915f6a4399d19 Mon Sep 17 00:00:00 2001 From: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Date: Wed, 30 Oct 2024 15:57:46 +0100 Subject: [PATCH 35/61] Modify Rule S5144: Add information on blacklisting (#4454) * Modify Rule S5144: Add information on blacklisting --- rules/S5144/common/fix/blacklist.adoc | 12 ++++++++++++ rules/S5144/common/fix/pre-approved-list.adoc | 2 +- rules/S5144/common/pitfalls/blacklist-toctou.adoc | 8 ++++++++ rules/S5144/csharp/how-to-fix-it/dotnet.adoc | 4 +++- rules/S5144/java/how-to-fix-it/java-se.adoc | 4 ++++ rules/S5144/javascript/how-to-fix-it/node.adoc | 4 ++++ rules/S5144/php/how-to-fix-it/core.adoc | 4 ++++ rules/S5144/php/how-to-fix-it/guzzle.adoc | 4 ++++ rules/S5144/python/how-to-fix-it/httpx.adoc | 4 ++++ rules/S5144/python/how-to-fix-it/python.adoc | 4 ++++ rules/S5144/python/how-to-fix-it/requests.adoc | 4 ++++ 11 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 rules/S5144/common/fix/blacklist.adoc create mode 100644 rules/S5144/common/pitfalls/blacklist-toctou.adoc 
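Review bot: The new paragraph attributes the machine-wide trust to the `AddressBook` store ("which includes all trusted root CA certificates on the machine"); as far as I recall the framework behaviour, `AddressBook` is the "Other People" certificate store, and the broad trust base actually comes from the parameterless `CheckSignature()` chain-validating the certificate carried in the signature against the machine's trusted roots, so the sentence conflates two different things. I would rephrase the clause to `it may accept any X.509 certificate carried in the signature that chains to a root trusted by the machine` and keep the following sentence about the embedded key unchanged. The surrounding explanation starts before this hunk, so the first sentence of the paragraph cannot be checked here.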
diff --git a/rules/S5144/common/fix/blacklist.adoc b/rules/S5144/common/fix/blacklist.adoc new file mode 100644 index 00000000000..ca43a445192 --- /dev/null +++ b/rules/S5144/common/fix/blacklist.adoc @@ -0,0 +1,12 @@ +==== Blacklisting + +While whitelisting URLs is the preferred approach to ensure only safe URLs are accessible, there are scenarios where blacklisting may be necessary. + +If whitelisting is not feasible, blacklisting can serve as a partial defense against SSRF attacks, particularly when the objective is to block access to internal resources or specific known malicious URLs. + +When implementing blacklisting, it is crucial to: + +* Comprehensively Check URLs: Ensure that the URL scheme, domain, and path are all scrutinized. This prevents attackers from circumventing the blacklist by altering schemes or paths. +* Understand Limitations: Recognize that blacklisting is not a foolproof solution. It should be part of a multi-layered security strategy to effectively mitigate SSRF risks. + +By adhering to these guidelines, blacklisting can be a useful, albeit secondary, measure in protecting against SSRF attacks. diff --git a/rules/S5144/common/fix/pre-approved-list.adoc b/rules/S5144/common/fix/pre-approved-list.adoc index 56357cfb219..ab732782336 100644 --- a/rules/S5144/common/fix/pre-approved-list.adoc +++ b/rules/S5144/common/fix/pre-approved-list.adoc @@ -1,4 +1,4 @@ -==== Pre-Approved commands +==== Pre-Approved URLs Create a list of authorized and secure URLs that you want the application to be able to request. + diff --git a/rules/S5144/common/pitfalls/blacklist-toctou.adoc b/rules/S5144/common/pitfalls/blacklist-toctou.adoc new file mode 100644 index 00000000000..ada0d0c6712 --- /dev/null +++ b/rules/S5144/common/pitfalls/blacklist-toctou.adoc 
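Review bot: The "Comprehensively Check URLs" bullet in the new `blacklist.adoc` names only scheme, domain and path; a block list compared against the raw string also needs to run on the normalized URL and to cover the port and any userinfo component, otherwise equivalent spellings of a blocked host are not matched. I would extend the bullet to `Normalize the URL first, then check the scheme, host, port, userinfo and path; apply the check to the address the request will actually connect to, and do not follow redirects automatically or re-check the redirect target.` A cross-reference to the TOCTOU pitfall added in the same commit would tie the two sections together, since re-resolution is the main way "the address actually connected to" diverges from the one checked. Terminology is also inconsistent: the sibling heading renamed in this commit says `Pre-Approved URLs`, while the new text says "whitelisting".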
@@ -0,0 +1,8 @@ +==== Blacklist TOCTOU + +When employing a blacklist to mitigate SSRF attacks, it is essential to guard against Time-Of-Check Time-Of-Use (TOCTOU) vulnerabilities in the validation logic. + +A common example of a TOCTOU vulnerability occurs when the domain name is resolved to an IP address for blacklist validation, but the hostname is resolved again later by the request library to make the actual request. An attacker could exploit DNS rebinding to change the IP address between these two resolutions and bypass the blacklist. + + +To prevent this, ensure that the domain name is resolved to an IP address only once, and this IP address is used consistently throughout the validation and request process. diff --git a/rules/S5144/csharp/how-to-fix-it/dotnet.adoc b/rules/S5144/csharp/how-to-fix-it/dotnet.adoc index df0b495826e..0ad0e662ca5 100644 --- a/rules/S5144/csharp/how-to-fix-it/dotnet.adoc +++ b/rules/S5144/csharp/how-to-fix-it/dotnet.adoc @@ -62,8 +62,10 @@ public class ExampleController: Controller include::../../common/fix/pre-approved-list.adoc[] +include::../../common/fix/blacklist.adoc[] + === Pitfalls include::../../common/pitfalls/starts-with.adoc[] - +include::../../common/pitfalls/blacklist-toctou.adoc[] diff --git a/rules/S5144/java/how-to-fix-it/java-se.adoc b/rules/S5144/java/how-to-fix-it/java-se.adoc index 06fcf3b1bc5..403adff9b29 100644 --- a/rules/S5144/java/how-to-fix-it/java-se.adoc +++ b/rules/S5144/java/how-to-fix-it/java-se.adoc @@ -39,8 +39,12 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IO include::../../common/fix/pre-approved-list.adoc[] +include::../../common/fix/blacklist.adoc[] + === Pitfalls include::../../common/pitfalls/starts-with.adoc[] +include::../../common/pitfalls/blacklist-toctou.adoc[] + diff --git a/rules/S5144/javascript/how-to-fix-it/node.adoc b/rules/S5144/javascript/how-to-fix-it/node.adoc index 399108880b5..342ae043bac 100644 
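Review bot: The closing advice to resolve the domain name only once and use that IP address consistently states the goal but not how it is achieved with a typical HTTP client; the non-obvious part is connecting to the validated IP while still presenting the original hostname for the `Host` header and TLS server-name verification, and readers who simply substitute the IP into the URL will break certificate validation. A sentence such as `In practice this means connecting to the validated IP address (for example through the client's custom resolver or address-pinning option) while still sending the original hostname in the Host header and using it for TLS certificate verification.` would make the paragraph actionable. There are also two consecutive empty `+` lines before `To prevent this`; one is enough. In the `dotnet.adoc` hunk that follows, the blank line between the two pitfall `include::` lines is removed, whereas `java-se.adoc`, `node.adoc` and the other language files keep one; the includes should be spaced the same way in every file.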
--- a/rules/S5144/javascript/how-to-fix-it/node.adoc +++ b/rules/S5144/javascript/how-to-fix-it/node.adoc @@ -55,6 +55,10 @@ app.get('/example', async (req, res) => { include::../../common/fix/pre-approved-list.adoc[] +include::../../common/fix/blacklist.adoc[] + === Pitfalls include::../../common/pitfalls/starts-with.adoc[] + +include::../../common/pitfalls/blacklist-toctou.adoc[] diff --git a/rules/S5144/php/how-to-fix-it/core.adoc b/rules/S5144/php/how-to-fix-it/core.adoc index e243eb35b18..a8cc418756b 100644 --- a/rules/S5144/php/how-to-fix-it/core.adoc +++ b/rules/S5144/php/how-to-fix-it/core.adoc @@ -30,6 +30,10 @@ curl_exec($ch); include::../../common/fix/pre-approved-list.adoc[] +include::../../common/fix/blacklist.adoc[] + === Pitfalls include::../../common/pitfalls/starts-with.adoc[] + +include::../../common/pitfalls/blacklist-toctou.adoc[] diff --git a/rules/S5144/php/how-to-fix-it/guzzle.adoc b/rules/S5144/php/how-to-fix-it/guzzle.adoc index c0691225207..35d8bfc6293 100644 --- a/rules/S5144/php/how-to-fix-it/guzzle.adoc +++ b/rules/S5144/php/how-to-fix-it/guzzle.adoc @@ -40,6 +40,10 @@ include::../../common/fix/pre-approved-list.adoc[] The compliant code example uses such an approach. The `requests` library implicitly validates the scheme as it only allows `http` and `https` by default. +include::../../common/fix/blacklist.adoc[] + === Pitfalls include::../../common/pitfalls/starts-with.adoc[] + +include::../../common/pitfalls/blacklist-toctou.adoc[] diff --git a/rules/S5144/python/how-to-fix-it/httpx.adoc b/rules/S5144/python/how-to-fix-it/httpx.adoc index 504013899d8..8279f2a0466 100644 --- a/rules/S5144/python/how-to-fix-it/httpx.adoc +++ b/rules/S5144/python/how-to-fix-it/httpx.adoc 
@@ -47,6 +47,10 @@ include::../../common/fix/pre-approved-list.adoc[] The compliant code example uses such an approach. HTTPX implicitly validates the scheme as it only allows `http` and `https` by default. +include::../../common/fix/blacklist.adoc[] + === Pitfalls include::../../common/pitfalls/starts-with.adoc[] + +include::../../common/pitfalls/blacklist-toctou.adoc[] diff --git a/rules/S5144/python/how-to-fix-it/python.adoc b/rules/S5144/python/how-to-fix-it/python.adoc index ff3d364f471..dcf8a6a8a0f 100644 --- a/rules/S5144/python/how-to-fix-it/python.adoc +++ b/rules/S5144/python/how-to-fix-it/python.adoc @@ -39,6 +39,10 @@ def example(): include::../../common/fix/pre-approved-list.adoc[] +include::../../common/fix/blacklist.adoc[] + === Pitfalls include::../../common/pitfalls/starts-with.adoc[] + +include::../../common/pitfalls/blacklist-toctou.adoc[] diff --git a/rules/S5144/python/how-to-fix-it/requests.adoc b/rules/S5144/python/how-to-fix-it/requests.adoc index baf304f1a50..bad384bfdbd 100644 --- a/rules/S5144/python/how-to-fix-it/requests.adoc +++ b/rules/S5144/python/how-to-fix-it/requests.adoc @@ -41,6 +41,10 @@ include::../../common/fix/pre-approved-list.adoc[] The compliant code example uses such an approach. The `requests` library implicitly validates the scheme as it only allows `http` and `https` by default. +include::../../common/fix/blacklist.adoc[] + === Pitfalls include::../../common/pitfalls/starts-with.adoc[] + +include::../../common/pitfalls/blacklist-toctou.adoc[] From d662fdf017629712e9ed4ecf05e80cea12bd8f92 Mon Sep 17 00:00:00 2001 From: "Loris S." <91723853+loris-s-sonarsource@users.noreply.github.com> Date: Wed, 30 Oct 2024 16:46:47 +0100 Subject: [PATCH 36/61] Modify S2053(C#): Improve code sample (#4452) --- rules/S2053/csharp/how-to-fix-it/dot-net.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/rules/S2053/csharp/how-to-fix-it/dot-net.adoc b/rules/S2053/csharp/how-to-fix-it/dot-net.adoc index 1ab826982f8..089ad088618 100644 --- a/rules/S2053/csharp/how-to-fix-it/dot-net.adoc +++ b/rules/S2053/csharp/how-to-fix-it/dot-net.adoc @@ -25,7 +25,9 @@ using System.Security.Cryptography; public static void hash(string password) { - var hashed = new Rfc2898DeriveBytes(password, 32, 10000, HashAlgorithmName.SHA256); + var saltSize = 32; + var iterations = 100_000; + var hashed = new Rfc2898DeriveBytes(password, saltSize, iterations, HashAlgorithmName.SHA512); } ---- From a8afb3842fd3c4fa5e7dce3f8956c4d2eef74435 Mon Sep 17 00:00:00 2001 From: Antonio Aversa Date: Wed, 30 Oct 2024 17:13:24 +0100 Subject: [PATCH 37/61] Modify rule S2260: Fix list of actions to deal with analyzer failures in the description (#4457) --- rules/S2260/dart/rule.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/S2260/dart/rule.adoc b/rules/S2260/dart/rule.adoc index 0d3d6c60ad5..9403ff1233e 100644 --- a/rules/S2260/dart/rule.adoc +++ b/rules/S2260/dart/rule.adoc @@ -16,7 +16,8 @@ There are three recommended ways to deal with analysis failures: * Fix compiler errors. * Make sure you got all project dependencies, via `flutter pub get`, `dart pub get`, ... * Make sure all referenced generated files were generated before the analysis. -* If you cannot fix them, let us know through the https://community.sonarsource.com/[Sonar Community forum]. + +If you cannot fix them, let us know through the https://community.sonarsource.com/[Sonar Community forum]. === Noncompliant code example From 7f3640afc59e38d7f91057f77ce7d14414ef3fd3 Mon Sep 17 00:00:00 2001 From: SonarTech Date: Thu, 31 Oct 2024 02:44:22 +0000 Subject: [PATCH 38/61] update coverage information --- frontend/public/covered_rules.json | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
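Review bot: The compliant sample constructs the deriver but never disposes it and never retrieves the derived key: `Rfc2898DeriveBytes` implements `IDisposable` and the output only exists after a `GetBytes` call, so the sample shows the configuration but not the hashing step it is meant to illustrate. I would write `using var hashed = new Rfc2898DeriveBytes(password, saltSize, iterations, HashAlgorithmName.SHA512);` followed by `var hash = hashed.GetBytes(32);`. The iteration constant also deserves a short comment such as `// lower bound; raise as hardware allows`, since current OWASP password-storage guidance recommends a higher count for PBKDF2-HMAC-SHA512 than `100_000` and readers tend to copy sample values as-is.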
diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 1ae8be481cb..80b6af2f292 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -102,21 +102,21 @@ "ANSIBLE": { "S1135": "sonar-iac-enterprise 1.37.0.12742", "S2260": "sonar-iac-enterprise 1.37.0.12742", - "S2612": "sonar-iac-enterprise master", - "S4830": "sonar-iac-enterprise master", - "S5332": "sonar-iac-enterprise master", - "S5849": "sonar-iac-enterprise master", - "S6321": "sonar-iac-enterprise master", - "S6428": "sonar-iac-enterprise master", - "S6429": "sonar-iac-enterprise master", - "S6430": "sonar-iac-enterprise master", - "S6431": "sonar-iac-enterprise master", - "S6433": "sonar-iac-enterprise master", - "S6437": "sonar-iac-enterprise master", - "S6473": "sonar-iac-enterprise master", - "S6596": "sonar-iac-enterprise master", - "S6867": "sonar-iac-enterprise master", - "S6868": "sonar-iac-enterprise master" + "S2612": "sonar-iac-enterprise 1.38.0.13264", + "S4830": "sonar-iac-enterprise 1.38.0.13264", + "S5332": "sonar-iac-enterprise 1.38.0.13264", + "S5849": "sonar-iac-enterprise 1.38.0.13264", + "S6321": "sonar-iac-enterprise 1.38.0.13264", + "S6428": "sonar-iac-enterprise 1.38.0.13264", + "S6429": "sonar-iac-enterprise 1.38.0.13264", + "S6430": "sonar-iac-enterprise 1.38.0.13264", + "S6431": "sonar-iac-enterprise 1.38.0.13264", + "S6433": "sonar-iac-enterprise 1.38.0.13264", + "S6437": "sonar-iac-enterprise 1.38.0.13264", + "S6473": "sonar-iac-enterprise 1.38.0.13264", + "S6596": "sonar-iac-enterprise 1.38.0.13264", + "S6867": "sonar-iac-enterprise 1.38.0.13264", + "S6868": "sonar-iac-enterprise 1.38.0.13264" }, "APEX": { "S100": "sonar-apex 1.17.0.87", From 2268e54865f071c6a7557e3009143f06fdb7cbe4 Mon Sep 17 00:00:00 2001 
From: Egon Okerman Date: Thu, 31 Oct 2024 09:33:35 +0100 Subject: [PATCH 39/61] Modify rule S5334: Add noncompliant comment in C# (APPSEC-258) (#4439) * Add noncompliant comment to noncompliant example * add comment --------- Co-authored-by: Loris Sierra --- rules/S5334/csharp/how-to-fix-it/dotnet.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/S5334/csharp/how-to-fix-it/dotnet.adoc b/rules/S5334/csharp/how-to-fix-it/dotnet.adoc index 6256302c753..b566291f058 100644 --- a/rules/S5334/csharp/how-to-fix-it/dotnet.adoc +++ b/rules/S5334/csharp/how-to-fix-it/dotnet.adoc @@ -28,7 +28,8 @@ public class ExampleController : Controller var provider = CodeDomProvider.CreateProvider("CSharp"); var compilerParameters = new CompilerParameters { ReferencedAssemblies = { "System.dll", "System.Runtime.dll" } }; - var compilerResults = provider.CompileAssemblyFromSource(compilerParameters, code); + var compilerResults = provider.CompileAssemblyFromSource(compilerParameters, code); // Noncompliant + object myInstance = compilerResults.CompiledAssembly.CreateInstance("MyClass"); myInstance.GetType().GetMethod("MyMethod").Invoke(myInstance, new object[0]); } From 86ac8e6b42d88123cc6e722e3f39f528e8ca1250 Mon Sep 17 00:00:00 2001 From: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Date: Thu, 31 Oct 2024 09:41:16 +0100 Subject: [PATCH 40/61] Modify Rule S6287: Improve Message (#4455) --- rules/S6287/message.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/S6287/message.adoc b/rules/S6287/message.adoc index c19f60d6127..950beb752b2 100644 --- a/rules/S6287/message.adoc +++ b/rules/S6287/message.adoc @@ -1,4 +1,4 @@ === Message -Change this code to not place user-controlled data in the cookie name. +Change this code to not place user-controlled data in a session cookie. From 56018c314b42434667d6643fba1a257c230a3787 Mon Sep 17 00:00:00 2001 
From: Martin Strecker <103252490+martin-strecker-sonarsource@users.noreply.github.com> Date: Thu, 31 Oct 2024 09:52:14 +0100 Subject: [PATCH 41/61] NET-567 Modify rule S6605: Remove from SonarWay and update benchmarks (#4459) --- rules/S6605/metadata.json | 2 +- rules/S6605/resources-dotnet.adoc | 104 ++++++++++++++++++++---------- rules/S6605/why-dotnet.adoc | 2 + 3 files changed, 73 insertions(+), 35 deletions(-) diff --git a/rules/S6605/metadata.json b/rules/S6605/metadata.json index 01787ab4114..49acb5bb2d0 100644 --- a/rules/S6605/metadata.json +++ b/rules/S6605/metadata.json @@ -21,6 +21,6 @@ "ruleSpecification": "RSPEC-6605", "sqKey": "S6605", "scope": "All", - "defaultQualityProfiles": ["Sonar way"], + "defaultQualityProfiles": [], "quickfix": "targeted" } \ No newline at end of file diff --git a/rules/S6605/resources-dotnet.adoc b/rules/S6605/resources-dotnet.adoc index 0276e892844..adc20571c78 100644 --- a/rules/S6605/resources-dotnet.adoc +++ b/rules/S6605/resources-dotnet.adoc 
@@ -2,21 +2,43 @@ === Documentation -* https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1.exists[List.Exists(Predicate)] -* https://learn.microsoft.com/en-us/dotnet/api/system.array.exists[Array.Exists(T[\], Predicate)] -* https://learn.microsoft.com/en-us/dotnet/api/system.collections.immutable.immutablelist-1.exists[ImmutableList.Exists(Predicate)] -* https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.any[Enumerable.Any(Predicate)] -* https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/ef/language-reference/linq-to-entities[LINQ to Entities] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1.exists[List.Exists(Predicate)] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.array.exists[Array.Exists(T[\], Predicate)] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.collections.immutable.immutablelist-1.exists[ImmutableList.Exists(Predicate)] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.any[Enumerable.Any(Predicate)] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/ef/language-reference/linq-to-entities[LINQ to Entities] === Benchmarks [options="header"] |=== -| Method | Runtime | Mean | Standard Deviation | Allocated -| Any | .NET 7.0 | 6.670 ms | 0.1413 ms | 40004 B -| Exists | .NET 7.0 | 1.364 ms | 0.0270 ms | 1 B -| Any | .NET Framework 4.6.2 | 5.380 ms | 0.0327 ms | 40128 B -| Exists | .NET Framework 4.6.2 | 1.575 ms | 0.0348 ms | - +| Method | Runtime | Categories | Mean | Standard Deviation | Allocated +| ArrayAny | .NET 8.0 | Array | 1,174.0 ns | 16.44 ns | 32 B +| ArrayExists | .NET 8.0 | Array | 570.6 ns | 7.12 ns | - +| | | | | | +| ArrayAny | .NET 9.0 | Array | 358.5 ns | 5.57 ns | - +| ArrayExists | .NET 9.0 | Array | 581.6 ns | 6.17 ns | - +| | | | | | +| ArrayAny | .NET Framework 4.8.1 | Array | 4,896.0 ns | 102.83 ns | 32 B 
+| ArrayExists | .NET Framework 4.8.1 | Array | 1,649.4 ns | 29.81 ns | - +| | | | | | +| ImmutableListAny | .NET 8.0 | ImmutableList | 7,859.3 ns | 91.45 ns | 72 B +| ImmutableListExists | .NET 8.0 | ImmutableList | 5,898.1 ns | 81.69 ns | - +| | | | | | +| ImmutableListAny | .NET 9.0 | ImmutableList | 7,748.9 ns | 119.10 ns | 72 B +| ImmutableListExists | .NET 9.0 | ImmutableList | 5,705.0 ns | 31.53 ns | - +| | | | | | +| ImmutableListAny | .NET Framework 4.8.1 | ImmutableList | 45,118.5 ns | 168.72 ns | 72 B +| ImmutableListExists | .NET Framework 4.8.1 | ImmutableList | 41,966.0 ns | 631.59 ns | - +| | | | | | +| ListAny | .NET 8.0 | List | 1,643.5 ns | 13.09 ns | 40 B +| ListExists | .NET 8.0 | List | 726.2 ns | 11.99 ns | - +| | | | | | +| ListAny | .NET 9.0 | List | 398.6 ns | 8.20 ns | - +| ListExists | .NET 9.0 | List | 612.4 ns | 18.73 ns | - +| | | | | | +| ListAny | .NET Framework 4.8.1 | List | 5,621.5 ns | 35.80 ns | 40 B +| ListExists | .NET Framework 4.8.1 | List | 1,748.0 ns | 11.76 ns | - |=== ==== Glossary 
@@ -29,44 +51,58 @@ The results were generated by running the following snippet with https://github. [source,csharp] ---- -private List data; -private readonly Random random = new Random(); +// Explicitly cache the delegates to avoid allocations inside the benchmark. +private readonly static Func ConditionFunc = static x => x == -1 * Math.Abs(x); +private readonly static Predicate ConditionPredicate = static x => x == -1 * Math.Abs(x); + +private List list; +private ImmutableList immutableList; +private int[] array; [Params(1_000)] public int N { get; set; } [GlobalSetup] -public void Setup() => - data = Enumerable.Range(0, N).Select(x => 43).ToList(); - -[Benchmark(Baseline = true)] -public void Any() +public void GlobalSetup() { - for (var i = 0; i < N; i++) - { - _ = data.Any(x => x % 2 == 0); // Enumerable.Any - } + list = Enumerable.Range(0, N).Select(x => N - x).ToList(); + immutableList = ImmutableList.CreateRange(list); + array = list.ToArray(); } -[Benchmark] -public void Exists() -{ - for (var i = 0; i < N; i++) - { - _ = data.Exists(x => x % 2 == 0); // List.Exists - } -} +[BenchmarkCategory("List"), Benchmark] +public bool ListAny() => + list.Any(ConditionFunc); + +[BenchmarkCategory("List"), Benchmark(Baseline = true)] +public bool ListExists() => + list.Exists(ConditionPredicate); + +[BenchmarkCategory("ImmutableList"), Benchmark(Baseline = true)] +public bool ImmutableListAny() => + immutableList.Any(ConditionFunc); + +[BenchmarkCategory("ImmutableList"), Benchmark] +public bool ImmutableListExists() => + immutableList.Exists(ConditionPredicate); + +[BenchmarkCategory("Array"), Benchmark(Baseline = true)] +public bool ArrayAny() => + array.Any(ConditionFunc); +[BenchmarkCategory("Array"), Benchmark] +public bool ArrayExists() => + Array.Exists(array, ConditionPredicate); ---- Hardware configuration: [source] ---- -BenchmarkDotNet=v0.13.5, OS=Windows 10 (10.0.19045.2846/22H2/2022Update) +BenchmarkDotNet v0.14.0, Windows 11 
(10.0.22631.4317/23H2/2023Update/SunValley3) 11th Gen Intel Core i7-11850H 2.50GHz, 1 CPU, 16 logical and 8 physical cores -.NET SDK=7.0.203 - [Host] : .NET 7.0.5 (7.0.523.17405), X64 RyuJIT AVX2 - .NET 7.0 : .NET 7.0.5 (7.0.523.17405), X64 RyuJIT AVX2 - .NET Framework 4.6.2 : .NET Framework 4.8.1 (4.8.9139.0), X64 RyuJIT VectorSize=256 + [Host] : .NET Framework 4.8.1 (4.8.9277.0), X64 RyuJIT VectorSize=256 + .NET 8.0 : .NET 8.0.10 (8.0.1024.46610), X64 RyuJIT AVX-512F+CD+BW+DQ+VL+VBMI + .NET 9.0 : .NET 9.0.0 (9.0.24.47305), X64 RyuJIT AVX-512F+CD+BW+DQ+VL+VBMI + .NET Framework 4.8.1 : .NET Framework 4.8.1 (4.8.9277.0), X64 RyuJIT VectorSize=256 ---- diff --git a/rules/S6605/why-dotnet.adoc b/rules/S6605/why-dotnet.adoc index d6d8bfd5390..5b8e9c70cc7 100644 --- a/rules/S6605/why-dotnet.adoc +++ b/rules/S6605/why-dotnet.adoc @@ -2,6 +2,8 @@ Both the `List.Exists` method and `IEnumerable.Any` method can be used to find the first element that satisfies a predicate in a collection. However, `List.Exists` can be faster than `IEnumerable.Any` for `List` objects, as well as requires significantly less memory. For small collections, the performance difference may be negligible, but for large collections, it can be noticeable. The same applies to `ImmutableList` and arrays too. +It is important to enable this rule with caution, as performance outcomes can vary significantly across different runtimes. Notably, the https://devblogs.microsoft.com/dotnet/performance-improvements-in-net-9/#collections[performance improvements in .NET 9] have brought `Any` closer to the performance of collection-specific `Exists` methods in most scenarios. + *Applies to* * https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1.exists[List] From 419edfbf30e44d4c5b15b4b909c7c1e803dc3a1f Mon Sep 17 00:00:00 2001 
From: Mostafa Mohammed Date: Fri, 1 Nov 2024 15:59:56 +0100 Subject: [PATCH 42/61] Modify rule S1155: Adopt standard library method names Co-authored-by: Marco Borgeaud Co-authored-by: Michael Jabbour <117195239+michael-jabbour-sonarsource@users.noreply.github.com> --- rules/S1155/cfamily/metadata.json | 2 +- rules/S1155/cfamily/rule.adoc | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/S1155/cfamily/metadata.json b/rules/S1155/cfamily/metadata.json index 05c8ea280cc..c4cb248eb18 100644 --- a/rules/S1155/cfamily/metadata.json +++ b/rules/S1155/cfamily/metadata.json @@ -1,5 +1,5 @@ { - "title": "\"empty()\" or \"is_empty()\" should be used to test for emptiness", + "title": "\"empty()\" should be used to test for emptiness", "tags": [ "cppcoreguidelines", "clumsy" diff --git a/rules/S1155/cfamily/rule.adoc b/rules/S1155/cfamily/rule.adoc index 9f468ff8e02..19485b47e66 100644 --- a/rules/S1155/cfamily/rule.adoc +++ b/rules/S1155/cfamily/rule.adoc 
@@ -1,8 +1,8 @@
 == Why is this an issue?
-When you call `empty()` or `is_empty()`, it clearly communicates the code's intention, which is to check if the collection is empty. Using `size() == 0` for this purpose is less direct and makes the code slightly more complex.
+When you call `empty()`, it clearly communicates the code's intention, which is to check if the collection is empty. Using `size() == 0` for this purpose is less direct and makes the code slightly more complex.
-Moreover, depending on the implementation, the `size()`, `length()`, or `count()` methods can have a time complexity of `O(n)` where `n` is the number of elements in the collection. On the other hand, `empty()` and `is_empty()` simply check if there is at least one element in the collection, which is a constant time operation, `O(1)`.
+Moreover, in the standard library, depending on the implementation, the `size()` method can have a time complexity of `O(n)` where `n` is the number of elements in the collection. On the other hand, `empty()` simply checks if there is at least one element in the collection, which is a constant time operation, `O(1)`. Note that this rule also identifies similar method names in user-defined types, where the semantics and complexity may differ.
 [source,cpp,diff-id=1,diff-type=noncompliant]
 ----
@@ -13,7 +13,7 @@ void fun(const std::vector &myVector) {
 }
 ----
-Prefer using `empty()` or `is_empty()` to test for emptiness over `size()`, `length()`, or `count()`.
+Prefer using `empty()` or to test for emptiness over `size()`.
 [source,cpp,diff-id=1,diff-type=compliant]
 ----
@@ -38,7 +38,7 @@ ifdef::env-github,rspecator-view[]
 === Message
-Use empty() or is_empty() to check whether the container is empty or not.
+Use empty() to check whether the container is empty or not.
 '''
 == Comments And Links
From fd533682a373f4cedbdf150024a32f594780cb49 Mon Sep 17 00:00:00 2001
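Review bot: The rewritten sentence after the noncompliant example in the second hunk now reads "Prefer using `empty()` or to test for emptiness over `size()`." — the stray "or" is a leftover from the removed `is_empty()` alternative, so it should be "Prefer using `empty()` to test for emptiness over `size()`." The rationale in the first hunk keeps the claim that `size()` "can have a time complexity of `O(n)`" depending on the implementation; since C++11 the standard mandates constant-time `size()` for every standard container, so that sentence only describes pre-C++11 `std::list` and should either say so explicitly or be dropped, leaving readability and the new note about user-defined types as the justification.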
From: Sebastien Andrivet <138577785+sebastien-andrivet-sonarsource@users.noreply.github.com>
Date: Mon, 4 Nov 2024 13:24:06 +0100
Subject: [PATCH 43/61] Modify rule S5131: Fix dead link (#4461)
---
 rules/S5131/python/rule.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/S5131/python/rule.adoc b/rules/S5131/python/rule.adoc
index b812840c3b1..305f7b9f99f 100644
--- a/rules/S5131/python/rule.adoc
+++ b/rules/S5131/python/rule.adoc
@@ -24,8 +24,8 @@ include::../common/resources/docs.adoc[]
 * https://docs.djangoproject.com/en/4.0/ref/request-response/[Django Project, Request and response objects (Django 4.0)]
 * https://docs.djangoproject.com/en/4.0/ref/templates/builtins[Django, Built-in template tags and filters]
-* https://flask.palletsprojects.com/en/2.1.x/security/?highlight=xss#cross-site-scripting-xss[Flask, Security Considerations]
-* https://jinja.palletsprojects.com/en/3.0.x/templates/[The Pallets Projects, Jinja, Template Designer Documentation]
+* https://flask.palletsprojects.com/en/stable/web-security/?highlight=xss#cross-site-scripting-xss[Flask, Security Considerations]
+* https://jinja.palletsprojects.com/en/stable/templates/[The Pallets Projects, Jinja, Template Designer Documentation]
 include::../common/resources/articles.adoc[]
From 5b31725f8142a81c9ab63aa6470b42d7bdc2c1f1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 4 Nov 2024 17:13:23 +0100
Subject: [PATCH 44/61] Create rule S7137: RubyGems.org API keys should not be disclosed (APPSEC-1862) (#4464)
---
 rules/S7137/metadata.json | 2 ++
 rules/S7137/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7137/secrets/rule.adoc | 43 ++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 rules/S7137/metadata.json
 create mode 100644 rules/S7137/secrets/metadata.json
 create mode 100644 rules/S7137/secrets/rule.adoc
diff --git a/rules/S7137/metadata.json b/rules/S7137/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7137/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7137/secrets/metadata.json b/rules/S7137/secrets/metadata.json
new file mode 100644
index 00000000000..d08788e821f
--- /dev/null
+++ b/rules/S7137/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "RubyGems.org API keys should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7137",
+ "sqKey": "S7137",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7137/secrets/rule.adoc b/rules/S7137/secrets/rule.adoc
new file mode 100644
index 00000000000..7c25e69cf6f
--- /dev/null
+++ b/rules/S7137/secrets/rule.adoc
@@ -0,0 +1,43 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to a RubyGems.org API key, they might be able to gain access to any private package linked to this token.
+
+=== What is the potential impact?
+
+The exact impact of the compromise of an RubyGems.org API key varies depending on the permissions granted to this token. It can range from loss of sensitive data and source code to severe supply chain attacks.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: rubygems_cec9db9373ea171daaaa0bf2337edce187f09558cb19c1b2
+:example_name: rubygems.api-key
+:example_env: RUBYGEMS_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+=== Going the extra mile
+
+include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
+
+== Resources
+
+=== Documentation
+
+RubyGems.org - https://guides.rubygems.org/api-key-scopes/[API key scopes]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
From 0093e1be20201ac92c1589dbdc8e0918d51aa649 Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
Date: Mon, 4 Nov 2024 17:27:34 +0100
Subject: [PATCH 45/61] Modify rule S6096: Update resources (#4467)
---
 rules/S6096/common/resources/articles.adoc | 3 +++
 rules/S6096/common/resources/docs.adoc | 3 ---
 rules/S6096/csharp/rule.adoc | 2 +-
 rules/S6096/java/rule.adoc | 2 +-
 rules/S6096/javascript/rule.adoc | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
 create mode 100644 rules/S6096/common/resources/articles.adoc
 delete mode 100644 rules/S6096/common/resources/docs.adoc
diff --git a/rules/S6096/common/resources/articles.adoc b/rules/S6096/common/resources/articles.adoc
new file mode 100644
index 00000000000..f0800c027f3
--- /dev/null
+++ b/rules/S6096/common/resources/articles.adoc
@@ -0,0 +1,3 @@
+=== Articles & blog posts
+
+* Sonar Blog - https://www.sonarsource.com/blog/openrefine-zip-slip/[Unzipping Dangers: OpenRefine Zip Slip Vulnerability]
diff --git a/rules/S6096/common/resources/docs.adoc b/rules/S6096/common/resources/docs.adoc
deleted file mode 100644
index 5413a68a9f6..00000000000
--- a/rules/S6096/common/resources/docs.adoc
+++ /dev/null
@@ -1,3 +0,0 @@
-=== Documentation
-
-* https://snyk.io/research/zip-slip-vulnerability[snyk] - Zip Slip Vulnerability
diff --git a/rules/S6096/csharp/rule.adoc b/rules/S6096/csharp/rule.adoc
index 9a5e5567462..b49e2a8454d 100644
--- a/rules/S6096/csharp/rule.adoc
+++ b/rules/S6096/csharp/rule.adoc
@@ -10,7 +10,7 @@ include::how-to-fix-it/dotnet.adoc[]
 == Resources
-include::../common/resources/docs.adoc[]
+include::../common/resources/articles.adoc[]
 include::../common/resources/standards.adoc[]
diff --git a/rules/S6096/java/rule.adoc b/rules/S6096/java/rule.adoc
index 4970cfc106d..5a96d91ce5f 100644
--- a/rules/S6096/java/rule.adoc
+++ b/rules/S6096/java/rule.adoc
@@ -8,7 +8,7 @@ include::how-to-fix-it/java-se.adoc[]
 == Resources
-include::../common/resources/docs.adoc[]
+include::../common/resources/articles.adoc[]
 include::../common/resources/standards.adoc[]
diff --git a/rules/S6096/javascript/rule.adoc b/rules/S6096/javascript/rule.adoc
index dae77c4fd66..85116f736c1 100644
--- a/rules/S6096/javascript/rule.adoc
+++ b/rules/S6096/javascript/rule.adoc
@@ -11,7 +11,7 @@ include::how-to-fix-it/nodejs.adoc[]
 == Resources
-include::../common/resources/docs.adoc[]
+include::../common/resources/articles.adoc[]
 include::../common/resources/standards.adoc[]
From 4c937f7f7dfa1238804c10f02c318498c8bc405d Mon Sep 17 00:00:00 2001
From: SonarTech
Date: Tue, 5 Nov 2024 02:43:04 +0000
Subject: [PATCH 46/61] update coverage information
---
 frontend/public/covered_rules.json | 199 ++++++++++++++++++++---
 1 file changed, 137 insertions(+), 62 deletions(-)
diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json
index 80b6af2f292..4acaaf7a254 100644
--- a/frontend/public/covered_rules.json
+++ b/frontend/public/covered_rules.json
@@ -5478,96 +5478,171 @@ "S6292": "sonar-secrets 1.1.0.36766", "S6334": "sonar-secrets 1.1.0.36766", "S6335": "sonar-secrets 1.1.0.36766", - "S6336": "sonar-secrets 1.1.0.36766", - "S6337": "sonar-secrets 1.1.0.36766", + "S6336": { + "since": "sonar-secrets 1.1.0.36766", + "until": "sonar-text 2.5.0.2293" + }, + "S6337": { + "since": "sonar-secrets 1.1.0.36766", + "until": "sonar-text 2.5.0.2293" + }, "S6338": "sonar-secrets 1.1.0.36766", "S6652": { "since": "sonar-text 2.2.0.1571", "until": "sonar-text 2.2.0.1571" }, "S6684": "sonar-text 2.3.0.1632", - "S6686": "sonar-text 2.3.0.1632", + "S6686": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, "S6687": "sonar-text 2.3.0.1632", - "S6688": "sonar-text 2.3.0.1632", + "S6688": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, "S6689": "sonar-text 2.3.0.1632", "S6690": "sonar-text 2.3.0.1632", - "S6691": "sonar-text 2.3.0.1632", - "S6692": "sonar-text 2.3.0.1632", + "S6691": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, + "S6692": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, "S6693": "sonar-text 2.3.0.1632", "S6694": "sonar-text 2.3.0.1632", - "S6695": "sonar-text 2.3.0.1632", - "S6696": "sonar-text 2.3.0.1632", + "S6695": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, + "S6696": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, "S6697": "sonar-text 2.3.0.1632", "S6698": "sonar-text 2.3.0.1632", - "S6699": "sonar-text 2.3.0.1632", - "S6700": "sonar-text 2.3.0.1632", + "S6699": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, + "S6700": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, "S6701": "sonar-text 2.3.0.1632", "S6702": "sonar-text 2.3.0.1632", "S6703": "sonar-text 2.3.0.1632", - "S6704": "sonar-text 2.3.0.1632", - "S6705": "sonar-text 2.3.0.1632", + "S6704": { + "since": 
"sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, + "S6705": { + "since": "sonar-text 2.3.0.1632", + "until": "sonar-text 2.5.0.2293" + }, "S6706": "sonar-text 2.3.0.1632", "S6708": "sonar-text 2.4.0.2120", - "S6710": "sonar-text 2.4.0.2120", - "S6713": "sonar-text 2.4.0.2120", - "S6717": "sonar-text 2.4.0.2120", - "S6718": "sonar-text 2.4.0.2120", - "S6719": "sonar-text 2.4.0.2120", - "S6720": "sonar-text 2.4.0.2120", - "S6721": "sonar-text 2.4.0.2120", - "S6722": "sonar-text 2.4.0.2120", - "S6723": "sonar-text 2.4.0.2120", - "S6731": "sonar-text 2.4.0.2120", - "S6732": "sonar-text 2.4.0.2120", - "S6733": "sonar-text 2.4.0.2120", - "S6736": "sonar-text 2.4.0.2120", + "S6710": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6713": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6717": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6718": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6719": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6720": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6721": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6722": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6723": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6731": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6732": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6733": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6736": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, "S6739": "sonar-text 2.4.0.2120", "S6751": "sonar-text 2.4.0.2120", "S6752": "sonar-text 2.4.0.2120", - "S6753": "sonar-text 2.4.0.2120", - "S6755": 
"sonar-text 2.4.0.2120", + "S6753": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6755": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, "S6758": "sonar-text 2.4.0.2120", - "S6760": "sonar-text 2.4.0.2120", + "S6760": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, "S6762": "sonar-text 2.4.0.2120", - "S6764": "sonar-text 2.4.0.2120", - "S6765": "sonar-text 2.4.0.2120", - "S6768": "sonar-text 2.4.0.2120", - "S6769": "sonar-text 2.4.0.2120", + "S6764": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6765": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6768": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6769": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, "S6771": "sonar-text 2.4.0.2120", - "S6773": "sonar-text 2.4.0.2120", - "S6777": "sonar-text 2.4.0.2120", + "S6773": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, + "S6777": { + "since": "sonar-text 2.4.0.2120", + "until": "sonar-text 2.5.0.2293" + }, "S6782": "sonar-text 2.4.0.2120", "S6783": "sonar-text 2.4.0.2120", - "S6910": "sonar-text master", "S6987": "sonar-secrets 1.1.0.36766", - "S6988": "sonar-text master", - "S6989": "sonar-text master", - "S6990": "sonar-text master", - "S6992": "sonar-text master", - "S6993": "sonar-text master", "S6995": "sonar-text master", - "S6997": "sonar-text master", - "S6998": "sonar-text master", - "S6999": "sonar-text master", - "S7000": "sonar-text master", - "S7001": "sonar-text master", - "S7002": "sonar-text master", - "S7003": "sonar-text master", - "S7004": "sonar-text master", - "S7006": "sonar-text master", - "S7007": "sonar-text master", - "S7008": "sonar-text master", - "S7009": "sonar-text master", - "S7010": "sonar-text master", - "S7011": "sonar-text master", - "S7013": "sonar-text master", - "S7014": 
"sonar-text master", - "S7015": "sonar-text master", - "S7016": "sonar-text master", - "S7017": "sonar-text master", - "S7022": "sonar-text master", - "S7024": "sonar-text master", - "S7025": "sonar-text master" + "S7013": "sonar-text master" }, "SWIFT": { "S100": "sonar-swift 3.1.0.2067", From 91873ea473bd5ae1afed064cd4b5b39b325658af Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 10:10:57 +0000 Subject: [PATCH 47/61] Create rule S7136: Clojars deploy tokens should not be disclosed (#4463) --- rules/S7136/metadata.json | 2 ++ rules/S7136/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7136/secrets/rule.adoc | 41 ++++++++++++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 rules/S7136/metadata.json create mode 100644 rules/S7136/secrets/metadata.json create mode 100644 rules/S7136/secrets/rule.adoc diff --git a/rules/S7136/metadata.json b/rules/S7136/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7136/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7136/secrets/metadata.json b/rules/S7136/secrets/metadata.json new file mode 100644 index 00000000000..14702d55d3b --- /dev/null +++ b/rules/S7136/secrets/metadata.json 
@@ -0,0 +1,56 @@
+{
+ "title": "Clojars deploy tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7136",
+ "sqKey": "S7136",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7136/secrets/rule.adoc b/rules/S7136/secrets/rule.adoc
new file mode 100644
index 00000000000..7118363f0b3
--- /dev/null
+++ b/rules/S7136/secrets/rule.adoc
@@ -0,0 +1,41 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: CLOJARS_76c6def45d9b5c7f4a8cc85dff710bb89f0f9dde1b286b53c62be3f16551
+:example_name: clojars-token
+:example_env: CLOJARS_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
From 2a2c8c536b54ea00a3318c6c52db1f4df7cc64ea Mon Sep 17 00:00:00 2001
From: Gregory Paidis <115458417+gregory-paidis-sonarsource@users.noreply.github.com>
Date: Tue, 5 Nov 2024 15:05:44 +0100
Subject: [PATCH 48/61] S2068: Update description for C# (#4473)
---
 rules/S2068/csharp/rule.adoc | 2 +-
 rules/S2068/vbnet/rule.adoc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/S2068/csharp/rule.adoc b/rules/S2068/csharp/rule.adoc
index 5fd79efe18c..38edc455521 100644
--- a/rules/S2068/csharp/rule.adoc
+++ b/rules/S2068/csharp/rule.adoc
@@ -1,4 +1,4 @@
-include::../description.adoc[]
+include::../description-no-recommend.adoc[]
 include::../ask-yourself.adoc[]
diff --git a/rules/S2068/vbnet/rule.adoc b/rules/S2068/vbnet/rule.adoc
index 5a6922a9dcc..905e9c6408d 100644
--- a/rules/S2068/vbnet/rule.adoc
+++ b/rules/S2068/vbnet/rule.adoc
@@ -1,4 +1,4 @@
-include::../description.adoc[]
+include::../description-no-recommend.adoc[]
 include::../ask-yourself.adoc[]
From 47956ba750a1da4d3899ab949f0648ef09ecd573 Mon Sep 17 00:00:00 2001
From: "erwan.serandour"
Date: Thu, 31 Oct 2024 16:24:31 +0100
Subject: [PATCH 49/61] allow INFO and BLOCKER for CCT rule quality severity to support Multi-Quality Rule mode
---
 docs/metadata.adoc | 2 +-
 .../rspec_tools/validation/rule-metadata-schema.json | 6 +++---
 rspec-tools/tests/validation/test_metadata_validation.py | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/metadata.adoc b/docs/metadata.adoc
index a34fcd15c86..7d175bcb4a0 100644
--- a/docs/metadata.adoc
+++ b/docs/metadata.adoc
@@ -40,6 +40,6 @@ You can update the quickfix field using this GitHub Workflow: https://github.com
 The code field is an object that contains information related to the clean code taxonomy. It is an object with two required properties:
-* `impacts`: A nested object that is treated as a mapping from a software quality to a level (`"LOW"`, `"MEDIUM"` or `"HIGH"`). Note that at least one software quality has to be specified. The current list of allowed software qualities is `"MAINTAINABILITY"`, `"RELIABILITY"` and `"SECURITY"`.
+* `impacts`: A nested object that is treated as a mapping from a software quality to a level (`"INFO"`, `"LOW"`, `"MEDIUM"`, `"HIGH"` or `"BLOCKER"`). Note that at least one software quality has to be specified. The current list of allowed software qualities is `"MAINTAINABILITY"`, `"RELIABILITY"` and `"SECURITY"`.
 * `attribute`: A single clean code attribute that the rule aims to achieve. This has to be one of the following values: `"FORMATTED"`, `"CONVENTIONAL"`, `"IDENTIFIABLE"`, `"CLEAR"`, `"LOGICAL"`, `"COMPLETE"`, `"EFFICIENT"`, `"FOCUSED"`, `"DISTINCT"`, `"MODULAR"`, `"TESTED"`, `"LAWFUL"`, `"TRUSTWORTHY"`, `"RESPECTFUL"`.
diff --git a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
index 212818f5c77..18fceff5ee8 100644
--- a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
+++ b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
@@ -267,15 +267,15 @@
 "properties": {
 "MAINTAINABILITY": {
 "type": "string",
- "enum": ["LOW", "MEDIUM", "HIGH"]
+ "enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]
 },
 "RELIABILITY": {
 "type": "string",
- "enum": ["LOW", "MEDIUM", "HIGH"]
+ "enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]
 },
 "SECURITY": {
 "type": "string",
- "enum": ["LOW", "MEDIUM", "HIGH"]
+ "enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]
 }
 }
 },
diff --git a/rspec-tools/tests/validation/test_metadata_validation.py b/rspec-tools/tests/validation/test_metadata_validation.py
index 87d25427d5a..e525b39d677 100644
--- a/rspec-tools/tests/validation/test_metadata_validation.py
+++ b/rspec-tools/tests/validation/test_metadata_validation.py
@@ -82,7 +82,7 @@ def test_rule_with_invalid_impacts(invalid_rules: RulesRepository):
 def test_rule_with_invalid_impact_level(invalid_rules: RulesRepository):
 s506 = invalid_rules.get_rule('S506')
- with pytest.raises(RuleValidationError, match=re.escape("Rule S506 failed validation for these reasons:\n - Rule scala:S506 has invalid metadata in MAINTAINABILITY: 'INVALID' is not one of ['LOW', 'MEDIUM', 'HIGH']")):
+ with pytest.raises(RuleValidationError, match=re.escape("Rule S506 failed validation for these reasons:\n - Rule scala:S506 has invalid metadata in MAINTAINABILITY: 'INVALID' is not one of ['INFO', 'LOW', 'MEDIUM', 'HIGH', 'BLOCKER']")):
 validate_rule_metadata(s506)
From 1b03c3fe9165169e0375f810bf337e7bb2476c68 Mon Sep 17 00:00:00 2001
From: Fred Tingaud Date: Tue, 5 Nov 2024 11:17:42 +0100 Subject: [PATCH 50/61] Automatically migrate all rules where defaultSeverity and MQR are in agreement Not migrated because of multiple qualities: {'common': ['S1523', 'S2077', 'S6821', 'S6967'], 'xml': ['S3281', 'S3355'], 'cfamily': ['S5782', 'S6991', 'S7012', 'S7038', 'S7042'], 'python': ['S6709', 'S6714', 'S6727', 'S6729', 'S6734', 'S6740', 'S6741', 'S6882', 'S6883', 'S6887', 'S6890', 'S6894', 'S6900', 'S6903', 'S6919', 'S6925', 'S6928', 'S6929', 'S6971', 'S6973', 'S6974', 'S6982'], 'javascript': ['S6746', 'S6747', 'S6748', 'S6750', 'S6756', 'S6757', 'S6761', 'S6763', 'S6766', 'S6772', 'S6774', 'S6788', 'S6789', 'S6790', 'S6791', 'S6859', 'S6861', 'S7059', 'S7060'], 'java': ['S6804', 'S6806', 'S6813', 'S6818', 'S6829', 'S6831'], 'kubernetes': ['S6865', 'S6869', 'S6870', 'S6873', 'S6892', 'S6897', 'S6907'], 'csharp': ['S6932'], 'docker': ['S7018', 'S7019', 'S7023', 'S7029', 'S7030']} Not migrated because of a contradiction between quality and severity, please migrate manually: {'javascript': ['S1441', 'S2310', 'S3523', 'S5254', 'S6661', 'S6666', 'S6671', 'S6676', 'S6679', 'S6749', 'S6754', 'S6759', 'S6767', 'S6770', 'S6775', 'S6836', 'S6849'], 'common': ['S3723', 'S6620', 'S6667', 'S6668', 'S6669', 'S6670', 'S6672', 'S6674', 'S6675', 'S6776', 'S6930', 'S6931', 'S6934', 'S6960', 'S6964'], 'java': ['S6485', 'S6809', 'S6814', 'S6816', 'S6817', 'S6830', 'S6837', 'S6857', 'S6863', 'S6876', 'S6877', 'S6878', 'S6881', 'S6889', 'S6891', 'S6898', 'S6904', 'S6905', 'S6909', 'S6912', 'S6914', 'S6923', 'S6926', 'S7027'], 'kotlin': ['S6524', 'S6527', 'S6528'], 'python': ['S6660'], 'csharp': ['S6798', 'S6800', 'S6968'], 'cfamily': ['S6936', 'S6996', 'S7032', 'S7040'], 'docker': ['S7020', 'S7021', 'S7026', 'S7031']} Migrated: {'cfamily': ['S1032', 'S1036', 'S1232', 'S1760', 'S1912', 'S1914', 'S2806', 'S3491', 'S3519', 'S3520', 'S3529', 'S3584', 'S3588', 'S3590', 'S3654', 'S3657', 'S3692', 'S3729', 'S3936', 'S4997', 'S4999', 
'S5000', 'S5018', 'S5020', 'S5184', 'S5267', 'S5302', 'S5404', 'S5417', 'S5486', 'S5487', 'S5489', 'S5502', 'S5553', 'S5639', 'S5798', 'S5912', 'S5999', 'S6025', 'S6223', 'S6427', 'S6493', 'S6655', 'S797', 'S798', 'S912', 'S916', 'S946', 'S961', 'S963', 'S969', 'S978', 'S998'], 'csharp': ['S1048', 'S2306', 'S3237', 'S6422', 'S6424'], 'vbnet': ['S1048'], 'plsql': ['S1058', 'S1074', 'S4577'], 'common': ['S1069', 'S1139', 'S1147', 'S1219', 'S128', 'S1309', 'S1314', 'S1451', 'S1493', 'S1527', 'S1590', 'S1614', 'S1669', 'S1845', 'S1909', 'S2007', 'S2068', 'S2095', 'S2096', 'S2178', 'S2187', 'S2189', 'S2190', 'S2275', 'S2368', 'S2387', 'S2437', 'S2689', 'S2695', 'S2699', 'S2857', 'S2930', 'S2931', 'S2953', 'S2970', 'S3046', 'S3060', 'S3360', 'S3427', 'S3433', 'S3443', 'S3464', 'S3516', 'S3618', 'S3827', 'S3862', 'S3869', 'S3875', 'S3877', 'S3884', 'S3889', 'S3931', 'S4159', 'S4462', 'S5496', 'S5632', 'S5708', 'S6265', 'S6270', 'S6302', 'S6304', 'S6329', 'S6333', 'S6373', 'S6418', 'S6472', 'S6781', 'S6839', 'S999'], 'java': ['S1190', 'S2168', 'S2188', 'S2229', 'S2236', 'S2276', 'S2693', 'S2975', 'S3014', 'S3546', 'S3753', 'S4602', 'S5786', 'S5793', 'S5979', 'S6208', 'S6212', 'S6539', 'S6541', 'S6548', 'S923'], 'pli': ['S131'], 'flex': ['S1446', 'S1466', 'S1468', 'S1469'], 'abap': ['S1496', 'S1508', 'S5117'], 'javascript': ['S1526', 'S2703', 'S2817', 'S3796', 'S6268', 'S6299'], 'php': ['S1599', 'S1799', 'S2014', 'S3333', 'S3334', 'S3336', 'S3337', 'S5335', 'S5911'], 'vb6': ['S1657'], 'cobol': ['S1967', 'S1969', 'S3481', 'S3938'], 'python': ['S2316', 'S2317', 'S2711', 'S2712', 'S2823', 'S2876', 'S3403', 'S5549', 'S5607', 'S5633', 'S5642', 'S5644', 'S5714', 'S5719', 'S5722', 'S5724', 'S5756', 'S5807', 'S5828', 'S5905', 'S5953', 'S6725', 'S6779', 'S930'], 'xml': ['S3282', 'S3374'], 'css': ['S4650', 'S4653', 'S4654', 'S4668'], 'apex': ['S5376', 'S5377', 'S5379', 'S5382', 'S5389'], 'secrets': ['S6292', 'S6334', 'S6335', 'S6336', 'S6337', 'S6338', 'S6652', 'S6684', 'S6686', 
'S6687', 'S6688', 'S6689', 'S6690', 'S6691', 'S6692', 'S6693', 'S6694', 'S6695', 'S6696', 'S6697', 'S6698', 'S6699', 'S6700', 'S6701', 'S6702', 'S6703', 'S6704', 'S6705', 'S6706', 'S6708', 'S6710', 'S6713', 'S6717', 'S6718', 'S6719', 'S6720', 'S6721', 'S6722', 'S6723', 'S6731', 'S6732', 'S6733', 'S6736', 'S6739', 'S6751', 'S6752', 'S6753', 'S6755', 'S6758', 'S6760', 'S6762', 'S6764', 'S6765', 'S6768', 'S6769', 'S6771', 'S6773', 'S6777', 'S6782', 'S6783', 'S6910', 'S6987', 'S6988', 'S6989', 'S6990', 'S6992', 'S6993', 'S6995', 'S6997', 'S6998', 'S6999', 'S7000', 'S7001', 'S7002', 'S7003', 'S7004', 'S7006', 'S7007', 'S7008', 'S7009', 'S7010', 'S7011', 'S7013', 'S7014', 'S7015', 'S7016', 'S7017', 'S7022', 'S7024', 'S7025']} Already good: {'cfamily': ['S1000', 'S1001', 'S1002', 'S1003', 'S1006', 'S1011', 'S1013', 'S1016', 'S1017', 'S1035', 'S1039', 'S1042', 'S1044', 'S1046', 'S1051', 'S1052', 'S1055', 'S1079', 'S1081', 'S1198', 'S1231', 'S1235', 'S1236', 'S1242', 'S1259', 'S1265', 'S1271', 'S1705', 'S1706', 'S1708', 'S1709', 'S1712', 'S1749', 'S1750', 'S1761', 'S1762', 'S1767', 'S1768', 'S1771', 'S1773', 'S1831', 'S1836', 'S1878', 'S1911', 'S1913', 'S1915', 'S1916', 'S1917', 'S1986', 'S2107', 'S2216', 'S2303', 'S2305', 'S2323', 'S2324', 'S2393', 'S2665', 'S2668', 'S2753', 'S2754', 'S2807', 'S2808', 'S2813', 'S2815', 'S3135', 'S3229', 'S3230', 'S3231', 'S3432', 'S3468', 'S3469', 'S3470', 'S3471', 'S3485', 'S3486', 'S3490', 'S3522', 'S3539', 'S3540', 'S3541', 'S3542', 'S3548', 'S3549', 'S3574', 'S3576', 'S3608', 'S3609', 'S3624', 'S3628', 'S3636', 'S3642', 'S3646', 'S3656', 'S3659', 'S3685', 'S3687', 'S3691', 'S3698', 'S3708', 'S3715', 'S3719', 'S3726', 'S3728', 'S3730', 'S3731', 'S3732', 'S3743', 'S3744', 'S3805', 'S3806', 'S3807', 'S3935', 'S4263', 'S4334', 'S4962', 'S4963', 'S4998', 'S5008', 'S5019', 'S5025', 'S5028', 'S5180', 'S5205', 'S5213', 'S5259', 'S5262', 'S5263', 'S5265', 'S5266', 'S5269', 'S5270', 'S5271', 'S5272', 'S5273', 'S5274', 'S5275', 'S5276', 'S5277', 
'S5278', 'S5279', 'S5280', 'S5281', 'S5283', 'S5293', 'S5297', 'S5298', 'S5303', 'S5305', 'S5306', 'S5307', 'S5308', 'S5309', 'S5311', 'S5312', 'S5313', 'S5314', 'S5316', 'S5318', 'S5319', 'S5350', 'S5356', 'S5357', 'S5358', 'S5381', 'S5408', 'S5409', 'S5414', 'S5415', 'S5419', 'S5421', 'S5422', 'S5425', 'S5485', 'S5488', 'S5491', 'S5494', 'S5495', 'S5500', 'S5501', 'S5506', 'S5507', 'S5523', 'S5524', 'S5536', 'S5566', 'S5570', 'S5658', 'S5801', 'S5812', 'S5813', 'S5814', 'S5815', 'S5816', 'S5817', 'S5820', 'S5824', 'S5825', 'S5827', 'S5832', 'S5945', 'S5946', 'S5950', 'S5951', 'S5952', 'S5954', 'S5955', 'S5962', 'S5964', 'S5965', 'S5966', 'S5972', 'S5978', 'S5981', 'S5982', 'S5995', 'S5997', 'S6000', 'S6003', 'S6004', 'S6005', 'S6006', 'S6007', 'S6008', 'S6009', 'S6010', 'S6011', 'S6012', 'S6013', 'S6015', 'S6016', 'S6017', 'S6018', 'S6020', 'S6021', 'S6022', 'S6023', 'S6024', 'S6026', 'S6029', 'S6030', 'S6031', 'S6032', 'S6033', 'S6045', 'S6069', 'S6147', 'S6164', 'S6165', 'S6166', 'S6168', 'S6169', 'S6171', 'S6172', 'S6177', 'S6178', 'S6179', 'S6180', 'S6181', 'S6183', 'S6184', 'S6185', 'S6186', 'S6187', 'S6188', 'S6189', 'S6190', 'S6191', 'S6192', 'S6193', 'S6195', 'S6197', 'S6200', 'S6214', 'S6221', 'S6222', 'S6225', 'S6226', 'S6228', 'S6229', 'S6230', 'S6231', 'S6232', 'S6234', 'S6236', 'S6352', 'S6365', 'S6366', 'S6367', 'S6369', 'S6372', 'S6391', 'S6456', 'S6458', 'S6459', 'S6460', 'S6461', 'S6462', 'S6482', 'S6483', 'S6484', 'S6487', 'S6488', 'S6489', 'S6490', 'S6491', 'S6492', 'S6494', 'S6495', 'S6621', 'S6636', 'S6871', 'S6872', 'S6994', 'S7033', 'S7034', 'S7035', 'S784', 'S793', 'S796', 'S799', 'S810', 'S811', 'S812', 'S813', 'S814', 'S817', 'S819', 'S824', 'S831', 'S833', 'S834', 'S835', 'S841', 'S845', 'S851', 'S853', 'S854', 'S855', 'S856', 'S859', 'S860', 'S868', 'S871', 'S872', 'S873', 'S874', 'S876', 'S877', 'S883', 'S886', 'S890', 'S892', 'S897', 'S919', 'S920', 'S922', 'S924', 'S926', 'S929', 'S936', 'S943', 'S945', 'S950', 'S953', 'S954', 
'S955', 'S956', 'S958', 'S959', 'S960', 'S966', 'S967', 'S968', 'S977', 'S982', 'S984', 'S985', 'S986', 'S987', 'S988', 'S989', 'S990', 'S991', 'S994', 'S995'], 'common': ['S1005', 'S1006', 'S103', 'S104', 'S1041', 'S1045', 'S1048', 'S105', 'S1066', 'S1067', 'S1075', 'S1077', 'S108', 'S109', 'S110', 'S1103', 'S1104', 'S1105', 'S1106', 'S1107', 'S1108', 'S1109', 'S1110', 'S1117', 'S1119', 'S112', 'S1120', 'S1121', 'S1124', 'S1125', 'S1126', 'S1131', 'S1138', 'S114', 'S1141', 'S1142', 'S1144', 'S1151', 'S116', 'S1163', 'S1166', 'S1168', 'S117', 'S1170', 'S1176', 'S1181', 'S1188', 'S119', 'S1197', 'S1199', 'S1200', 'S1210', 'S1213', 'S1215', 'S1223', 'S1226', 'S1227', 'S1238', 'S124', 'S1244', 'S125', 'S1258', 'S126', 'S1264', 'S127', 'S1270', 'S1291', 'S1301', 'S131', 'S1312', 'S1313', 'S1321', 'S133', 'S134', 'S135', 'S138', 'S139', 'S140', 'S1438', 'S1439', 'S1440', 'S1444', 'S1448', 'S1449', 'S1450', 'S1472', 'S1479', 'S1488', 'S1492', 'S1498', 'S1499', 'S1515', 'S1516', 'S1536', 'S1537', 'S1542', 'S1543', 'S1545', 'S1546', 'S1548', 'S1573', 'S1583', 'S1601', 'S1607', 'S1615', 'S1619', 'S1631', 'S1639', 'S1642', 'S1643', 'S1645', 'S1654', 'S1656', 'S1659', 'S1694', 'S1695', 'S1696', 'S1698', 'S1699', 'S1700', 'S1707', 'S1735', 'S1737', 'S1738', 'S1739', 'S1741', 'S1742', 'S1745', 'S1751', 'S1763', 'S1764', 'S1772', 'S1774', 'S1784', 'S1788', 'S1820', 'S1821', 'S1848', 'S1858', 'S1862', 'S1872', 'S1899', 'S1905', 'S1939', 'S1940', 'S1941', 'S1944', 'S1952', 'S1990', 'S1994', 'S1996', 'S2004', 'S2005', 'S2011', 'S2024', 'S2039', 'S2042', 'S2047', 'S2092', 'S2094', 'S2097', 'S2108', 'S2114', 'S2122', 'S2123', 'S2139', 'S2145', 'S2147', 'S2148', 'S2151', 'S2156', 'S2164', 'S2166', 'S2177', 'S2183', 'S2184', 'S2193', 'S2197', 'S2198', 'S2201', 'S2208', 'S2209', 'S2219', 'S2221', 'S2222', 'S2223', 'S2225', 'S2228', 'S2234', 'S2245', 'S2250', 'S2251', 'S2252', 'S2253', 'S2257', 'S2259', 'S2301', 'S2302', 'S2304', 'S2309', 'S2321', 'S2325', 'S2326', 'S2327', 'S2333', 
'S2335', 'S2339', 'S2340', 'S2342', 'S2343', 'S2344', 'S2345', 'S2346', 'S2357', 'S2360', 'S2365', 'S2372', 'S2373', 'S2376', 'S2384', 'S2386', 'S2429', 'S2436', 'S2440', 'S2445', 'S2479', 'S2490', 'S2523', 'S2527', 'S2551', 'S2583', 'S2589', 'S2629', 'S2637', 'S2638', 'S2639', 'S2658', 'S2674', 'S2688', 'S2692', 'S2701', 'S2738', 'S2760', 'S2814', 'S2830', 'S2925', 'S2951', 'S2955', 'S2959', 'S2966', 'S2997', 'S3010', 'S3011', 'S3038', 'S3047', 'S3052', 'S3059', 'S3063', 'S3065', 'S3087', 'S3215', 'S3218', 'S3222', 'S3235', 'S3236', 'S3241', 'S3242', 'S3244', 'S3249', 'S3252', 'S3254', 'S3261', 'S3263', 'S3317', 'S3330', 'S3346', 'S3353', 'S3363', 'S3366', 'S3376', 'S3397', 'S3398', 'S3400', 'S3403', 'S3414', 'S3415', 'S3416', 'S3431', 'S3440', 'S3449', 'S3453', 'S3457', 'S3458', 'S3466', 'S3518', 'S3543', 'S3577', 'S3598', 'S3603', 'S3604', 'S3626', 'S3630', 'S3633', 'S3641', 'S3643', 'S3650', 'S3651', 'S3655', 'S3696', 'S3699', 'S3717', 'S3752', 'S3801', 'S3830', 'S3871', 'S3872', 'S3874', 'S3878', 'S3887', 'S3890', 'S3898', 'S3900', 'S3902', 'S3903', 'S3904', 'S3906', 'S3908', 'S3921', 'S3925', 'S3926', 'S3927', 'S3937', 'S3958', 'S3966', 'S3972', 'S3973', 'S3981', 'S3984', 'S3985', 'S3990', 'S3992', 'S3993', 'S3994', 'S3995', 'S3996', 'S3997', 'S3998', 'S4004', 'S4005', 'S4015', 'S4018', 'S4022', 'S4023', 'S4025', 'S4026', 'S4030', 'S4036', 'S4040', 'S4054', 'S4060', 'S4109', 'S4136', 'S4143', 'S4144', 'S4158', 'S4165', 'S4188', 'S4196', 'S4200', 'S4201', 'S4210', 'S4220', 'S4225', 'S4260', 'S4274', 'S4275', 'S4277', 'S4413', 'S4428', 'S4456', 'S4457', 'S4487', 'S4502', 'S4507', 'S4508', 'S4524', 'S4545', 'S4581', 'S4583', 'S4586', 'S4635', 'S4639', 'S4721', 'S4738', 'S4787', 'S4790', 'S4792', 'S4797', 'S4801', 'S4828', 'S4970', 'S5034', 'S5042', 'S5122', 'S5141', 'S5148', 'S5245', 'S5247', 'S5256', 'S5257', 'S5260', 'S5261', 'S5264', 'S5320', 'S5322', 'S5324', 'S5359', 'S5361', 'S5443', 'S5603', 'S5604', 'S5679', 'S5689', 'S5691', 'S5693', 'S5713', 'S5725', 
'S5728', 'S5730', 'S5732', 'S5734', 'S5736', 'S5739', 'S5742', 'S5743', 'S5753', 'S5757', 'S5759', 'S5766', 'S5770', 'S5779', 'S5780', 'S5781', 'S5783', 'S5785', 'S5797', 'S5802', 'S5804', 'S5842', 'S5843', 'S5845', 'S5846', 'S5850', 'S5852', 'S5855', 'S5857', 'S5860', 'S5863', 'S5867', 'S5868', 'S5869', 'S5915', 'S5939', 'S5958', 'S5994', 'S5996', 'S6001', 'S6002', 'S6019', 'S6035', 'S6112', 'S6145', 'S6146', 'S6194', 'S6202', 'S6203', 'S6218', 'S6245', 'S6249', 'S6252', 'S6258', 'S6273', 'S6275', 'S6281', 'S6288', 'S6291', 'S6293', 'S6300', 'S6303', 'S6308', 'S6319', 'S6323', 'S6326', 'S6327', 'S6328', 'S6330', 'S6331', 'S6332', 'S6350', 'S6353', 'S6354', 'S6359', 'S6362', 'S6363', 'S6364', 'S6374', 'S6375', 'S6376', 'S6378', 'S6379', 'S6380', 'S6381', 'S6383', 'S6387', 'S6388', 'S6395', 'S6396', 'S6397', 'S6401', 'S6402', 'S6403', 'S6405', 'S6407', 'S6412', 'S6413', 'S6414', 'S6417', 'S6444', 'S6463', 'S6469', 'S6470', 'S6471', 'S6474', 'S6500', 'S6502', 'S6504', 'S6506', 'S6507', 'S6513', 'S6561', 'S6562', 'S6563', 'S6566', 'S6575', 'S6580', 'S6585', 'S6588', 'S6602', 'S6603', 'S6605', 'S6607', 'S6608', 'S6609', 'S6610', 'S6612', 'S6613', 'S6617', 'S6618', 'S6656', 'S6664', 'S6673', 'S6677', 'S6678', 'S6958', 'S6966', 'S787', 'S818', 'S820', 'S864', 'S867', 'S878', 'S881', 'S888', 'S899', 'S905', 'S907', 'S909', 'S923', 'S925', 'S930', 'S935', 'S979', 'S997'], 'plsql': ['S1056', 'S1057', 'S1059', 'S1070', 'S1071', 'S141', 'S1478', 'S1703', 'S2221', 'S2491', 'S2492', 'S2517', 'S2519', 'S2520', 'S2538', 'S3874', 'S4062', 'S4081', 'S4421', 'S4575', 'S4576', 'S4584', 'S5047', 'S6467'], 'html': ['S1082', 'S1083', 'S1297', 'S1298', 'S1436', 'S1456', 'S1457', 'S1458', 'S1827', 'S4084', 'S4645', 'S5254', 'S5255', 'S5258'], 'javascript': ['S1082', 'S1090', 'S1528', 'S1529', 'S1530', 'S1533', 'S1534', 'S1535', 'S1539', 'S2137', 'S2138', 'S2392', 'S2424', 'S2427', 'S2428', 'S2430', 'S2685', 'S2692', 'S2713', 'S2870', 'S2871', 'S2990', 'S2999', 'S3001', 'S3003', 'S3402', 
'S3498', 'S3499', 'S3500', 'S3504', 'S3513', 'S3514', 'S3524', 'S3525', 'S3531', 'S3533', 'S3579', 'S3616', 'S3686', 'S3735', 'S3757', 'S3758', 'S3760', 'S3782', 'S3785', 'S3786', 'S3798', 'S3799', 'S3800', 'S3812', 'S3834', 'S3854', 'S3863', 'S4043', 'S4084', 'S4124', 'S4125', 'S4137', 'S4138', 'S4139', 'S4140', 'S4156', 'S4157', 'S4204', 'S4322', 'S4323', 'S4324', 'S4325', 'S4326', 'S4327', 'S4328', 'S4335', 'S4619', 'S4621', 'S4622', 'S4623', 'S4624', 'S4634', 'S4782', 'S4798', 'S4822', 'S6079', 'S6080', 'S6092', 'S6324', 'S6325', 'S6351', 'S6426', 'S6435', 'S6438', 'S6439', 'S6440', 'S6441', 'S6442', 'S6443', 'S6477', 'S6478', 'S6479', 'S6480', 'S6481', 'S6486', 'S6509', 'S6522', 'S6523', 'S6534', 'S6544', 'S6550', 'S6551', 'S6557', 'S6564', 'S6565', 'S6568', 'S6569', 'S6571', 'S6572', 'S6578', 'S6583', 'S6590', 'S6594', 'S6598', 'S6635', 'S6637', 'S6638', 'S6643', 'S6644', 'S6645', 'S6647', 'S6650', 'S6653', 'S6654', 'S6657', 'S6660', 'S6854', 'S6855', 'S6957', 'S6959', 'S930'], 'java': ['S1111', 'S1113', 'S1130', 'S1132', 'S1149', 'S1150', 'S1153', 'S1157', 'S1158', 'S1160', 'S1162', 'S1165', 'S1171', 'S1174', 'S1175', 'S118', 'S1182', 'S1191', 'S1193', 'S1194', 'S1195', 'S1201', 'S1214', 'S1217', 'S1220', 'S1221', 'S1228', 'S1310', 'S1315', 'S1317', 'S1319', 'S1452', 'S1596', 'S1598', 'S1602', 'S1604', 'S1610', 'S1611', 'S1612', 'S1640', 'S1641', 'S1710', 'S1711', 'S1844', 'S1849', 'S1860', 'S1942', 'S1943', 'S1948', 'S1989', 'S2039', 'S2055', 'S2057', 'S2059', 'S2060', 'S2061', 'S2062', 'S2063', 'S2065', 'S2066', 'S2093', 'S2109', 'S2110', 'S2111', 'S2112', 'S2116', 'S2118', 'S2119', 'S2121', 'S2127', 'S2129', 'S2130', 'S2133', 'S2134', 'S2140', 'S2141', 'S2142', 'S2143', 'S2153', 'S2154', 'S2157', 'S2160', 'S2162', 'S2167', 'S2176', 'S2185', 'S2186', 'S2196', 'S2200', 'S2203', 'S2204', 'S2211', 'S2226', 'S2230', 'S2232', 'S2235', 'S2254', 'S2272', 'S2273', 'S2274', 'S2293', 'S2308', 'S2388', 'S2390', 'S2438', 'S2441', 'S2442', 'S2444', 'S2446', 'S2447', 
'S2629', 'S2675', 'S2676', 'S2677', 'S2694', 'S2698', 'S2701', 'S2718', 'S2786', 'S2789', 'S2864', 'S2885', 'S2886', 'S2924', 'S2972', 'S2973', 'S2974', 'S3008', 'S3012', 'S3020', 'S3030', 'S3032', 'S3034', 'S3039', 'S3042', 'S3064', 'S3066', 'S3067', 'S3077', 'S3078', 'S3305', 'S3306', 'S3436', 'S3437', 'S3551', 'S3553', 'S3578', 'S3599', 'S3631', 'S3658', 'S3725', 'S3740', 'S3749', 'S3750', 'S3751', 'S3824', 'S3864', 'S3959', 'S3986', 'S4011', 'S4032', 'S4034', 'S4042', 'S4065', 'S4087', 'S4174', 'S4248', 'S4266', 'S4276', 'S4288', 'S4348', 'S4349', 'S4351', 'S4424', 'S4425', 'S4434', 'S4435', 'S4449', 'S4454', 'S4488', 'S4512', 'S4517', 'S4544', 'S4551', 'S4601', 'S4605', 'S4682', 'S4684', 'S4719', 'S4838', 'S4925', 'S4926', 'S4929', 'S4968', 'S4973', 'S5128', 'S5164', 'S5194', 'S5301', 'S5329', 'S5411', 'S5413', 'S5612', 'S5663', 'S5664', 'S5665', 'S5669', 'S5738', 'S5776', 'S5777', 'S5778', 'S5790', 'S5803', 'S5810', 'S5826', 'S5831', 'S5833', 'S5838', 'S5840', 'S5841', 'S5853', 'S5854', 'S5866', 'S5917', 'S5960', 'S5961', 'S5967', 'S5969', 'S5970', 'S5976', 'S5977', 'S5993', 'S5998', 'S6068', 'S6070', 'S6073', 'S6103', 'S6104', 'S6126', 'S6201', 'S6204', 'S6205', 'S6206', 'S6209', 'S6211', 'S6213', 'S6216', 'S6217', 'S6219', 'S6241', 'S6242', 'S6243', 'S6244', 'S6246', 'S6262', 'S6263', 'S6320', 'S6322', 'S6355', 'S6411', 'S6416', 'S6466', 'S6646', 'S6649', 'S6651', 'S6707', 'S6780', 'S6810', 'S6832', 'S6833', 'S6838', 'S6856', 'S6862', 'S6880', 'S6885', 'S6901', 'S6906', 'S6913', 'S6915', 'S6916', 'S6976'], 'python': ['S1129', 'S1244', 'S1716', 'S1720', 'S1722', 'S2318', 'S2319', 'S2320', 'S2710', 'S2772', 'S2836', 'S5655', 'S5685', 'S5704', 'S5706', 'S5707', 'S5709', 'S5712', 'S5717', 'S5720', 'S5727', 'S5747', 'S5754', 'S5795', 'S5796', 'S5799', 'S5806', 'S5864', 'S5886', 'S5890', 'S5899', 'S5906', 'S5914', 'S5918', 'S6464', 'S6465', 'S6466', 'S6468', 'S6537', 'S6538', 'S6540', 'S6542', 'S6543', 'S6545', 'S6546', 'S6552', 'S6553', 'S6554', 'S6556', 
'S6559', 'S6560', 'S6711', 'S6730', 'S6735', 'S6742', 'S6785', 'S6786', 'S6792', 'S6794', 'S6795', 'S6796', 'S6799', 'S6886', 'S6899', 'S6908', 'S6911', 'S6918', 'S6969', 'S6972', 'S6978', 'S6979', 'S6983', 'S6984', 'S6985'], 'cobol': ['S1137', 'S1184', 'S1274', 'S1275', 'S1276', 'S1277', 'S1278', 'S1279', 'S1280', 'S1281', 'S1282', 'S1283', 'S1284', 'S1285', 'S1287', 'S1288', 'S1289', 'S1290', 'S1292', 'S1293', 'S1299', 'S1300', 'S1302', 'S1303', 'S1305', 'S1306', 'S1307', 'S1308', 'S1316', 'S1437', 'S1461', 'S1471', 'S1473', 'S1474', 'S1475', 'S1476', 'S1550', 'S1579', 'S1580', 'S1582', 'S1587', 'S1589', 'S1682', 'S1683', 'S1685', 'S1686', 'S1691', 'S1692', 'S1693', 'S1713', 'S1723', 'S1725', 'S1726', 'S1728', 'S1729', 'S1731', 'S1732', 'S1740', 'S1747', 'S1755', 'S1966', 'S2269', 'S3004', 'S3394', 'S3482', 'S3483', 'S3515', 'S3573', 'S3580', 'S3581', 'S3582', 'S3592', 'S3595', 'S3606', 'S3613', 'S3614', 'S3620', 'S3621', 'S3625', 'S3632', 'S3671', 'S3767', 'S3891', 'S3892', 'S3939', 'S4727', 'S4882', 'S4883', 'S4884'], 'csharp': ['S1192', 'S1313', 'S1944', 'S2290', 'S2291', 'S2292', 'S2328', 'S2330', 'S2743', 'S2934', 'S2952', 'S2995', 'S2996', 'S3005', 'S3168', 'S3169', 'S3172', 'S3216', 'S3217', 'S3220', 'S3234', 'S3246', 'S3247', 'S3251', 'S3253', 'S3256', 'S3260', 'S3262', 'S3264', 'S3265', 'S3267', 'S3343', 'S3441', 'S3442', 'S3444', 'S3445', 'S3447', 'S3450', 'S3451', 'S3456', 'S3459', 'S3532', 'S3597', 'S3600', 'S3610', 'S3876', 'S3880', 'S3881', 'S3885', 'S3897', 'S3909', 'S3928', 'S3956', 'S3963', 'S3967', 'S3971', 'S4000', 'S4002', 'S4017', 'S4019', 'S4027', 'S4035', 'S4039', 'S4041', 'S4047', 'S4049', 'S4050', 'S4052', 'S4055', 'S4056', 'S4057', 'S4058', 'S4059', 'S4061', 'S4069', 'S4070', 'S4211', 'S4212', 'S4226', 'S4261', 'S6419', 'S6420', 'S6421', 'S6423', 'S6640', 'S6797', 'S6802', 'S6803', 'S6961', 'S6962', 'S6965'], 'flex': ['S1320', 'S1321', 'S1434', 'S1435', 'S1445', 'S1447', 'S1455', 'S1462', 'S1463', 'S1464', 'S1465', 'S1467', 'S1470', 
'S1982'], 'abap': ['S1485', 'S1486', 'S1487', 'S1491', 'S1494', 'S1500', 'S1501', 'S1502', 'S1505', 'S1506', 'S1507', 'S1510', 'S1511', 'S1512', 'S1540', 'S1547', 'S1549', 'S1597', 'S1655', 'S1668', 'S1670', 'S1671', 'S1672', 'S1673', 'S1675', 'S1676', 'S1715', 'S2237', 'S2239', 'S2240', 'S2241', 'S2242', 'S2243', 'S2809', 'S5115', 'S5118'], 'php': ['S1600', 'S1603', 'S1605', 'S1757', 'S1765', 'S1766', 'S1779', 'S1780', 'S1781', 'S1793', 'S1808', 'S1997', 'S1998', 'S2000', 'S2001', 'S2002', 'S2003', 'S2010', 'S2036', 'S2037', 'S2038', 'S2043', 'S2044', 'S2046', 'S2050', 'S2918', 'S3335', 'S4824', 'S4833', 'S5328', 'S5899', 'S5935', 'S6339', 'S6341', 'S6343', 'S6344', 'S6345', 'S6346', 'S6347', 'S6348', 'S6349', 'S6393', 'S6600'], 'rpg': ['S1608', 'S1617', 'S1618', 'S1620', 'S1621', 'S1622', 'S1624', 'S1625', 'S1626', 'S1627', 'S1629', 'S1630', 'S1632', 'S1633', 'S1634', 'S1752', 'S1753', 'S1816', 'S1880', 'S1895', 'S1900', 'S1901', 'S1902', 'S2016', 'S2025', 'S2031', 'S2202', 'S2793', 'S2795', 'S2798', 'S2803'], 'vb6': ['S1647', 'S1648', 'S1649', 'S1650', 'S1651', 'S1652', 'S1658', 'S1660', 'S1702'], 'xml': ['S1778', 'S3373', 'S3417', 'S3419', 'S3420', 'S3421', 'S3422', 'S3423', 'S3438', 'S3439', 'S3822', 'S5594', 'S6358', 'S6361'], 'kotlin': ['S2116', 'S5612', 'S6305', 'S6306', 'S6307', 'S6309', 'S6310', 'S6311', 'S6312', 'S6313', 'S6314', 'S6315', 'S6316', 'S6318', 'S6508', 'S6510', 'S6511', 'S6512', 'S6514', 'S6515', 'S6516', 'S6517', 'S6518', 'S6519', 'S6529', 'S6530', 'S6532', 'S6558', 'S6611', 'S6615', 'S6623', 'S6624', 'S6625', 'S6626', 'S6629', 'S6631', 'S6634'], 'vbnet': ['S2347', 'S2348', 'S2349', 'S2352', 'S2354', 'S2355', 'S2359', 'S2362', 'S2363', 'S2364', 'S2366', 'S2367', 'S2369', 'S2370', 'S2374', 'S2375', 'S3385', 'S3860', 'S3866', 'S5944'], 'swift': ['S2635', 'S2950', 'S2957', 'S2958', 'S2960', 'S2961', 'S2962', 'S2967', 'S2968', 'S2969', 'S3083', 'S3086', 'S3110', 'S3111', 'S3661', 'S4173', 'S4184', 'S4186', 'S4233'], 'tsql': ['S3643', 'S4075', 
'S4078', 'S4094', 'S4102', 'S4103', 'S4104', 'S4108', 'S4149', 'S4154', 'S4155', 'S4819', 'S4820', 'S6498'], 'pli': ['S3982', 'S4208', 'S4806', 'S5348'], 'css': ['S4648', 'S4649', 'S4651', 'S4652', 'S4655', 'S4656', 'S4657', 'S4658', 'S4659', 'S4660', 'S4661', 'S4662', 'S4664', 'S4666', 'S4667', 'S4670'], 'apex': ['S5378', 'S5384', 'S5386', 'S5387', 'S5390', 'S5394', 'S5395'], 'terraform': ['S6255', 'S6400', 'S6404', 'S6406', 'S6408', 'S6409', 'S6410'], 'cloudformation': ['S6294', 'S6295'], 'text': ['S6389'], 'docker': ['S6476', 'S6497', 'S6505', 'S6570', 'S6573', 'S6574', 'S6579', 'S6581', 'S6584', 'S6586', 'S6587', 'S6589', 'S6595', 'S6597', 'S7028'], 'kubernetes': ['S6893']} --- rules/S1032/cfamily/metadata.json | 14 +--- rules/S1036/cfamily/metadata.json | 10 +-- rules/S1048/csharp/metadata.json | 2 +- rules/S1048/vbnet/metadata.json | 2 +- rules/S1058/plsql/metadata.json | 10 +-- rules/S1069/metadata.json | 10 +-- rules/S1074/plsql/metadata.json | 10 +-- rules/S1139/metadata.json | 10 +-- rules/S1147/metadata.json | 14 +--- rules/S1190/java/metadata.json | 2 +- rules/S1219/metadata.json | 10 +-- rules/S1232/cfamily/metadata.json | 10 +-- rules/S128/metadata.json | 6 +- rules/S1309/metadata.json | 18 ++--- rules/S131/pli/metadata.json | 2 +- rules/S1314/metadata.json | 6 +- rules/S1446/flex/metadata.json | 6 +- rules/S1451/metadata.json | 10 +-- rules/S1466/flex/metadata.json | 6 +- rules/S1468/flex/metadata.json | 6 +- rules/S1469/flex/metadata.json | 6 +- rules/S1493/metadata.json | 6 +- rules/S1496/abap/metadata.json | 10 +-- rules/S1508/abap/metadata.json | 10 +-- rules/S1526/javascript/metadata.json | 10 +-- rules/S1527/metadata.json | 10 +-- rules/S1590/metadata.json | 6 +- rules/S1599/php/metadata.json | 10 +-- rules/S1614/metadata.json | 14 +--- rules/S1657/vb6/metadata.json | 10 +-- rules/S1669/metadata.json | 6 +- rules/S1760/cfamily/metadata.json | 10 +-- rules/S1799/php/metadata.json | 18 ++--- rules/S1845/metadata.json | 10 +-- 
rules/S1909/metadata.json | 6 +- rules/S1912/cfamily/metadata.json | 6 +- rules/S1914/cfamily/metadata.json | 14 +--- rules/S1967/cobol/metadata.json | 10 +-- rules/S1969/cobol/metadata.json | 10 +-- rules/S2007/metadata.json | 10 +-- rules/S2014/php/metadata.json | 14 +--- rules/S2068/metadata.json | 10 +-- rules/S2095/metadata.json | 10 +-- rules/S2096/metadata.json | 14 +--- rules/S2168/java/metadata.json | 2 +- rules/S2178/metadata.json | 14 +--- rules/S2187/metadata.json | 10 +-- rules/S2188/java/metadata.json | 10 +-- rules/S2189/metadata.json | 14 +--- rules/S2190/metadata.json | 10 +-- rules/S2229/java/metadata.json | 10 +-- rules/S2236/java/metadata.json | 2 +- rules/S2275/metadata.json | 14 +--- rules/S2276/java/metadata.json | 2 +- rules/S2306/csharp/metadata.json | 6 +- rules/S2316/python/metadata.json | 6 +- rules/S2317/python/metadata.json | 6 +- rules/S2368/metadata.json | 6 +- rules/S2387/metadata.json | 10 +-- rules/S2437/metadata.json | 10 +-- rules/S2689/metadata.json | 2 +- rules/S2693/java/metadata.json | 14 +--- rules/S2695/metadata.json | 2 +- rules/S2699/metadata.json | 10 +-- rules/S2703/javascript/metadata.json | 10 +-- rules/S2711/python/metadata.json | 14 +--- rules/S2712/python/metadata.json | 18 ++--- rules/S2806/cfamily/metadata.json | 14 +--- rules/S2817/javascript/metadata.json | 14 +--- rules/S2823/python/metadata.json | 14 +--- rules/S2857/metadata.json | 10 +-- rules/S2876/python/metadata.json | 14 +--- rules/S2930/metadata.json | 10 +-- rules/S2931/metadata.json | 14 +--- rules/S2953/metadata.json | 56 ++++++------- rules/S2970/metadata.json | 10 +-- rules/S2975/java/metadata.json | 10 +-- rules/S3014/java/metadata.json | 10 +-- rules/S3046/metadata.json | 10 +-- rules/S3060/metadata.json | 10 +-- rules/S3237/csharp/metadata.json | 10 +-- rules/S3282/xml/metadata.json | 14 +--- rules/S3333/php/metadata.json | 14 +--- rules/S3334/php/metadata.json | 14 +--- rules/S3336/php/metadata.json | 14 +--- rules/S3337/php/metadata.json | 
14 +--- rules/S3360/metadata.json | 14 +--- rules/S3374/xml/metadata.json | 10 +-- rules/S3403/python/metadata.json | 2 +- rules/S3427/metadata.json | 10 +-- rules/S3433/metadata.json | 10 +-- rules/S3443/metadata.json | 61 +++++++-------- rules/S3464/metadata.json | 14 +--- rules/S3481/cobol/metadata.json | 14 +--- rules/S3491/cfamily/metadata.json | 10 +-- rules/S3516/metadata.json | 14 +--- rules/S3519/cfamily/metadata.json | 10 +-- rules/S3520/cfamily/metadata.json | 10 +-- rules/S3529/cfamily/metadata.json | 10 +-- rules/S3546/java/metadata.json | 14 +--- rules/S3584/cfamily/metadata.json | 10 +-- rules/S3588/cfamily/metadata.json | 10 +-- rules/S3590/cfamily/metadata.json | 10 +-- rules/S3618/metadata.json | 10 +-- rules/S3654/cfamily/metadata.json | 10 +-- rules/S3657/cfamily/metadata.json | 10 +-- rules/S3692/cfamily/metadata.json | 10 +-- rules/S3729/cfamily/metadata.json | 10 +-- rules/S3753/java/metadata.json | 10 +-- rules/S3796/javascript/metadata.json | 10 +-- rules/S3827/metadata.json | 14 +--- rules/S3862/metadata.json | 14 +--- rules/S3869/metadata.json | 10 +-- rules/S3875/metadata.json | 10 +-- rules/S3877/metadata.json | 12 +-- rules/S3884/metadata.json | 16 ++-- rules/S3889/metadata.json | 10 +-- rules/S3931/metadata.json | 10 +-- rules/S3936/cfamily/metadata.json | 10 +-- rules/S3938/cobol/metadata.json | 18 ++--- rules/S4159/metadata.json | 10 +-- rules/S4462/metadata.json | 14 +--- rules/S4577/plsql/metadata.json | 14 +--- rules/S4602/java/metadata.json | 10 +-- rules/S4650/css/metadata.json | 14 +--- rules/S4653/css/metadata.json | 14 +--- rules/S4654/css/metadata.json | 14 +--- rules/S4668/css/metadata.json | 14 +--- rules/S4997/cfamily/metadata.json | 10 +-- rules/S4999/cfamily/metadata.json | 14 +--- rules/S5000/cfamily/metadata.json | 10 +-- rules/S5018/cfamily/metadata.json | 10 +-- rules/S5020/cfamily/metadata.json | 10 +-- rules/S5117/abap/metadata.json | 14 +--- rules/S5184/cfamily/metadata.json | 10 +-- 
rules/S5267/cfamily/metadata.json | 10 +-- rules/S5302/cfamily/metadata.json | 10 +-- rules/S5335/php/metadata.json | 10 +-- rules/S5376/apex/metadata.json | 14 +--- rules/S5377/apex/metadata.json | 16 ++-- rules/S5379/apex/metadata.json | 14 +--- rules/S5382/apex/metadata.json | 10 +-- rules/S5389/apex/metadata.json | 14 +--- rules/S5404/cfamily/metadata.json | 10 +-- rules/S5417/cfamily/metadata.json | 10 +-- rules/S5486/cfamily/metadata.json | 10 +-- rules/S5487/cfamily/metadata.json | 10 +-- rules/S5489/cfamily/metadata.json | 10 +-- rules/S5496/metadata.json | 10 +-- rules/S5502/cfamily/metadata.json | 10 +-- rules/S5549/python/metadata.json | 14 +--- rules/S5553/cfamily/metadata.json | 10 +-- rules/S5607/python/metadata.json | 14 +--- rules/S5632/metadata.json | 14 +--- rules/S5633/python/metadata.json | 14 +--- rules/S5639/cfamily/metadata.json | 18 ++--- rules/S5642/python/metadata.json | 14 +--- rules/S5644/python/metadata.json | 14 +--- rules/S5708/metadata.json | 14 +--- rules/S5714/python/metadata.json | 14 +--- rules/S5719/python/metadata.json | 14 +--- rules/S5722/python/metadata.json | 14 +--- rules/S5724/python/metadata.json | 14 +--- rules/S5756/python/metadata.json | 14 +--- rules/S5786/java/metadata.json | 10 +-- rules/S5793/java/metadata.json | 14 +--- rules/S5798/cfamily/metadata.json | 10 +-- rules/S5807/python/metadata.json | 14 +--- rules/S5828/python/metadata.json | 14 +--- rules/S5905/python/metadata.json | 10 +-- rules/S5911/php/metadata.json | 10 +-- rules/S5912/cfamily/metadata.json | 10 +-- rules/S5953/python/metadata.json | 18 ++--- rules/S5979/java/metadata.json | 14 +--- rules/S5999/cfamily/metadata.json | 10 +-- rules/S6025/cfamily/metadata.json | 10 +-- rules/S6208/java/metadata.json | 2 +- rules/S6212/java/metadata.json | 14 +--- rules/S6223/cfamily/metadata.json | 14 +--- rules/S6265/metadata.json | 10 +-- rules/S6268/javascript/metadata.json | 10 +-- rules/S6270/metadata.json | 10 +-- rules/S6292/secrets/metadata.json | 10 +-- 
rules/S6299/javascript/metadata.json | 6 +- rules/S6302/metadata.json | 10 +-- rules/S6304/metadata.json | 10 +-- rules/S6329/metadata.json | 10 +-- rules/S6333/metadata.json | 10 +-- rules/S6334/secrets/metadata.json | 2 +- rules/S6335/secrets/metadata.json | 2 +- rules/S6336/secrets/metadata.json | 6 +- rules/S6337/secrets/metadata.json | 2 +- rules/S6338/secrets/metadata.json | 6 +- rules/S6373/metadata.json | 14 +--- rules/S6418/metadata.json | 10 +-- rules/S6422/csharp/metadata.json | 6 +- rules/S6424/csharp/metadata.json | 2 +- rules/S6427/cfamily/metadata.json | 10 ++- rules/S6472/metadata.json | 58 +++++++------- rules/S6493/cfamily/metadata.json | 6 +- rules/S6539/java/metadata.json | 2 +- rules/S6541/java/metadata.json | 2 +- rules/S6548/java/metadata.json | 2 +- rules/S6652/secrets/metadata.json | 6 +- rules/S6655/cfamily/metadata.json | 8 +- rules/S6684/secrets/metadata.json | 6 +- rules/S6686/secrets/metadata.json | 6 +- rules/S6687/secrets/metadata.json | 6 +- rules/S6688/secrets/metadata.json | 6 +- rules/S6689/secrets/metadata.json | 6 +- rules/S6690/secrets/metadata.json | 6 +- rules/S6691/secrets/metadata.json | 6 +- rules/S6692/secrets/metadata.json | 6 +- rules/S6693/secrets/metadata.json | 6 +- rules/S6694/secrets/metadata.json | 6 +- rules/S6695/secrets/metadata.json | 6 +- rules/S6696/secrets/metadata.json | 6 +- rules/S6697/secrets/metadata.json | 6 +- rules/S6698/secrets/metadata.json | 6 +- rules/S6699/secrets/metadata.json | 6 +- rules/S6700/secrets/metadata.json | 6 +- rules/S6701/secrets/metadata.json | 6 +- rules/S6702/secrets/metadata.json | 6 +- rules/S6703/secrets/metadata.json | 6 +- rules/S6704/secrets/metadata.json | 6 +- rules/S6705/secrets/metadata.json | 6 +- rules/S6706/secrets/metadata.json | 6 +- rules/S6708/secrets/metadata.json | 6 +- rules/S6710/secrets/metadata.json | 6 +- rules/S6713/secrets/metadata.json | 6 +- rules/S6717/secrets/metadata.json | 6 +- rules/S6718/secrets/metadata.json | 6 +- 
rules/S6719/secrets/metadata.json | 6 +- rules/S6720/secrets/metadata.json | 6 +- rules/S6721/secrets/metadata.json | 6 +- rules/S6722/secrets/metadata.json | 6 +- rules/S6723/secrets/metadata.json | 6 +- rules/S6725/python/metadata.json | 6 +- rules/S6731/secrets/metadata.json | 6 +- rules/S6732/secrets/metadata.json | 6 +- rules/S6733/secrets/metadata.json | 6 +- rules/S6736/secrets/metadata.json | 6 +- rules/S6739/secrets/metadata.json | 6 +- rules/S6751/secrets/metadata.json | 2 +- rules/S6752/secrets/metadata.json | 107 ++++++++++++------------- rules/S6753/secrets/metadata.json | 2 +- rules/S6755/secrets/metadata.json | 2 +- rules/S6758/secrets/metadata.json | 2 +- rules/S6760/secrets/metadata.json | 2 +- rules/S6762/secrets/metadata.json | 2 +- rules/S6764/secrets/metadata.json | 2 +- rules/S6765/secrets/metadata.json | 2 +- rules/S6768/secrets/metadata.json | 2 +- rules/S6769/secrets/metadata.json | 2 +- rules/S6771/secrets/metadata.json | 113 +++++++++++++-------------- rules/S6773/secrets/metadata.json | 107 ++++++++++++------------- rules/S6777/secrets/metadata.json | 108 ++++++++++++------------- rules/S6779/python/metadata.json | 8 +- rules/S6781/metadata.json | 8 +- rules/S6782/secrets/metadata.json | 108 ++++++++++++------------- rules/S6783/secrets/metadata.json | 7 +- rules/S6839/metadata.json | 14 +--- rules/S6910/secrets/metadata.json | 2 +- rules/S6987/secrets/metadata.json | 10 +-- rules/S6988/secrets/metadata.json | 10 +-- rules/S6989/secrets/metadata.json | 2 +- rules/S6990/secrets/metadata.json | 2 +- rules/S6992/secrets/metadata.json | 2 +- rules/S6993/secrets/metadata.json | 2 +- rules/S6995/secrets/metadata.json | 2 +- rules/S6997/secrets/metadata.json | 2 +- rules/S6998/secrets/metadata.json | 2 +- rules/S6999/secrets/metadata.json | 2 +- rules/S7000/secrets/metadata.json | 2 +- rules/S7001/secrets/metadata.json | 2 +- rules/S7002/secrets/metadata.json | 2 +- rules/S7003/secrets/metadata.json | 2 +- rules/S7004/secrets/metadata.json | 2 
+- rules/S7006/secrets/metadata.json | 2 +- rules/S7007/secrets/metadata.json | 2 +- rules/S7008/secrets/metadata.json | 2 +- rules/S7009/secrets/metadata.json | 2 +- rules/S7010/secrets/metadata.json | 2 +- rules/S7011/secrets/metadata.json | 2 +- rules/S7013/secrets/metadata.json | 2 +- rules/S7014/secrets/metadata.json | 2 +- rules/S7015/secrets/metadata.json | 2 +- rules/S7016/secrets/metadata.json | 2 +- rules/S7017/secrets/metadata.json | 2 +- rules/S7022/secrets/metadata.json | 2 +- rules/S7024/secrets/metadata.json | 2 +- rules/S7025/secrets/metadata.json | 2 +- rules/S797/cfamily/metadata.json | 6 +- rules/S798/cfamily/metadata.json | 6 +- rules/S912/cfamily/metadata.json | 6 +- rules/S916/cfamily/metadata.json | 6 +- rules/S923/java/metadata.json | 2 +- rules/S930/python/metadata.json | 2 +- rules/S946/cfamily/metadata.json | 10 +-- rules/S961/cfamily/metadata.json | 10 +-- rules/S963/cfamily/metadata.json | 13 +-- rules/S969/cfamily/metadata.json | 10 +-- rules/S978/cfamily/metadata.json | 14 +--- rules/S998/cfamily/metadata.json | 6 +- rules/S999/metadata.json | 6 +- 305 files changed, 1148 insertions(+), 2112 deletions(-)
diff --git a/rules/S1032/cfamily/metadata.json b/rules/S1032/cfamily/metadata.json
index 336c9a190f8..9730fd0059b 100644
--- a/rules/S1032/cfamily/metadata.json
+++ b/rules/S1032/cfamily/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CLEAR"
 },
@@ -17,19 +17,13 @@
 "based-on-misra"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-1032",
 "sqKey": "S1032",
 "scope": "Main",
- "defaultQualityProfiles": [
-
- ],
+ "defaultQualityProfiles": [],
 "quickfix": "unknown"
 }
diff --git a/rules/S1036/cfamily/metadata.json b/rules/S1036/cfamily/metadata.json
index 1b1a972b491..c5de7df80b0 100644
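Review bot: The `impacts` values introduced here (`"MAINTAINABILITY": "BLOCKER"` in S1032, and `"INFO"` in the later S1309 section) extend the severity vocabulary beyond HIGH/MEDIUM/LOW, so any schema or tooling that validates or maps `impacts` has to accept the new values; that cannot be confirmed from this diff alone. The new values line up with the untouched `"defaultSeverity": "Blocker"` and `"Info"` context lines, so the mapping itself looks intentional. Separately, the S1446, S1466, S1468 and S1469 flex sections rewrite `"Constant/Issue"` as `"Constant\/Issue"`; both decode to the same string, so this is serializer churn rather than a content change, and settling on one escaping convention across the repository would stop it resurfacing on the next regeneration.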
--- a/rules/S1036/cfamily/metadata.json
+++ b/rules/S1036/cfamily/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CLEAR"
 },
@@ -19,12 +19,8 @@
 "pitfall"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-1036",
diff --git a/rules/S1048/csharp/metadata.json b/rules/S1048/csharp/metadata.json
index 1a385910efb..7f94eb8fb1e 100644
--- a/rules/S1048/csharp/metadata.json
+++ b/rules/S1048/csharp/metadata.json
@@ -2,7 +2,7 @@
 "title": "Finalizers should not throw exceptions",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "LOGICAL"
 },
diff --git a/rules/S1048/vbnet/metadata.json b/rules/S1048/vbnet/metadata.json
index 61023668772..e9440f22ce0 100644
--- a/rules/S1048/vbnet/metadata.json
+++ b/rules/S1048/vbnet/metadata.json
@@ -2,7 +2,7 @@
 "title": "Finalize method should not throw exceptions",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "LOGICAL"
 },
diff --git a/rules/S1058/plsql/metadata.json b/rules/S1058/plsql/metadata.json
index 613fd0eb4e4..4e0b9a53f6a 100644
--- a/rules/S1058/plsql/metadata.json
+++ b/rules/S1058/plsql/metadata.json
@@ -3,7 +3,7 @@
 "type": "BUG",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "LOGICAL"
 },
@@ -12,13 +12,9 @@
 "func": "Constant\/Issue",
 "constantCost": "30min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "extra": {
- "replacementRules": [
-
- ],
+ "replacementRules": [],
 "legacyKeys": [
 "PipelinedFunctionsWithoutPipeRow"
 ]
diff --git a/rules/S1069/metadata.json b/rules/S1069/metadata.json
index 7522076aed1..6a30b9dc6b8 100644
--- a/rules/S1069/metadata.json
+++ b/rules/S1069/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CONVENTIONAL"
 },
@@ -17,12 +17,8 @@
 "sql"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-1069",
diff --git a/rules/S1074/plsql/metadata.json b/rules/S1074/plsql/metadata.json
index 80e0ed55d7a..54b0c65f9d4 100644
--- a/rules/S1074/plsql/metadata.json
+++ b/rules/S1074/plsql/metadata.json
@@ -3,7 +3,7 @@
 "type": "BUG",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "COMPLETE"
 },
@@ -12,13 +12,9 @@
 "func": "Constant\/Issue",
 "constantCost": "1h"
 },
- "tags": [
-
- ],
+ "tags": [],
 "extra": {
- "replacementRules": [
-
- ],
+ "replacementRules": [],
 "legacyKeys": [
 "ForallStatementShouldUseSaveExceptionsClause"
 ]
diff --git a/rules/S1139/metadata.json b/rules/S1139/metadata.json
index d7b0587d27e..c387ced5596 100644
--- a/rules/S1139/metadata.json
+++ b/rules/S1139/metadata.json
@@ -3,7 +3,7 @@
 "type": "BUG",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "CLEAR"
 },
@@ -16,12 +16,8 @@
 "sql"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-1139",
diff --git a/rules/S1147/metadata.json b/rules/S1147/metadata.json
index 746c4c5d6dc..71677b3ea68 100644
--- a/rules/S1147/metadata.json
+++ b/rules/S1147/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CONVENTIONAL"
 },
@@ -17,12 +17,8 @@
 "suspicious"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-1147",
@@ -33,8 +29,6 @@
 382
 ]
 },
- "defaultQualityProfiles": [
-
- ],
+ "defaultQualityProfiles": [],
 "quickfix": "unknown"
 }
diff --git a/rules/S1190/java/metadata.json b/rules/S1190/java/metadata.json
index 5a14ff46d62..1ced5968767 100644
--- a/rules/S1190/java/metadata.json
+++ b/rules/S1190/java/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CONVENTIONAL"
 },
diff --git a/rules/S1219/metadata.json b/rules/S1219/metadata.json
index 538db302313..35b373a6fad 100644
--- a/rules/S1219/metadata.json
+++ b/rules/S1219/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CLEAR"
 },
@@ -16,12 +16,8 @@
 "suspicious"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-1219",
diff --git a/rules/S1232/cfamily/metadata.json b/rules/S1232/cfamily/metadata.json
index acac097a8f6..270a9899e94 100644
--- a/rules/S1232/cfamily/metadata.json
+++ b/rules/S1232/cfamily/metadata.json
@@ -3,7 +3,7 @@
 "type": "BUG",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "LOGICAL"
 },
@@ -18,12 +18,8 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-1232",
diff --git a/rules/S128/metadata.json b/rules/S128/metadata.json
index 5e471db837e..76d2e2c034e 100644
--- a/rules/S128/metadata.json
+++ b/rules/S128/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CLEAR"
 },
@@ -17,9 +17,7 @@
 "suspicious"
 ],
 "extra": {
- "replacementRules": [
-
- ],
+ "replacementRules": [],
 "legacyKeys": [
 "non-empty-case-without-break",
 "NonEmptyCaseWithoutBreak"
diff --git a/rules/S1309/metadata.json b/rules/S1309/metadata.json
index ae68b1aebda..29a08080ca8 100644
--- a/rules/S1309/metadata.json
+++ b/rules/S1309/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "LOW"
+ "MAINTAINABILITY": "INFO"
 },
 "attribute": "CLEAR"
 },
@@ -12,23 +12,15 @@
 "func": "Constant\/Issue",
 "constantCost": "10min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Info",
 "ruleSpecification": "RSPEC-1309",
 "sqKey": "S1309",
 "scope": "All",
- "defaultQualityProfiles": [
-
- ],
+ "defaultQualityProfiles": [],
 "quickfix": "unknown"
 }
diff --git a/rules/S131/pli/metadata.json b/rules/S131/pli/metadata.json
index 026bac6f092..131662a6792 100644
--- a/rules/S131/pli/metadata.json
+++ b/rules/S131/pli/metadata.json
@@ -2,7 +2,7 @@
 "title": "\"SELECT\" statements should end with \"OTHERWISE\" statements",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CLEAR"
 },
diff --git a/rules/S1314/metadata.json b/rules/S1314/metadata.json
index de0921d5728..61c3edfc1a3 100644
--- a/rules/S1314/metadata.json
+++ b/rules/S1314/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CLEAR"
 },
@@ -16,9 +16,7 @@
 "pitfall"
 ],
 "extra": {
- "replacementRules": [
-
- ],
+ "replacementRules": [],
 "legacyKeys": [
 "OctalConstantAndSequence",
 "OctalNumber"
diff --git a/rules/S1446/flex/metadata.json b/rules/S1446/flex/metadata.json
index 88ce1135729..72ca59c3686 100644
--- a/rules/S1446/flex/metadata.json
+++ b/rules/S1446/flex/metadata.json
@@ -3,13 +3,13 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, "status": "deprecated", "remediation": { - "func": "Constant/Issue", + "func": "Constant\/Issue", "constantCost": "30min" }, "tags": [], @@ -23,4 +23,4 @@ "scope": "Main", "defaultQualityProfiles": [], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S1451/metadata.json b/rules/S1451/metadata.json index a1ba31b2b8b..695b64b8c0e 100644 --- a/rules/S1451/metadata.json +++ b/rules/S1451/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LAWFUL" }, @@ -12,13 +12,9 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "COBOL.HeaderCheck" ] diff --git a/rules/S1466/flex/metadata.json b/rules/S1466/flex/metadata.json index 2506c67f2c8..dc5917a5e27 100644 --- a/rules/S1466/flex/metadata.json +++ b/rules/S1466/flex/metadata.json @@ -3,13 +3,13 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, "status": "deprecated", "remediation": { - "func": "Constant/Issue", + "func": "Constant\/Issue", "constantCost": "10min" }, "tags": [], @@ -23,4 +23,4 @@ "scope": "Main", "defaultQualityProfiles": [], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S1468/flex/metadata.json b/rules/S1468/flex/metadata.json index f1e6d33ac97..dccff6f0b6a 100644 --- a/rules/S1468/flex/metadata.json +++ b/rules/S1468/flex/metadata.json @@ -3,13 +3,13 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, "status": "deprecated", "remediation": { - "func": "Constant/Issue", + "func": "Constant\/Issue", "constantCost": "10min" }, "tags": [], 
@@ -23,4 +23,4 @@ "scope": "Main", "defaultQualityProfiles": [], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S1469/flex/metadata.json b/rules/S1469/flex/metadata.json index 9a3e23e8422..705baca0940 100644 --- a/rules/S1469/flex/metadata.json +++ b/rules/S1469/flex/metadata.json @@ -3,13 +3,13 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, "status": "deprecated", "remediation": { - "func": "Constant/Issue", + "func": "Constant\/Issue", "constantCost": "5min" }, "tags": [], @@ -23,4 +23,4 @@ "scope": "Main", "defaultQualityProfiles": [], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S1493/metadata.json b/rules/S1493/metadata.json index 2bd81fe977a..0c043a0b385 100644 --- a/rules/S1493/metadata.json +++ b/rules/S1493/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, @@ -17,9 +17,7 @@ "sql" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "SQL.DynamicSqlCheck" ] diff --git a/rules/S1496/abap/metadata.json b/rules/S1496/abap/metadata.json index 0d7422bbe3f..6199ef9aa70 100644 --- a/rules/S1496/abap/metadata.json +++ b/rules/S1496/abap/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -16,12 +16,8 @@ "sql" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1496", diff --git a/rules/S1508/abap/metadata.json b/rules/S1508/abap/metadata.json index 96af3e2cbe5..b362e60e602 100644 --- a/rules/S1508/abap/metadata.json +++ b/rules/S1508/abap/metadata.json 
@@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -16,12 +16,8 @@ "lock-in" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1508", diff --git a/rules/S1526/javascript/metadata.json b/rules/S1526/javascript/metadata.json index a8ccf5545fb..fda0f7f4b03 100644 --- a/rules/S1526/javascript/metadata.json +++ b/rules/S1526/javascript/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -16,9 +16,7 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "VariableDeclarationAfterUsage" ] @@ -27,8 +25,6 @@ "ruleSpecification": "RSPEC-1526", "sqKey": "S1526", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S1527/metadata.json b/rules/S1527/metadata.json index 21bc64249a1..735bc8a8d8a 100644 --- a/rules/S1527/metadata.json +++ b/rules/S1527/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -17,12 +17,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1527", diff --git a/rules/S1590/metadata.json b/rules/S1590/metadata.json index ab07d8cb49b..a2ff14e6f8e 100644 --- a/rules/S1590/metadata.json +++ b/rules/S1590/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, 
@@ -16,9 +16,7 @@ "sql" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "DeleteOrUpdateWithoutWhereCheck" ] diff --git a/rules/S1599/php/metadata.json b/rules/S1599/php/metadata.json index 950720be7a8..e0304baf812 100644 --- a/rules/S1599/php/metadata.json +++ b/rules/S1599/php/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,12 +16,8 @@ "brain-overload" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1599", diff --git a/rules/S1614/metadata.json b/rules/S1614/metadata.json index 5b1e2f75b4b..79352901f3d 100644 --- a/rules/S1614/metadata.json +++ b/rules/S1614/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,19 +16,13 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1614", "sqKey": "S1614", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S1657/vb6/metadata.json b/rules/S1657/vb6/metadata.json index 0b260a72872..991578099ae 100644 --- a/rules/S1657/vb6/metadata.json +++ b/rules/S1657/vb6/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,12 +16,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1657", 
diff --git a/rules/S1669/metadata.json b/rules/S1669/metadata.json index ffda43a6be3..ab06b574c65 100644 --- a/rules/S1669/metadata.json +++ b/rules/S1669/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,9 +16,7 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "LanguageKeywordUsage" ] diff --git a/rules/S1760/cfamily/metadata.json b/rules/S1760/cfamily/metadata.json index 9d3f201a4e5..9a83fc009cb 100644 --- a/rules/S1760/cfamily/metadata.json +++ b/rules/S1760/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -16,12 +16,8 @@ "lock-in" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1760", diff --git a/rules/S1799/php/metadata.json b/rules/S1799/php/metadata.json index 2ae347ee8ec..fd81decfae1 100644 --- a/rules/S1799/php/metadata.json +++ b/rules/S1799/php/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -12,23 +12,15 @@ "func": "Constant\/Issue", "constantCost": "20min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1799", "sqKey": "S1799", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S1845/metadata.json b/rules/S1845/metadata.json index 61897d9d28d..d6f3c9265b8 100644 --- a/rules/S1845/metadata.json +++ b/rules/S1845/metadata.json 
@@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "IDENTIFIABLE" }, @@ -16,12 +16,8 @@ "confusing" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1845", diff --git a/rules/S1909/metadata.json b/rules/S1909/metadata.json index fd8c7f168c7..c761acd2f45 100644 --- a/rules/S1909/metadata.json +++ b/rules/S1909/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -17,9 +17,7 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "GotoLabelInNestedBlock" ] diff --git a/rules/S1912/cfamily/metadata.json b/rules/S1912/cfamily/metadata.json index 53d3d45a91b..6ffb52a6900 100644 --- a/rules/S1912/cfamily/metadata.json +++ b/rules/S1912/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -16,9 +16,7 @@ "multi-threading" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "NonReentrantFunction" ] diff --git a/rules/S1914/cfamily/metadata.json b/rules/S1914/cfamily/metadata.json index d028eb54ea9..7f05a0ea23a 100644 --- a/rules/S1914/cfamily/metadata.json +++ b/rules/S1914/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "LOW" + "MAINTAINABILITY": "INFO" }, "attribute": "LOGICAL" }, @@ -12,13 +12,9 @@ "func": "Constant\/Issue", "constantCost": "0min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "PPErrorDirectiveReached" ] 
@@ -27,8 +23,6 @@ "ruleSpecification": "RSPEC-1914", "sqKey": "S1914", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S1967/cobol/metadata.json b/rules/S1967/cobol/metadata.json index 208df300786..f3e2daab600 100644 --- a/rules/S1967/cobol/metadata.json +++ b/rules/S1967/cobol/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "cwe" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1967", diff --git a/rules/S1969/cobol/metadata.json b/rules/S1969/cobol/metadata.json index d205a683707..f169590c5ce 100644 --- a/rules/S1969/cobol/metadata.json +++ b/rules/S1969/cobol/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1969", diff --git a/rules/S2007/metadata.json b/rules/S2007/metadata.json index 6ca2bec99e6..086fa023b1d 100644 --- a/rules/S2007/metadata.json +++ b/rules/S2007/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "MODULAR" }, @@ -16,9 +16,7 @@ "design" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "VariableInPackageSpecificationCheck" ] @@ -27,8 +25,6 @@ "ruleSpecification": "RSPEC-2007", "sqKey": "S2007", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } 
diff --git a/rules/S2014/php/metadata.json b/rules/S2014/php/metadata.json index 2eb9822fdac..bca5d053ef7 100644 --- a/rules/S2014/php/metadata.json +++ b/rules/S2014/php/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "15min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2014", diff --git a/rules/S2068/metadata.json b/rules/S2068/metadata.json index 1be8e925d3d..4674b6d6a6d 100644 --- a/rules/S2068/metadata.json +++ b/rules/S2068/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, @@ -16,12 +16,8 @@ "cwe" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2068", diff --git a/rules/S2095/metadata.json b/rules/S2095/metadata.json index 153b128329e..f9011363d15 100644 --- a/rules/S2095/metadata.json +++ b/rules/S2095/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -18,12 +18,8 @@ "denial-of-service" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2095", diff --git a/rules/S2096/metadata.json b/rules/S2096/metadata.json index 803feaab21b..d1ac5e9694a 100644 --- a/rules/S2096/metadata.json +++ b/rules/S2096/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, 
@@ -16,19 +16,13 @@ "error-handling" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2096", "sqKey": "S2096", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S2168/java/metadata.json b/rules/S2168/java/metadata.json index 0a537144710..ce07716a9dd 100644 --- a/rules/S2168/java/metadata.json +++ b/rules/S2168/java/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, diff --git a/rules/S2178/metadata.json b/rules/S2178/metadata.json index 56ca8e1bc68..37e5254138f 100644 --- a/rules/S2178/metadata.json +++ b/rules/S2178/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2178", diff --git a/rules/S2187/metadata.json b/rules/S2187/metadata.json index 015df761401..576beea8775 100644 --- a/rules/S2187/metadata.json +++ b/rules/S2187/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "TESTED" }, @@ -18,12 +18,8 @@ "confusing" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2187", diff --git a/rules/S2188/java/metadata.json b/rules/S2188/java/metadata.json index 1b84b09828b..cb9d90d84c5 100644 --- a/rules/S2188/java/metadata.json +++ b/rules/S2188/java/metadata.json 
@@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -17,12 +17,8 @@ "tests" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2188", diff --git a/rules/S2189/metadata.json b/rules/S2189/metadata.json index c572994af46..8abdefac93a 100644 --- a/rules/S2189/metadata.json +++ b/rules/S2189/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "15min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2189", diff --git a/rules/S2190/metadata.json b/rules/S2190/metadata.json index 34d6a3ad41c..a109c757e51 100644 --- a/rules/S2190/metadata.json +++ b/rules/S2190/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2190", diff --git a/rules/S2229/java/metadata.json b/rules/S2229/java/metadata.json index 14917e2916c..3e93ee497ec 100644 --- a/rules/S2229/java/metadata.json +++ b/rules/S2229/java/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, 
@@ -16,12 +16,8 @@ "spring" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2229", diff --git a/rules/S2236/java/metadata.json b/rules/S2236/java/metadata.json index eeeaf3bc9a1..17bec5880ea 100644 --- a/rules/S2236/java/metadata.json +++ b/rules/S2236/java/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, diff --git a/rules/S2275/metadata.json b/rules/S2275/metadata.json index ed399d27634..d0e00bd816a 100644 --- a/rules/S2275/metadata.json +++ b/rules/S2275/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2275", diff --git a/rules/S2276/java/metadata.json b/rules/S2276/java/metadata.json index f833ff85747..a82b277587e 100644 --- a/rules/S2276/java/metadata.json +++ b/rules/S2276/java/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, diff --git a/rules/S2306/csharp/metadata.json b/rules/S2306/csharp/metadata.json index 5d9d87e820f..3ae50e3c34b 100644 --- a/rules/S2306/csharp/metadata.json +++ b/rules/S2306/csharp/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,9 +16,7 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "AsyncAwaitIdentifier" ] 
diff --git a/rules/S2316/python/metadata.json b/rules/S2316/python/metadata.json index e2ade908087..3643af51e5f 100644 --- a/rules/S2316/python/metadata.json +++ b/rules/S2316/python/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -16,9 +16,7 @@ "python3" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "BackticksUsage" ] diff --git a/rules/S2317/python/metadata.json b/rules/S2317/python/metadata.json index 3a382f93fb9..0516fadb441 100644 --- a/rules/S2317/python/metadata.json +++ b/rules/S2317/python/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -17,9 +17,7 @@ "obsolete" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "ExecStatementUsage" ] diff --git a/rules/S2368/metadata.json b/rules/S2368/metadata.json index a533da20546..5150a282172 100644 --- a/rules/S2368/metadata.json +++ b/rules/S2368/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,9 +16,7 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "PublicMethodWithMultidimensionalArrayParameter" ] diff --git a/rules/S2387/metadata.json b/rules/S2387/metadata.json index 1ab4977c5ec..f8d7fa7c78f 100644 --- a/rules/S2387/metadata.json +++ b/rules/S2387/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,12 +16,8 @@ "confusing" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2387", 
diff --git a/rules/S2437/metadata.json b/rules/S2437/metadata.json index 4f2e7f2be80..0b40db74406 100644 --- a/rules/S2437/metadata.json +++ b/rules/S2437/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2437", diff --git a/rules/S2689/metadata.json b/rules/S2689/metadata.json index 2b1b9ed9fd4..5efe3179d49 100644 --- a/rules/S2689/metadata.json +++ b/rules/S2689/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, diff --git a/rules/S2693/java/metadata.json b/rules/S2693/java/metadata.json index d84c4b499cc..6791da21dc0 100644 --- a/rules/S2693/java/metadata.json +++ b/rules/S2693/java/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "FOCUSED" }, @@ -18,12 +18,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2693", @@ -34,8 +30,6 @@ "TSM02-J." ] }, - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S2695/metadata.json b/rules/S2695/metadata.json index 82eaaf87bcd..36fbd5464c4 100644 --- a/rules/S2695/metadata.json +++ b/rules/S2695/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, diff --git a/rules/S2699/metadata.json b/rules/S2699/metadata.json index cb212f1e0eb..acdd716f39b 100644 --- a/rules/S2699/metadata.json +++ b/rules/S2699/metadata.json 
@@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "TESTED" }, @@ -16,12 +16,8 @@ "tests" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2699", diff --git a/rules/S2703/javascript/metadata.json b/rules/S2703/javascript/metadata.json index 3a84f18fe79..ad026fb8323 100644 --- a/rules/S2703/javascript/metadata.json +++ b/rules/S2703/javascript/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,12 +16,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2703", diff --git a/rules/S2711/python/metadata.json b/rules/S2711/python/metadata.json index 40af40c3fd5..6143a291563 100644 --- a/rules/S2711/python/metadata.json +++ b/rules/S2711/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "15min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2711", diff --git a/rules/S2712/python/metadata.json b/rules/S2712/python/metadata.json index 7f7db232b23..1b861bdc12f 100644 --- a/rules/S2712/python/metadata.json +++ b/rules/S2712/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -12,23 +12,15 @@ "func": "Constant\/Issue", "constantCost": "15min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2712", "sqKey": "S2712", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S2806/cfamily/metadata.json b/rules/S2806/cfamily/metadata.json index 703e4483929..4ca5105b33e 100644 --- a/rules/S2806/cfamily/metadata.json +++ b/rules/S2806/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -17,19 +17,13 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2806", "sqKey": "S2806", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S2817/javascript/metadata.json b/rules/S2817/javascript/metadata.json index 1b32865c4c9..13b3ac634ae 100644 --- a/rules/S2817/javascript/metadata.json +++ b/rules/S2817/javascript/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -16,19 +16,13 @@ "type-dependent" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2817", "sqKey": "S2817", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S2823/python/metadata.json b/rules/S2823/python/metadata.json index 2e4fdfe9c78..35071b27f44 100644 --- a/rules/S2823/python/metadata.json 
+++ b/rules/S2823/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "1min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2823", diff --git a/rules/S2857/metadata.json b/rules/S2857/metadata.json index 1df1829e322..47016545017 100644 --- a/rules/S2857/metadata.json +++ b/rules/S2857/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -16,12 +16,8 @@ "sql" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2857", diff --git a/rules/S2876/python/metadata.json b/rules/S2876/python/metadata.json index 1a8bcce5b31..7c102870a70 100644 --- a/rules/S2876/python/metadata.json +++ b/rules/S2876/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2876", diff --git a/rules/S2930/metadata.json b/rules/S2930/metadata.json index 7406a67af41..fc67b547960 100644 --- a/rules/S2930/metadata.json +++ b/rules/S2930/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -17,12 +17,8 @@ "denial-of-service" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2930", diff --git a/rules/S2931/metadata.json b/rules/S2931/metadata.json index 36c3e27b613..dd0da8642a2 100644 --- a/rules/S2931/metadata.json +++ b/rules/S2931/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -17,12 +17,8 @@ "denial-of-service" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2931", @@ -33,8 +29,6 @@ 459 ] }, - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S2953/metadata.json b/rules/S2953/metadata.json index fe33838cf36..5b62851ce3c 100644 --- a/rules/S2953/metadata.json +++ b/rules/S2953/metadata.json 
@@ -1,33 +1,29 @@ { - "title": "Methods named \"Dispose\" should implement \"IDisposable.Dispose\"", - "type": "CODE_SMELL", - "code": { - "impacts": { - "MAINTAINABILITY": "HIGH" - }, - "attribute": "IDENTIFIABLE" + "title": "Methods named \"Dispose\" should implement \"IDisposable.Dispose\"", + "type": "CODE_SMELL", + "code": { + "impacts": { + "MAINTAINABILITY": "BLOCKER" }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "10min" - }, - "tags": [ - "pitfall" - ], - "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] - }, - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-2953", - "sqKey": "S2953", - "scope": "Main", - "defaultQualityProfiles": [ - "Sonar way" - ] + "attribute": "IDENTIFIABLE" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "10min" + }, + "tags": [ + "pitfall" + ], + "extra": { + "replacementRules": [], + "legacyKeys": [] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-2953", + "sqKey": "S2953", + "scope": "Main", + "defaultQualityProfiles": [ + "Sonar way" + ] } diff --git a/rules/S2970/metadata.json b/rules/S2970/metadata.json index 16a48495ffe..676baf2d7b0 100644 --- a/rules/S2970/metadata.json +++ b/rules/S2970/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "TESTED" }, @@ -16,12 +16,8 @@ "tests" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2970", diff --git a/rules/S2975/java/metadata.json b/rules/S2975/java/metadata.json index e33b8f59841..a71f497e3da 100644 --- a/rules/S2975/java/metadata.json +++ b/rules/S2975/java/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, 
@@ -16,12 +16,8 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2975", diff --git a/rules/S3014/java/metadata.json b/rules/S3014/java/metadata.json index df0863a34fb..8f8b12c1aad 100644 --- a/rules/S3014/java/metadata.json +++ b/rules/S3014/java/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -18,12 +18,8 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3014", diff --git a/rules/S3046/metadata.json b/rules/S3046/metadata.json index 3ae94f087bc..2075741ebaf 100644 --- a/rules/S3046/metadata.json +++ b/rules/S3046/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -17,12 +17,8 @@ "deadlock" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3046", diff --git a/rules/S3060/metadata.json b/rules/S3060/metadata.json index 81840471f65..9455baeed99 100644 --- a/rules/S3060/metadata.json +++ b/rules/S3060/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "bad-practice" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3060", diff --git a/rules/S3237/csharp/metadata.json b/rules/S3237/csharp/metadata.json index 85221fd61f9..6ba57ede9f7 100644 --- a/rules/S3237/csharp/metadata.json 
+++ b/rules/S3237/csharp/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3237", diff --git a/rules/S3282/xml/metadata.json b/rules/S3282/xml/metadata.json index 006b4badded..c25d6c08b6e 100644 --- a/rules/S3282/xml/metadata.json +++ b/rules/S3282/xml/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,19 +16,13 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3282", "sqKey": "S3282", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3333/php/metadata.json b/rules/S3333/php/metadata.json index 7d7b380089a..22fe371ce02 100644 --- a/rules/S3333/php/metadata.json +++ b/rules/S3333/php/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -17,12 +17,8 @@ "php-ini" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3333", @@ -48,8 +44,6 @@ "6.2.4" ] }, - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3334/php/metadata.json b/rules/S3334/php/metadata.json index 0ac2df5b77d..717a878cba0 100644 --- a/rules/S3334/php/metadata.json +++ b/rules/S3334/php/metadata.json 
@@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -17,12 +17,8 @@ "php-ini" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3334", @@ -51,8 +47,6 @@ "5.3.9" ] }, - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3336/php/metadata.json b/rules/S3336/php/metadata.json index 9d7afa3cd9d..f52e9169a2a 100644 --- a/rules/S3336/php/metadata.json +++ b/rules/S3336/php/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -16,12 +16,8 @@ "php-ini" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3336", @@ -41,8 +37,6 @@ "6.2.4" ] }, - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3337/php/metadata.json b/rules/S3337/php/metadata.json index 25b4c085dfa..776dfec8ddf 100644 --- a/rules/S3337/php/metadata.json +++ b/rules/S3337/php/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -16,12 +16,8 @@ "php-ini" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3337", @@ -41,8 +37,6 @@ "6.2.4" ] }, - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3360/metadata.json b/rules/S3360/metadata.json index 159b7af3c07..95ffee2e361 100644 --- a/rules/S3360/metadata.json +++ b/rules/S3360/metadata.json 
@@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "IDENTIFIABLE" }, @@ -16,19 +16,13 @@ "tests" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3360", "sqKey": "S3360", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3374/xml/metadata.json b/rules/S3374/xml/metadata.json index 0ee53ae4398..3aa0a59ff99 100644 --- a/rules/S3374/xml/metadata.json +++ b/rules/S3374/xml/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "struts" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3374", diff --git a/rules/S3403/python/metadata.json b/rules/S3403/python/metadata.json index 40076174a98..69f61522fd9 100644 --- a/rules/S3403/python/metadata.json +++ b/rules/S3403/python/metadata.json @@ -1,7 +1,7 @@ { "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, diff --git a/rules/S3427/metadata.json b/rules/S3427/metadata.json index a5cf1cb0040..168653fdb3e 100644 --- a/rules/S3427/metadata.json +++ b/rules/S3427/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -17,12 +17,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3427", diff --git a/rules/S3433/metadata.json b/rules/S3433/metadata.json index e8a3d6a9ab3..43fc8ab7a15 100644 
--- a/rules/S3433/metadata.json +++ b/rules/S3433/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "tests" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3433", diff --git a/rules/S3443/metadata.json b/rules/S3443/metadata.json index 44b9240bc58..885cb3f45ce 100644 --- a/rules/S3443/metadata.json +++ b/rules/S3443/metadata.json @@ -1,35 +1,30 @@ { - "title": "Type should not be examined on \"System.Type\" instances", - "type": "CODE_SMELL", - "code": { - "impacts": { - "MAINTAINABILITY": "HIGH" - }, - "attribute": "CLEAR" + "title": "Type should not be examined on \"System.Type\" instances", + "type": "CODE_SMELL", + "code": { + "impacts": { + "MAINTAINABILITY": "BLOCKER" }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "5min" - }, - "tags": [ - "suspicious" - ], - "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] - }, - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-3443", - "sqKey": "S3443", - "scope": "All", - "defaultQualityProfiles": [ - "Sonar way" - ], - "quickfix": "unknown" - } - \ No newline at end of file + "attribute": "CLEAR" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + "suspicious" + ], + "extra": { + "replacementRules": [], + "legacyKeys": [] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-3443", + "sqKey": "S3443", + "scope": "All", + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S3464/metadata.json b/rules/S3464/metadata.json index 59cacdbac8b..6546c715681 100644 --- a/rules/S3464/metadata.json +++ b/rules/S3464/metadata.json 
@@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "1h" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3464", diff --git a/rules/S3481/cobol/metadata.json b/rules/S3481/cobol/metadata.json index dca8181e092..9801b84dc5f 100644 --- a/rules/S3481/cobol/metadata.json +++ b/rules/S3481/cobol/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -17,19 +17,13 @@ "sql" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3481", "sqKey": "S3481", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3491/cfamily/metadata.json b/rules/S3491/cfamily/metadata.json index 2aa500c3827..8d14ec98622 100644 --- a/rules/S3491/cfamily/metadata.json +++ b/rules/S3491/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,12 +16,8 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3491", diff --git a/rules/S3516/metadata.json b/rules/S3516/metadata.json index 35054a49152..eb76cbea38a 100644 --- a/rules/S3516/metadata.json +++ b/rules/S3516/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -13,16 +13,10 @@ "linearDesc": "Per number of return statements", "linearFactor": "2min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3516", diff --git a/rules/S3519/cfamily/metadata.json b/rules/S3519/cfamily/metadata.json index e31d767b132..9e0a11eb724 100644 --- a/rules/S3519/cfamily/metadata.json +++ b/rules/S3519/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -18,12 +18,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3519", diff --git a/rules/S3520/cfamily/metadata.json b/rules/S3520/cfamily/metadata.json index 6ba91ba6e0e..c541d9581a1 100644 --- a/rules/S3520/cfamily/metadata.json +++ b/rules/S3520/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "symbolic-execution" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3520", diff --git a/rules/S3529/cfamily/metadata.json b/rules/S3529/cfamily/metadata.json index 46c1d9db022..aa674af9e8b 100644 --- a/rules/S3529/cfamily/metadata.json +++ b/rules/S3529/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -18,12 +18,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3529", 
diff --git a/rules/S3546/java/metadata.json b/rules/S3546/java/metadata.json index 93c1936fb7c..82d41875e42 100644 --- a/rules/S3546/java/metadata.json +++ b/rules/S3546/java/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -17,19 +17,13 @@ "symbolic-execution" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3546", "sqKey": "S3546", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3584/cfamily/metadata.json b/rules/S3584/cfamily/metadata.json index c00fd2d00b0..ae22a0a0f56 100644 --- a/rules/S3584/cfamily/metadata.json +++ b/rules/S3584/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -20,12 +20,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3584", diff --git a/rules/S3588/cfamily/metadata.json b/rules/S3588/cfamily/metadata.json index 4a53f23d071..38277ed35f8 100644 --- a/rules/S3588/cfamily/metadata.json +++ b/rules/S3588/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3588", diff --git a/rules/S3590/cfamily/metadata.json b/rules/S3590/cfamily/metadata.json index 0613581f141..a1104b9ecdb 100644 --- a/rules/S3590/cfamily/metadata.json +++ b/rules/S3590/cfamily/metadata.json 
@@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "unpredictable" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3590", diff --git a/rules/S3618/metadata.json b/rules/S3618/metadata.json index e6aaf3c4b9d..6d776c6e017 100644 --- a/rules/S3618/metadata.json +++ b/rules/S3618/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "sql" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3618", diff --git a/rules/S3654/cfamily/metadata.json b/rules/S3654/cfamily/metadata.json index 73695f9ad99..ac61d7045a2 100644 --- a/rules/S3654/cfamily/metadata.json +++ b/rules/S3654/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -18,12 +18,8 @@ "since-c++11" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3654", diff --git a/rules/S3657/cfamily/metadata.json b/rules/S3657/cfamily/metadata.json index ac25aeea78b..765b1bcd1f3 100644 --- a/rules/S3657/cfamily/metadata.json +++ b/rules/S3657/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3657", 
diff --git a/rules/S3692/cfamily/metadata.json b/rules/S3692/cfamily/metadata.json index 466a05098fa..d6ff0233594 100644 --- a/rules/S3692/cfamily/metadata.json +++ b/rules/S3692/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -17,12 +17,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3692", diff --git a/rules/S3729/cfamily/metadata.json b/rules/S3729/cfamily/metadata.json index 41e8daa8ed8..b78d304386e 100644 --- a/rules/S3729/cfamily/metadata.json +++ b/rules/S3729/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -16,12 +16,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3729", diff --git a/rules/S3753/java/metadata.json b/rules/S3753/java/metadata.json index eaaa5b9c15e..f0e3b573895 100644 --- a/rules/S3753/java/metadata.json +++ b/rules/S3753/java/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -16,12 +16,8 @@ "spring" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3753", diff --git a/rules/S3796/javascript/metadata.json b/rules/S3796/javascript/metadata.json index 0679497c4de..d5bfe279fe7 100644 --- a/rules/S3796/javascript/metadata.json +++ b/rules/S3796/javascript/metadata.json 
@@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -16,12 +16,8 @@ "type-dependent" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3796", diff --git a/rules/S3827/metadata.json b/rules/S3827/metadata.json index fdd8b2af7b0..e86821e5380 100644 --- a/rules/S3827/metadata.json +++ b/rules/S3827/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3827", diff --git a/rules/S3862/metadata.json b/rules/S3862/metadata.json index 064c5f5850e..b9626bad786 100644 --- a/rules/S3862/metadata.json +++ b/rules/S3862/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3862", diff --git a/rules/S3869/metadata.json b/rules/S3869/metadata.json index d16e7942974..c898d84ac16 100644 --- a/rules/S3869/metadata.json +++ b/rules/S3869/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, 
@@ -17,12 +17,8 @@ "unpredictable" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3869", diff --git a/rules/S3875/metadata.json b/rules/S3875/metadata.json index c677d701b99..7aebb8d23d6 100644 --- a/rules/S3875/metadata.json +++ b/rules/S3875/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,12 +16,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3875", diff --git a/rules/S3877/metadata.json b/rules/S3877/metadata.json index b22a51f65ab..c6cf8dee7ae 100644 --- a/rules/S3877/metadata.json +++ b/rules/S3877/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3877", @@ -31,4 +27,4 @@ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S3884/metadata.json b/rules/S3884/metadata.json index 4d6a417186b..e0da8353de9 100644 --- a/rules/S3884/metadata.json +++ b/rules/S3884/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,15 +12,10 @@ "func": "Constant\/Issue", "constantCost": "20min" }, - "tags": [ - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3884", 
@@ -43,7 +38,6 @@ "6.2.4" ] }, - "defaultQualityProfiles": [ - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S3889/metadata.json b/rules/S3889/metadata.json index 5b1728476b1..c2bd0874e82 100644 --- a/rules/S3889/metadata.json +++ b/rules/S3889/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "unpredictable" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3889", diff --git a/rules/S3931/metadata.json b/rules/S3931/metadata.json index 40729933acb..93d39c14ce8 100644 --- a/rules/S3931/metadata.json +++ b/rules/S3931/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,12 +16,8 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3931", diff --git a/rules/S3936/cfamily/metadata.json b/rules/S3936/cfamily/metadata.json index bf1dca95128..4636202c8a2 100644 --- a/rules/S3936/cfamily/metadata.json +++ b/rules/S3936/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "gnu" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-3936", diff --git a/rules/S3938/cobol/metadata.json b/rules/S3938/cobol/metadata.json index fb70b9a2389..3748c0c5011 100644 --- a/rules/S3938/cobol/metadata.json +++ b/rules/S3938/cobol/metadata.json 
@@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "LOW" + "MAINTAINABILITY": "INFO" }, "attribute": "CONVENTIONAL" }, @@ -12,23 +12,15 @@ "func": "Constant\/Issue", "constantCost": "0min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Info", "ruleSpecification": "RSPEC-3938", "sqKey": "S3938", "scope": "All", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S4159/metadata.json b/rules/S4159/metadata.json index 04e5db50ca7..977de49ca2f 100644 --- a/rules/S4159/metadata.json +++ b/rules/S4159/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4159", diff --git a/rules/S4462/metadata.json b/rules/S4462/metadata.json index 031f3c626fe..8fda3adc316 100644 --- a/rules/S4462/metadata.json +++ b/rules/S4462/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,19 +17,13 @@ "deadlock" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4462", "sqKey": "S4462", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S4577/plsql/metadata.json b/rules/S4577/plsql/metadata.json index c9c0ad23f23..055545f7fb3 100644 --- a/rules/S4577/plsql/metadata.json +++ b/rules/S4577/plsql/metadata.json 
@@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "EFFICIENT" }, @@ -16,19 +16,13 @@ "performance" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4577", "sqKey": "S4577", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S4602/java/metadata.json b/rules/S4602/java/metadata.json index d9a079f19f1..3afc6e303d9 100644 --- a/rules/S4602/java/metadata.json +++ b/rules/S4602/java/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "spring" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4602", diff --git a/rules/S4650/css/metadata.json b/rules/S4650/css/metadata.json index fb9b030acbc..92962326bd4 100644 --- a/rules/S4650/css/metadata.json +++ b/rules/S4650/css/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "1min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4650", diff --git a/rules/S4653/css/metadata.json b/rules/S4653/css/metadata.json index dca1ada2203..ec340253bb1 100644 --- a/rules/S4653/css/metadata.json +++ b/rules/S4653/css/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4653", diff --git a/rules/S4654/css/metadata.json b/rules/S4654/css/metadata.json index 7b51088332e..8241b34aeef 100644 --- a/rules/S4654/css/metadata.json +++ b/rules/S4654/css/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4654", diff --git a/rules/S4668/css/metadata.json b/rules/S4668/css/metadata.json index bc63501d87b..90e07c7022d 100644 --- a/rules/S4668/css/metadata.json +++ b/rules/S4668/css/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "1min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4668", diff --git a/rules/S4997/cfamily/metadata.json b/rules/S4997/cfamily/metadata.json index da81ec0a2c7..6fc671e50ad 100644 --- a/rules/S4997/cfamily/metadata.json +++ b/rules/S4997/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, 
@@ -17,12 +17,8 @@ "since-c++11" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4997", diff --git a/rules/S4999/cfamily/metadata.json b/rules/S4999/cfamily/metadata.json index 09c6a722757..b7612fb5c16 100644 --- a/rules/S4999/cfamily/metadata.json +++ b/rules/S4999/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-4999", diff --git a/rules/S5000/cfamily/metadata.json b/rules/S5000/cfamily/metadata.json index 44453fc42a1..cd14354f23c 100644 --- a/rules/S5000/cfamily/metadata.json +++ b/rules/S5000/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "unpredictable" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5000", diff --git a/rules/S5018/cfamily/metadata.json b/rules/S5018/cfamily/metadata.json index 033dd40fd3d..1e53d524de8 100644 --- a/rules/S5018/cfamily/metadata.json +++ b/rules/S5018/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "EFFICIENT" }, @@ -18,12 +18,8 @@ "since-c++11" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5018", 
diff --git a/rules/S5020/cfamily/metadata.json b/rules/S5020/cfamily/metadata.json index de5fdd5acb3..2960a6b1767 100644 --- a/rules/S5020/cfamily/metadata.json +++ b/rules/S5020/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -17,12 +17,8 @@ "since-c++11" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5020", diff --git a/rules/S5117/abap/metadata.json b/rules/S5117/abap/metadata.json index 92593f50d7a..78b350b14d4 100644 --- a/rules/S5117/abap/metadata.json +++ b/rules/S5117/abap/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5117", diff --git a/rules/S5184/cfamily/metadata.json b/rules/S5184/cfamily/metadata.json index c5e9866b2ae..abc30b29f8b 100644 --- a/rules/S5184/cfamily/metadata.json +++ b/rules/S5184/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5184", diff --git a/rules/S5267/cfamily/metadata.json b/rules/S5267/cfamily/metadata.json index 6d2a64d0efd..ff2dffe2135 100644 --- a/rules/S5267/cfamily/metadata.json +++ b/rules/S5267/cfamily/metadata.json 
@@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "confusing" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5267", diff --git a/rules/S5302/cfamily/metadata.json b/rules/S5302/cfamily/metadata.json index 24d63162ad3..36070fe8beb 100644 --- a/rules/S5302/cfamily/metadata.json +++ b/rules/S5302/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "misra-c++2008" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5302", diff --git a/rules/S5335/php/metadata.json b/rules/S5335/php/metadata.json index 777da05ecd5..5c8b921548c 100644 --- a/rules/S5335/php/metadata.json +++ b/rules/S5335/php/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -16,12 +16,8 @@ "cwe" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5335", diff --git a/rules/S5376/apex/metadata.json b/rules/S5376/apex/metadata.json index 76478a47725..4ceabf80854 100644 --- a/rules/S5376/apex/metadata.json +++ b/rules/S5376/apex/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5376", diff --git a/rules/S5377/apex/metadata.json b/rules/S5377/apex/metadata.json index de9574d2d84..96baf4f8443 100644 --- a/rules/S5377/apex/metadata.json +++ b/rules/S5377/apex/metadata.json @@ -1,9 +1,9 @@ { - "title": "Sharing level should be specified in Apex Classes with SOQL\/SOSL Queries or DML Statements", + "title": "Sharing level should be specified in Apex Classes with SOQL/SOSL Queries or DML Statements", "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5377", diff --git a/rules/S5379/apex/metadata.json b/rules/S5379/apex/metadata.json index 07527e38428..f7ed32fdbb2 100644 --- a/rules/S5379/apex/metadata.json +++ b/rules/S5379/apex/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5379", diff --git a/rules/S5382/apex/metadata.json b/rules/S5382/apex/metadata.json index e312118aa9e..c463926f207 100644 --- a/rules/S5382/apex/metadata.json +++ b/rules/S5382/apex/metadata.json 
@@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -16,12 +16,8 @@ "governor-limits" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5382", diff --git a/rules/S5389/apex/metadata.json b/rules/S5389/apex/metadata.json index 03ecadc5358..321c2e30204 100644 --- a/rules/S5389/apex/metadata.json +++ b/rules/S5389/apex/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5389", diff --git a/rules/S5404/cfamily/metadata.json b/rules/S5404/cfamily/metadata.json index d970703ffd1..1ba35597450 100644 --- a/rules/S5404/cfamily/metadata.json +++ b/rules/S5404/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -19,12 +19,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5404", diff --git a/rules/S5417/cfamily/metadata.json b/rules/S5417/cfamily/metadata.json index ff7c23468e8..c3a4c41ec72 100644 --- a/rules/S5417/cfamily/metadata.json +++ b/rules/S5417/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -18,12 +18,8 @@ "since-c++11" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5417", diff --git a/rules/S5486/cfamily/metadata.json b/rules/S5486/cfamily/metadata.json index 14df1e3d829..849d0d56f30 100644 --- a/rules/S5486/cfamily/metadata.json +++ b/rules/S5486/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -18,12 +18,8 @@ "multi-threading" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5486", diff --git a/rules/S5487/cfamily/metadata.json b/rules/S5487/cfamily/metadata.json index 4fade9d2d6b..d990b0b698d 100644 --- a/rules/S5487/cfamily/metadata.json +++ b/rules/S5487/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "multi-threading" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5487", diff --git a/rules/S5489/cfamily/metadata.json b/rules/S5489/cfamily/metadata.json index a6cb67e5e92..63cd5a73520 100644 --- a/rules/S5489/cfamily/metadata.json +++ b/rules/S5489/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,12 +17,8 @@ "multi-threading" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5489", diff --git a/rules/S5496/metadata.json b/rules/S5496/metadata.json index bc7a112666f..8974b5e8b44 100644 
--- a/rules/S5496/metadata.json +++ b/rules/S5496/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -17,12 +17,8 @@ "python3" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5496", diff --git a/rules/S5502/cfamily/metadata.json b/rules/S5502/cfamily/metadata.json index bd25034d13e..acc16c6e403 100644 --- a/rules/S5502/cfamily/metadata.json +++ b/rules/S5502/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -19,12 +19,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5502", diff --git a/rules/S5549/python/metadata.json b/rules/S5549/python/metadata.json index a542c47e6e0..6fea0d008d1 100644 --- a/rules/S5549/python/metadata.json +++ b/rules/S5549/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5549", diff --git a/rules/S5553/cfamily/metadata.json b/rules/S5553/cfamily/metadata.json index 20009509c74..d200bc30907 100644 --- a/rules/S5553/cfamily/metadata.json +++ b/rules/S5553/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -16,12 +16,8 @@ "symbolic-execution" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5553", diff --git a/rules/S5607/python/metadata.json b/rules/S5607/python/metadata.json index 15d224f5d23..ab02aac2263 100644 --- a/rules/S5607/python/metadata.json +++ b/rules/S5607/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "20min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5607", diff --git a/rules/S5632/metadata.json b/rules/S5632/metadata.json index 038fce49869..177f6fb7a64 100644 --- a/rules/S5632/metadata.json +++ b/rules/S5632/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5632", diff --git a/rules/S5633/python/metadata.json b/rules/S5633/python/metadata.json index 0855421847c..05fedd4fb68 100644 --- a/rules/S5633/python/metadata.json +++ b/rules/S5633/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "20min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5633", diff --git a/rules/S5639/cfamily/metadata.json b/rules/S5639/cfamily/metadata.json index 8f2edaaeff5..b13b8b5f7e3 100644 --- a/rules/S5639/cfamily/metadata.json +++ b/rules/S5639/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "LOW" + "MAINTAINABILITY": "INFO" }, "attribute": "CONVENTIONAL" }, @@ -12,23 +12,15 @@ "func": "Constant\/Issue", "constantCost": "0min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Info", "ruleSpecification": "RSPEC-5639", "sqKey": "S5639", "scope": "All", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S5642/python/metadata.json b/rules/S5642/python/metadata.json index cc4f1de90d9..16e31bd09bf 100644 --- a/rules/S5642/python/metadata.json +++ b/rules/S5642/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "20min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5642", diff --git a/rules/S5644/python/metadata.json b/rules/S5644/python/metadata.json index 6f7d73bf573..c324e9dc3c2 100644 --- a/rules/S5644/python/metadata.json +++ b/rules/S5644/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "20min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5644", diff --git a/rules/S5708/metadata.json b/rules/S5708/metadata.json index 6f4f19946af..e316e009d29 100644 --- a/rules/S5708/metadata.json +++ b/rules/S5708/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5708", diff --git a/rules/S5714/python/metadata.json b/rules/S5714/python/metadata.json index 625ad1022b4..3301dea7140 100644 --- a/rules/S5714/python/metadata.json +++ b/rules/S5714/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5714", diff --git a/rules/S5719/python/metadata.json b/rules/S5719/python/metadata.json index 506fb3e6b1f..2d2474cac30 100644 --- a/rules/S5719/python/metadata.json +++ b/rules/S5719/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5719", diff --git a/rules/S5722/python/metadata.json b/rules/S5722/python/metadata.json index 849856a58fb..32afdb9df94 100644 --- a/rules/S5722/python/metadata.json +++ b/rules/S5722/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5722", diff --git a/rules/S5724/python/metadata.json b/rules/S5724/python/metadata.json index 96d630e9e63..ef5e657b80d 100644 --- a/rules/S5724/python/metadata.json +++ b/rules/S5724/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5724", diff --git a/rules/S5756/python/metadata.json b/rules/S5756/python/metadata.json index b05eb48d620..17af3fe14a4 100644 --- a/rules/S5756/python/metadata.json +++ b/rules/S5756/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "20min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5756", diff --git a/rules/S5786/java/metadata.json b/rules/S5786/java/metadata.json index dbd2d3a3e8a..1b7853cb6f8 100644 --- a/rules/S5786/java/metadata.json +++ b/rules/S5786/java/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "LOW" + "MAINTAINABILITY": "INFO" }, "attribute": "CLEAR" }, @@ -17,12 +17,8 @@ "tests" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Info", "ruleSpecification": "RSPEC-5786", diff --git a/rules/S5793/java/metadata.json b/rules/S5793/java/metadata.json index 8a95f26b522..77273b3d2bd 100644 --- a/rules/S5793/java/metadata.json +++ b/rules/S5793/java/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "LOW" + "MAINTAINABILITY": "INFO" }, "attribute": "CONVENTIONAL" }, @@ -17,19 +17,13 @@ "tests" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Info", "ruleSpecification": "RSPEC-5793", "sqKey": "S5793", "scope": "Tests", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S5798/cfamily/metadata.json b/rules/S5798/cfamily/metadata.json index f6da1055c77..8cc5201a750 100644 --- a/rules/S5798/cfamily/metadata.json +++ b/rules/S5798/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "LOGICAL" }, 
@@ -16,12 +16,8 @@ "cwe" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5798", diff --git a/rules/S5807/python/metadata.json b/rules/S5807/python/metadata.json index 3e4b8e44a38..4d7811f38ea 100644 --- a/rules/S5807/python/metadata.json +++ b/rules/S5807/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "1min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5807", diff --git a/rules/S5828/python/metadata.json b/rules/S5828/python/metadata.json index 7bf4eb880cb..87b5282ed64 100644 --- a/rules/S5828/python/metadata.json +++ b/rules/S5828/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "1min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5828", diff --git a/rules/S5905/python/metadata.json b/rules/S5905/python/metadata.json index fdcdd185d96..3d5675c4b7b 100644 --- a/rules/S5905/python/metadata.json +++ b/rules/S5905/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "tests" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5905", 
diff --git a/rules/S5911/php/metadata.json b/rules/S5911/php/metadata.json index e4885442244..1531d8923e7 100644 --- a/rules/S5911/php/metadata.json +++ b/rules/S5911/php/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5911", diff --git a/rules/S5912/cfamily/metadata.json b/rules/S5912/cfamily/metadata.json index a51111352dd..513f653d046 100644 --- a/rules/S5912/cfamily/metadata.json +++ b/rules/S5912/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "cppcoreguidelines" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5912", diff --git a/rules/S5953/python/metadata.json b/rules/S5953/python/metadata.json index 95f4263f997..ec52e96373e 100644 --- a/rules/S5953/python/metadata.json +++ b/rules/S5953/python/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,23 +12,15 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5953", "sqKey": "S5953", "scope": "All", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S5979/java/metadata.json b/rules/S5979/java/metadata.json index edccd875ddd..e7c1a85c0f2 100644 --- a/rules/S5979/java/metadata.json 
+++ b/rules/S5979/java/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,19 +17,13 @@ "mockito" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5979", "sqKey": "S5979", "scope": "Tests", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S5999/cfamily/metadata.json b/rules/S5999/cfamily/metadata.json index 322e87b8e8a..ea94ce10b3c 100644 --- a/rules/S5999/cfamily/metadata.json +++ b/rules/S5999/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -16,12 +16,8 @@ "since-c++17" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-5999", diff --git a/rules/S6025/cfamily/metadata.json b/rules/S6025/cfamily/metadata.json index 74e96f215d2..19d00d5716b 100644 --- a/rules/S6025/cfamily/metadata.json +++ b/rules/S6025/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "FOCUSED" }, @@ -18,12 +18,8 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6025", diff --git a/rules/S6208/java/metadata.json b/rules/S6208/java/metadata.json index dfd4218a78a..bd74c6fde32 100644 --- a/rules/S6208/java/metadata.json +++ b/rules/S6208/java/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "LOW" + "MAINTAINABILITY": "INFO" }, "attribute": "CLEAR" }, 
diff --git a/rules/S6212/java/metadata.json b/rules/S6212/java/metadata.json index 7ba08fa2cda..b80169d49b3 100644 --- a/rules/S6212/java/metadata.json +++ b/rules/S6212/java/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "LOW" + "MAINTAINABILITY": "INFO" }, "attribute": "CLEAR" }, @@ -16,19 +16,13 @@ "java10" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Info", "ruleSpecification": "RSPEC-6212", "sqKey": "S6212", "scope": "Main", - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S6223/cfamily/metadata.json b/rules/S6223/cfamily/metadata.json index a54f2217507..b2125117f92 100644 --- a/rules/S6223/cfamily/metadata.json +++ b/rules/S6223/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -12,16 +12,10 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6223", diff --git a/rules/S6265/metadata.json b/rules/S6265/metadata.json index 9698c073266..677f5bf6525 100644 --- a/rules/S6265/metadata.json +++ b/rules/S6265/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -17,12 +17,8 @@ "cwe" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6265", diff --git a/rules/S6268/javascript/metadata.json b/rules/S6268/javascript/metadata.json index 873e91d92da..8f6ca4a6c6d 100644 --- a/rules/S6268/javascript/metadata.json 
+++ b/rules/S6268/javascript/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -12,12 +12,8 @@ "cwe" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6268", diff --git a/rules/S6270/metadata.json b/rules/S6270/metadata.json index 689750e90ce..23c29806819 100644 --- a/rules/S6270/metadata.json +++ b/rules/S6270/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -17,12 +17,8 @@ "cwe" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6270", diff --git a/rules/S6292/secrets/metadata.json b/rules/S6292/secrets/metadata.json index a4d5fa99774..bfa4c973408 100644 --- a/rules/S6292/secrets/metadata.json +++ b/rules/S6292/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, @@ -17,12 +17,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6292", diff --git a/rules/S6299/javascript/metadata.json b/rules/S6299/javascript/metadata.json index e4632d4c9ab..1f743c25815 100644 --- a/rules/S6299/javascript/metadata.json +++ b/rules/S6299/javascript/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -12,9 +12,7 @@ "cwe" ], "extra": { - "replacementRules": [ - - ] + "replacementRules": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6299", 
diff --git a/rules/S6302/metadata.json b/rules/S6302/metadata.json index 92d33a2d03c..66a0c3dd7a6 100644 --- a/rules/S6302/metadata.json +++ b/rules/S6302/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -17,12 +17,8 @@ "aws" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6302", diff --git a/rules/S6304/metadata.json b/rules/S6304/metadata.json index d6a22bcc0dd..d64c3663366 100644 --- a/rules/S6304/metadata.json +++ b/rules/S6304/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -17,12 +17,8 @@ "cwe" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6304", diff --git a/rules/S6329/metadata.json b/rules/S6329/metadata.json index a8f5e20fd4a..b6c56afe71a 100644 --- a/rules/S6329/metadata.json +++ b/rules/S6329/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, @@ -17,12 +17,8 @@ "aws" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6329", diff --git a/rules/S6333/metadata.json b/rules/S6333/metadata.json index caace865ec2..f1a88b8e324 100644 --- a/rules/S6333/metadata.json +++ b/rules/S6333/metadata.json @@ -3,7 +3,7 @@ "type": "SECURITY_HOTSPOT", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, 
@@ -17,12 +17,8 @@
 "cwe"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6333",
diff --git a/rules/S6334/secrets/metadata.json b/rules/S6334/secrets/metadata.json
index bbb2be64b75..9978f2b2d93 100644
--- a/rules/S6334/secrets/metadata.json
+++ b/rules/S6334/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6335/secrets/metadata.json b/rules/S6335/secrets/metadata.json
index bd3d8e34cc6..015a0f94724 100644
--- a/rules/S6335/secrets/metadata.json
+++ b/rules/S6335/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6336/secrets/metadata.json b/rules/S6336/secrets/metadata.json
index 100bc2c669e..a923030da7e 100644
--- a/rules/S6336/secrets/metadata.json
+++ b/rules/S6336/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6336",
diff --git a/rules/S6337/secrets/metadata.json b/rules/S6337/secrets/metadata.json
index 525a7ec6496..28c4ae2fb29 100644
--- a/rules/S6337/secrets/metadata.json
+++ b/rules/S6337/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6338/secrets/metadata.json b/rules/S6338/secrets/metadata.json
index 54c3d809042..e6686f32711 100644
--- a/rules/S6338/secrets/metadata.json
+++ b/rules/S6338/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6338",
diff --git a/rules/S6373/metadata.json b/rules/S6373/metadata.json
index 16e169eb382..2de76c79cd3 100644
--- a/rules/S6373/metadata.json
+++ b/rules/S6373/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "CONVENTIONAL"
 },
@@ -12,16 +12,10 @@
 "func": "Constant\/Issue",
 "constantCost": "15min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6373",
diff --git a/rules/S6418/metadata.json b/rules/S6418/metadata.json
index a86843959c6..6498a5cc147 100644
--- a/rules/S6418/metadata.json
+++ b/rules/S6418/metadata.json
@@ -3,7 +3,7 @@
 "type": "SECURITY_HOTSPOT",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -16,12 +16,8 @@
 "cwe"
 ],
 "extra": {
- "replacementRules": [
-
- ],
- "legacyKeys": [
-
- ]
+ "replacementRules": [],
+ "legacyKeys": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6418",
diff --git a/rules/S6422/csharp/metadata.json b/rules/S6422/csharp/metadata.json
index 6eba679b033..f377c81b3e8 100644
--- a/rules/S6422/csharp/metadata.json
+++ b/rules/S6422/csharp/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "EFFICIENT"
 },
@@ -20,6 +20,8 @@
 "ruleSpecification": "RSPEC-6422",
 "sqKey": "S6422",
 "scope": "Main",
- "defaultQualityProfiles": ["Sonar way"],
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
 "quickfix": "infeasible"
 }
diff --git a/rules/S6424/csharp/metadata.json b/rules/S6424/csharp/metadata.json
index 329991d9ae6..9dbc7a93a37 100644
--- a/rules/S6424/csharp/metadata.json
+++ b/rules/S6424/csharp/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "LOGICAL"
 },
diff --git a/rules/S6427/cfamily/metadata.json b/rules/S6427/cfamily/metadata.json
index bce9407146b..81606b49b58 100644
--- a/rules/S6427/cfamily/metadata.json
+++ b/rules/S6427/cfamily/metadata.json
@@ -3,7 +3,7 @@
 "type": "BUG",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "COMPLETE"
 },
@@ -12,11 +12,15 @@
 "func": "Constant\/Issue",
 "constantCost": "1min"
 },
- "tags": ["since-c++17" ],
+ "tags": [
+ "since-c++17"
+ ],
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6427",
 "sqKey": "S6427",
 "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
 "quickfix": "covered"
 }
diff --git a/rules/S6472/metadata.json b/rules/S6472/metadata.json
index 3566b2c3b57..574396a5811 100644
--- a/rules/S6472/metadata.json
+++ b/rules/S6472/metadata.json
@@ -1,30 +1,32 @@
 {
- "title": "Using ENV or ARG to handle secrets is security-sensitive",
- "type": "SECURITY_HOTSPOT",
- "code": {
- "impacts": {
- "SECURITY": "HIGH"
- },
- "attribute": "TRUSTWORTHY"
+ "title": "Using ENV or ARG to handle secrets is security-sensitive",
+ "type": "SECURITY_HOTSPOT",
+ "code": {
+ "impacts": {
+ "SECURITY": "BLOCKER"
 },
- "status": "ready",
- "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "20min"
- },
- "tags": [
- "dockerfile",
- "cwe"
- ],
- "defaultSeverity": "Blocker",
- "ruleSpecification": "RSPEC-6472",
- "sqKey": "S6472",
- "scope": "All",
- "securityStandards": {
- "CWE": [
- 522
- ]
- },
- "defaultQualityProfiles": ["Sonar way"],
- "quickfix": "unknown"
-}
\ No newline at end of file
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "20min"
+ },
+ "tags": [
+ "dockerfile",
+ "cwe"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6472",
+ "sqKey": "S6472",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 522
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6493/cfamily/metadata.json b/rules/S6493/cfamily/metadata.json
index dfbca95a9fe..0e179571179 100644
--- a/rules/S6493/cfamily/metadata.json
+++ b/rules/S6493/cfamily/metadata.json
@@ -3,7 +3,7 @@
 "type": "BUG",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "CONVENTIONAL"
 },
@@ -19,6 +19,8 @@
 "ruleSpecification": "RSPEC-6493",
 "sqKey": "S6493",
 "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
 "quickfix": "targeted"
 }
diff --git a/rules/S6539/java/metadata.json b/rules/S6539/java/metadata.json
index 22f4de17702..87e0c82e84e 100644
--- a/rules/S6539/java/metadata.json
+++ b/rules/S6539/java/metadata.json
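Review bot: The S6472 hunk rewrites every line of the file because the indentation changed, so its one semantic change — `"SECURITY": "HIGH"` becoming `"SECURITY": "BLOCKER"` — is buried among 30 removed and 32 added lines; the same applies to the S6752 and S6771 sections further down. Landing the re-indent as a separate formatting-only commit (or at least reviewing this one with whitespace ignored) would keep the impact-level change reviewable on its own and make it easy to confirm that nothing else in those three files moved. It would also help future readers to state the mapping rule once (old `HIGH` impact to `BLOCKER`, old `LOW` to `INFO`) in the commit message, since every file here appears to derive the new impact level from its `defaultSeverity` and the reader currently has to infer that from the pattern.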
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "LOW"
+ "MAINTAINABILITY": "INFO"
 },
 "attribute": "MODULAR"
 },
diff --git a/rules/S6541/java/metadata.json b/rules/S6541/java/metadata.json
index b0d4fd3efa5..f888c1ab589 100644
--- a/rules/S6541/java/metadata.json
+++ b/rules/S6541/java/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "LOW"
+ "MAINTAINABILITY": "INFO"
 },
 "attribute": "FOCUSED"
 },
diff --git a/rules/S6548/java/metadata.json b/rules/S6548/java/metadata.json
index ef4874f4a80..336d220af98 100644
--- a/rules/S6548/java/metadata.json
+++ b/rules/S6548/java/metadata.json
@@ -3,7 +3,7 @@
 "type": "CODE_SMELL",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "LOW"
+ "MAINTAINABILITY": "INFO"
 },
 "attribute": "MODULAR"
 },
diff --git a/rules/S6652/secrets/metadata.json b/rules/S6652/secrets/metadata.json
index 0302bc8416d..5aa6b0693e9 100644
--- a/rules/S6652/secrets/metadata.json
+++ b/rules/S6652/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6652",
diff --git a/rules/S6655/cfamily/metadata.json b/rules/S6655/cfamily/metadata.json
index b6d90d947c9..1f287b099ed 100644
--- a/rules/S6655/cfamily/metadata.json
+++ b/rules/S6655/cfamily/metadata.json
@@ -3,7 +3,7 @@
 "type": "BUG",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
 },
 "attribute": "LOGICAL"
 },
@@ -13,12 +13,14 @@
 "constantCost": "15min"
 },
 "tags": [
- "symbolic-execution"
+ "symbolic-execution"
 ],
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6655",
 "sqKey": "S6655",
 "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
 "quickfix": "infeasible"
 }
diff --git a/rules/S6684/secrets/metadata.json b/rules/S6684/secrets/metadata.json
index 9f5e38d7d95..6770c2e4273 100644
--- a/rules/S6684/secrets/metadata.json
+++ b/rules/S6684/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6684",
diff --git a/rules/S6686/secrets/metadata.json b/rules/S6686/secrets/metadata.json
index ff13fbb8551..3c7569f5e70 100644
--- a/rules/S6686/secrets/metadata.json
+++ b/rules/S6686/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6686",
diff --git a/rules/S6687/secrets/metadata.json b/rules/S6687/secrets/metadata.json
index 5f64f790005..b09330c009d 100644
--- a/rules/S6687/secrets/metadata.json
+++ b/rules/S6687/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6687",
diff --git a/rules/S6688/secrets/metadata.json b/rules/S6688/secrets/metadata.json
index d95a7e38e8f..8a4599f2d6e 100644
--- a/rules/S6688/secrets/metadata.json
+++ b/rules/S6688/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6688",
diff --git a/rules/S6689/secrets/metadata.json b/rules/S6689/secrets/metadata.json
index b0aedde9475..34665e93059 100644
--- a/rules/S6689/secrets/metadata.json
+++ b/rules/S6689/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6689",
diff --git a/rules/S6690/secrets/metadata.json b/rules/S6690/secrets/metadata.json
index 520989325d5..ff4202a0b17 100644
--- a/rules/S6690/secrets/metadata.json
+++ b/rules/S6690/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6690",
diff --git a/rules/S6691/secrets/metadata.json b/rules/S6691/secrets/metadata.json
index a809d0c21dc..5a3b42bb27c 100644
--- a/rules/S6691/secrets/metadata.json
+++ b/rules/S6691/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6691",
diff --git a/rules/S6692/secrets/metadata.json b/rules/S6692/secrets/metadata.json
index dafec401530..7bf949ef9fc 100644
--- a/rules/S6692/secrets/metadata.json
+++ b/rules/S6692/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6692",
diff --git a/rules/S6693/secrets/metadata.json b/rules/S6693/secrets/metadata.json
index 1e13d766f01..99a7b2526d0 100644
--- a/rules/S6693/secrets/metadata.json
+++ b/rules/S6693/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6693",
diff --git a/rules/S6694/secrets/metadata.json b/rules/S6694/secrets/metadata.json
index 3859ba14bfe..63006d3a878 100644
--- a/rules/S6694/secrets/metadata.json
+++ b/rules/S6694/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6694",
diff --git a/rules/S6695/secrets/metadata.json b/rules/S6695/secrets/metadata.json
index d6e178fb4af..dc44d4f6e87 100644
--- a/rules/S6695/secrets/metadata.json
+++ b/rules/S6695/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6695",
diff --git a/rules/S6696/secrets/metadata.json b/rules/S6696/secrets/metadata.json
index e9b379d86ce..738fece39ba 100644
--- a/rules/S6696/secrets/metadata.json
+++ b/rules/S6696/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6696",
diff --git a/rules/S6697/secrets/metadata.json b/rules/S6697/secrets/metadata.json
index fb782ec11bc..24570e68f14 100644
--- a/rules/S6697/secrets/metadata.json
+++ b/rules/S6697/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6697",
diff --git a/rules/S6698/secrets/metadata.json b/rules/S6698/secrets/metadata.json
index c96c5a245c5..ec6c82e5272 100644
--- a/rules/S6698/secrets/metadata.json
+++ b/rules/S6698/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6698",
diff --git a/rules/S6699/secrets/metadata.json b/rules/S6699/secrets/metadata.json
index 391dcebcf40..9a73903fc2c 100644
--- a/rules/S6699/secrets/metadata.json
+++ b/rules/S6699/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6699",
diff --git a/rules/S6700/secrets/metadata.json b/rules/S6700/secrets/metadata.json
index 3840ea99970..9045ad81f93 100644
--- a/rules/S6700/secrets/metadata.json
+++ b/rules/S6700/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6700",
diff --git a/rules/S6701/secrets/metadata.json b/rules/S6701/secrets/metadata.json
index 5b7730090d9..7ed9a5dd59a 100644
--- a/rules/S6701/secrets/metadata.json
+++ b/rules/S6701/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6701",
diff --git a/rules/S6702/secrets/metadata.json b/rules/S6702/secrets/metadata.json
index de4bda31718..60570616cf0 100644
--- a/rules/S6702/secrets/metadata.json
+++ b/rules/S6702/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6702",
diff --git a/rules/S6703/secrets/metadata.json b/rules/S6703/secrets/metadata.json
index 855358596ad..5505ed0a030 100644
--- a/rules/S6703/secrets/metadata.json
+++ b/rules/S6703/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6703",
diff --git a/rules/S6704/secrets/metadata.json b/rules/S6704/secrets/metadata.json
index e555f779988..16ddb398ac6 100644
--- a/rules/S6704/secrets/metadata.json
+++ b/rules/S6704/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6704",
diff --git a/rules/S6705/secrets/metadata.json b/rules/S6705/secrets/metadata.json
index 4c9f01ca57d..0e69497fb84 100644
--- a/rules/S6705/secrets/metadata.json
+++ b/rules/S6705/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6705",
diff --git a/rules/S6706/secrets/metadata.json b/rules/S6706/secrets/metadata.json
index be67b488197..4fb94bcec5a 100644
--- a/rules/S6706/secrets/metadata.json
+++ b/rules/S6706/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6706",
diff --git a/rules/S6708/secrets/metadata.json b/rules/S6708/secrets/metadata.json
index dd5af769616..f447471da44 100644
--- a/rules/S6708/secrets/metadata.json
+++ b/rules/S6708/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6708",
diff --git a/rules/S6710/secrets/metadata.json b/rules/S6710/secrets/metadata.json
index 18d0a852999..29a7e5a2ffa 100644
--- a/rules/S6710/secrets/metadata.json
+++ b/rules/S6710/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6710",
diff --git a/rules/S6713/secrets/metadata.json b/rules/S6713/secrets/metadata.json
index a7477bf6813..6283c1d1ebd 100644
--- a/rules/S6713/secrets/metadata.json
+++ b/rules/S6713/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6713",
diff --git a/rules/S6717/secrets/metadata.json b/rules/S6717/secrets/metadata.json
index 1e5a09eea6f..bc4fb6d18e2 100644
--- a/rules/S6717/secrets/metadata.json
+++ b/rules/S6717/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6717",
diff --git a/rules/S6718/secrets/metadata.json b/rules/S6718/secrets/metadata.json
index 64d9f00f89b..bcf632eb8cb 100644
--- a/rules/S6718/secrets/metadata.json
+++ b/rules/S6718/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6718",
diff --git a/rules/S6719/secrets/metadata.json b/rules/S6719/secrets/metadata.json
index f2413f611f6..27a6cea8dd8 100644
--- a/rules/S6719/secrets/metadata.json
+++ b/rules/S6719/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6719",
diff --git a/rules/S6720/secrets/metadata.json b/rules/S6720/secrets/metadata.json
index b068c3aa6dd..bdec5531c5b 100644
--- a/rules/S6720/secrets/metadata.json
+++ b/rules/S6720/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6720",
diff --git a/rules/S6721/secrets/metadata.json b/rules/S6721/secrets/metadata.json
index ebade74b9f3..af0fc1d07dd 100644
--- a/rules/S6721/secrets/metadata.json
+++ b/rules/S6721/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6721",
diff --git a/rules/S6722/secrets/metadata.json b/rules/S6722/secrets/metadata.json
index 0ceb2370687..e9c564a21d2 100644
--- a/rules/S6722/secrets/metadata.json
+++ b/rules/S6722/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6722",
diff --git a/rules/S6723/secrets/metadata.json b/rules/S6723/secrets/metadata.json
index 2ca4e244de3..7b2c9b4fc5b 100644
--- a/rules/S6723/secrets/metadata.json
+++ b/rules/S6723/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6723",
diff --git a/rules/S6725/python/metadata.json b/rules/S6725/python/metadata.json
index 9491f08b264..dc9c5c3ccda 100644
--- a/rules/S6725/python/metadata.json
+++ b/rules/S6725/python/metadata.json
@@ -3,7 +3,7 @@
 "type": "BUG",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "LOGICAL"
 },
@@ -17,9 +17,7 @@
 "numpy"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6725",
diff --git a/rules/S6731/secrets/metadata.json b/rules/S6731/secrets/metadata.json
index 397c29c55ca..3b55706a6a7 100644
--- a/rules/S6731/secrets/metadata.json
+++ b/rules/S6731/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6731",
diff --git a/rules/S6732/secrets/metadata.json b/rules/S6732/secrets/metadata.json
index cfbfd96cb18..34daf0935df 100644
--- a/rules/S6732/secrets/metadata.json
+++ b/rules/S6732/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6732",
diff --git a/rules/S6733/secrets/metadata.json b/rules/S6733/secrets/metadata.json
index 1d8651f35c7..fa6bf1814cf 100644
--- a/rules/S6733/secrets/metadata.json
+++ b/rules/S6733/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6733",
diff --git a/rules/S6736/secrets/metadata.json b/rules/S6736/secrets/metadata.json
index 9b9ac91dfe8..928b89cb8cf 100644
--- a/rules/S6736/secrets/metadata.json
+++ b/rules/S6736/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6736",
diff --git a/rules/S6739/secrets/metadata.json b/rules/S6739/secrets/metadata.json
index 1db8b072736..4e7cf5fd7d2 100644
--- a/rules/S6739/secrets/metadata.json
+++ b/rules/S6739/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
@@ -17,9 +17,7 @@
 "cert"
 ],
 "extra": {
- "replacementRules": [
-
- ]
+ "replacementRules": []
 },
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6739",
diff --git a/rules/S6751/secrets/metadata.json b/rules/S6751/secrets/metadata.json
index 519ba055cb9..0905d19156c 100644
--- a/rules/S6751/secrets/metadata.json
+++ b/rules/S6751/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6752/secrets/metadata.json b/rules/S6752/secrets/metadata.json
index 4f661c66c5a..d1192b2e857 100644
--- a/rules/S6752/secrets/metadata.json
+++ b/rules/S6752/secrets/metadata.json
@@ -1,62 +1,59 @@
 {
- "title": "Artifactory tokens should not be disclosed",
- "type": "VULNERABILITY",
- "code": {
- "impacts": {
- "SECURITY": "HIGH"
- },
- "attribute": "TRUSTWORTHY"
+ "title": "Artifactory tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "BLOCKER"
 },
- "status": "ready",
- "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "30min"
- },
- "tags": [
- "cwe",
- "cert"
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "extra": {
+ "replacementRules": []
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6752",
+ "sqKey": "S6752",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
 ],
- "extra": {
- "replacementRules": [
-
- ]
- },
- "defaultSeverity": "Blocker",
- "ruleSpecification": "RSPEC-6752",
- "sqKey": "S6752",
- "scope": "All",
- "securityStandards": {
- "CWE": [
- 798,
- 259
- ],
- "OWASP": [
- "A3"
- ],
- "CERT": [
- "MSC03-J."
- ],
- "OWASP Top 10 2021": [
- "A7"
- ],
- "PCI DSS 3.2": [
- "6.5.10"
- ],
- "PCI DSS 4.0": [
- "6.2.4"
- ],
- "ASVS 4.0": [
- "2.10.4",
- "3.5.2",
- "6.4.1"
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
 ],
 "STIG ASD_V5R3": [
 "V-222642"
 ]
- },
- "defaultQualityProfiles": [
- "Sonar way"
- ],
- "quickfix": "unknown"
- }
-
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6753/secrets/metadata.json b/rules/S6753/secrets/metadata.json
index 4d8b4d68bac..d26e61c66ca 100644
--- a/rules/S6753/secrets/metadata.json
+++ b/rules/S6753/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6755/secrets/metadata.json b/rules/S6755/secrets/metadata.json
index b5e03cc1531..1231104bc59 100644
--- a/rules/S6755/secrets/metadata.json
+++ b/rules/S6755/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6758/secrets/metadata.json b/rules/S6758/secrets/metadata.json
index 943fef9c5a9..abdbb5cd746 100644
--- a/rules/S6758/secrets/metadata.json
+++ b/rules/S6758/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6760/secrets/metadata.json b/rules/S6760/secrets/metadata.json
index 51c7e8e81cd..09d4514c225 100644
--- a/rules/S6760/secrets/metadata.json
+++ b/rules/S6760/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6762/secrets/metadata.json b/rules/S6762/secrets/metadata.json
index a48a1825425..f494e903553 100644
--- a/rules/S6762/secrets/metadata.json
+++ b/rules/S6762/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6764/secrets/metadata.json b/rules/S6764/secrets/metadata.json
index aa65ac313f7..b26f1391b63 100644
--- a/rules/S6764/secrets/metadata.json
+++ b/rules/S6764/secrets/metadata.json
@@ -3,7 +3,7 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
 },
 "attribute": "TRUSTWORTHY"
 },
diff --git a/rules/S6765/secrets/metadata.json b/rules/S6765/secrets/metadata.json
index 7fb03493e61..9b482124e04 100644
--- a/rules/S6765/secrets/metadata.json
+++ b/rules/S6765/secrets/metadata.json
@@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6768/secrets/metadata.json b/rules/S6768/secrets/metadata.json index 507c8d87922..aec7f255e59 100644 --- a/rules/S6768/secrets/metadata.json +++ b/rules/S6768/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6769/secrets/metadata.json b/rules/S6769/secrets/metadata.json index 62bacb21466..dafbafd947d 100644 --- a/rules/S6769/secrets/metadata.json +++ b/rules/S6769/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6771/secrets/metadata.json b/rules/S6771/secrets/metadata.json index 346a1d113f9..5e1fef849e8 100644 --- a/rules/S6771/secrets/metadata.json +++ b/rules/S6771/secrets/metadata.json 
@@ -1,62 +1,59 @@ { - "title": "Postman tokens should not be disclosed", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "TRUSTWORTHY" + "title": "Postman tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "BLOCKER" }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "30min" - }, - "tags": [ - "cwe", - "cert" + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "extra": { + "replacementRules": [] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-6771", + "sqKey": "S6771", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 ], - "extra": { - "replacementRules": [ - - ] - }, - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-6771", - "sqKey": "S6771", - "scope": "All", - "securityStandards": { - "CWE": [ - 798, - 259 - ], - "OWASP": [ - "A3" - ], - "CERT": [ - "MSC03-J." - ], - "OWASP Top 10 2021": [ - "A7" - ], - "PCI DSS 3.2": [ - "6.5.10" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "2.10.4", - "3.5.2", - "6.4.1" - ], - "STIG ASD_V5R3": [ - "V-222642" - ] - }, - "defaultQualityProfiles": [ - "Sonar way" + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" ], - "quickfix": "unknown" - } - + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S6773/secrets/metadata.json b/rules/S6773/secrets/metadata.json index ba087362586..504cd54e247 100644 --- a/rules/S6773/secrets/metadata.json +++ b/rules/S6773/secrets/metadata.json 
@@ -1,62 +1,59 @@ { - "title": "Hashicorp tokens should not be disclosed", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "TRUSTWORTHY" + "title": "Hashicorp tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "BLOCKER" }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "30min" - }, - "tags": [ - "cwe", - "cert" + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "extra": { + "replacementRules": [] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-6773", + "sqKey": "S6773", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 ], - "extra": { - "replacementRules": [ - - ] - }, - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-6773", - "sqKey": "S6773", - "scope": "All", - "securityStandards": { - "CWE": [ - 798, - 259 - ], - "OWASP": [ - "A3" - ], - "CERT": [ - "MSC03-J." - ], - "OWASP Top 10 2021": [ - "A7" - ], - "PCI DSS 3.2": [ - "6.5.10" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "2.10.4", - "3.5.2", - "6.4.1" + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" ], "STIG ASD_V5R3": [ "V-222642" ] - }, - "defaultQualityProfiles": [ - "Sonar way" - ], - "quickfix": "unknown" - } - + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S6777/secrets/metadata.json b/rules/S6777/secrets/metadata.json index bba4267f9ea..a4b9370b500 100644 --- a/rules/S6777/secrets/metadata.json +++ b/rules/S6777/secrets/metadata.json 
@@ -1,63 +1,59 @@ { - "title": "Shippo tokens should not be disclosed", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "TRUSTWORTHY" + "title": "Shippo tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "BLOCKER" }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "30min" - }, - "tags": [ - "cwe", - "cert" + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "extra": { + "replacementRules": [] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-6777", + "sqKey": "S6777", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 ], - "extra": { - "replacementRules": [ - - ] - }, - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-6777", - "sqKey": "S6777", - "scope": "All", - "securityStandards": { - "CWE": [ - 798, - 259 - ], - "OWASP": [ - "A3" - ], - "CERT": [ - "MSC03-J." - ], - "OWASP Top 10 2021": [ - "A7" - ], - "PCI DSS 3.2": [ - "6.5.10" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "2.10.4", - "3.5.2", - "6.4.1" + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" ], "STIG ASD_V5R3": [ "V-222642" ] - - }, - "defaultQualityProfiles": [ - "Sonar way" - ], - "quickfix": "unknown" - } - + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S6779/python/metadata.json b/rules/S6779/python/metadata.json index 72eede3b818..7a82bf27145 100644 --- a/rules/S6779/python/metadata.json +++ b/rules/S6779/python/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, 
@@ -17,9 +17,7 @@ "cert" ], "extra": { - "replacementRules": [ - - ] + "replacementRules": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6779", @@ -55,4 +53,4 @@ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6781/metadata.json b/rules/S6781/metadata.json index 64d7f37effd..f005b6164d4 100644 --- a/rules/S6781/metadata.json +++ b/rules/S6781/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, @@ -17,9 +17,7 @@ "cert" ], "extra": { - "replacementRules": [ - - ] + "replacementRules": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6781", @@ -54,4 +52,4 @@ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6782/secrets/metadata.json b/rules/S6782/secrets/metadata.json index ca0b8d15ea2..2c0bba67537 100644 --- a/rules/S6782/secrets/metadata.json +++ b/rules/S6782/secrets/metadata.json 
@@ -1,63 +1,59 @@ { - "title": "Docker Hub tokens should not be disclosed", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "TRUSTWORTHY" + "title": "Docker Hub tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "BLOCKER" }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "30min" - }, - "tags": [ - "cwe", - "cert" + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "extra": { + "replacementRules": [] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-6782", + "sqKey": "S6782", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 ], - "extra": { - "replacementRules": [ - - ] - }, - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-6782", - "sqKey": "S6782", - "scope": "All", - "securityStandards": { - "CWE": [ - 798, - 259 - ], - "OWASP": [ - "A3" - ], - "CERT": [ - "MSC03-J." - ], - "OWASP Top 10 2021": [ - "A7" - ], - "PCI DSS 3.2": [ - "6.5.10" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "2.10.4", - "3.5.2", - "6.4.1" + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" ], "STIG ASD_V5R3": [ "V-222642" ] - - }, - "defaultQualityProfiles": [ - "Sonar way" - ], - "quickfix": "unknown" - } - + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S6783/secrets/metadata.json b/rules/S6783/secrets/metadata.json index 98cd13e2fb7..4432eb01192 100644 --- a/rules/S6783/secrets/metadata.json +++ b/rules/S6783/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, 
@@ -17,9 +17,7 @@ "cert" ], "extra": { - "replacementRules": [ - - ] + "replacementRules": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6783", @@ -53,7 +51,6 @@ "STIG ASD_V5R3": [ "V-222642" ] - }, "defaultQualityProfiles": [ "Sonar way" diff --git a/rules/S6839/metadata.json b/rules/S6839/metadata.json index 20773a82098..38f0c7ab8ee 100644 --- a/rules/S6839/metadata.json +++ b/rules/S6839/metadata.json @@ -6,16 +6,10 @@ "func": "Constant\/Issue", "constantCost": "30min" }, - "tags": [ - - ], + "tags": [], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6839", @@ -51,7 +45,7 @@ ], "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "COMPLETE" }, diff --git a/rules/S6910/secrets/metadata.json b/rules/S6910/secrets/metadata.json index 57c903309ba..ac8d8f99c41 100644 --- a/rules/S6910/secrets/metadata.json +++ b/rules/S6910/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6987/secrets/metadata.json b/rules/S6987/secrets/metadata.json index ff831afd2d1..b71e7594d65 100644 --- a/rules/S6987/secrets/metadata.json +++ b/rules/S6987/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, @@ -17,12 +17,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6290", diff --git a/rules/S6988/secrets/metadata.json b/rules/S6988/secrets/metadata.json index 2704b7a5bce..6d6011b19bb 100644 --- a/rules/S6988/secrets/metadata.json +++ b/rules/S6988/secrets/metadata.json 
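Review bot: In the `rules/S6987/secrets/metadata.json` hunk the context line `"ruleSpecification": "RSPEC-6290"` does not follow the pairing used by every other secrets file in this patch, where `S<n>` goes with `RSPEC-<n>` (the next section, S6988, carries `RSPEC-6988`). This predates the patch, but since the file is being touched it is worth confirming whether S6987 is intentionally keyed to the S6290 specification or whether the id was copied over and should read `"ruleSpecification": "RSPEC-6987"`. The `sqKey` line that would settle it lies outside the hunk.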
@@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, @@ -17,12 +17,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6988", diff --git a/rules/S6989/secrets/metadata.json b/rules/S6989/secrets/metadata.json index 7dcf0cd9bd8..a49112a2f8a 100644 --- a/rules/S6989/secrets/metadata.json +++ b/rules/S6989/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6990/secrets/metadata.json b/rules/S6990/secrets/metadata.json index a553726baac..25e402a8085 100644 --- a/rules/S6990/secrets/metadata.json +++ b/rules/S6990/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6992/secrets/metadata.json b/rules/S6992/secrets/metadata.json index f1b22c8ca4d..759d97617f4 100644 --- a/rules/S6992/secrets/metadata.json +++ b/rules/S6992/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6993/secrets/metadata.json b/rules/S6993/secrets/metadata.json index e82ee030d8b..819b5d137ca 100644 --- a/rules/S6993/secrets/metadata.json +++ b/rules/S6993/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6995/secrets/metadata.json b/rules/S6995/secrets/metadata.json index 4731de9ff6f..97fb492f5c8 100644 --- a/rules/S6995/secrets/metadata.json +++ b/rules/S6995/secrets/metadata.json 
@@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6997/secrets/metadata.json b/rules/S6997/secrets/metadata.json index 1264889bf38..92cd7ef57d2 100644 --- a/rules/S6997/secrets/metadata.json +++ b/rules/S6997/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6998/secrets/metadata.json b/rules/S6998/secrets/metadata.json index 5a7c99b87a4..feaf7ce91bc 100644 --- a/rules/S6998/secrets/metadata.json +++ b/rules/S6998/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S6999/secrets/metadata.json b/rules/S6999/secrets/metadata.json index a9908105e59..63124190b80 100644 --- a/rules/S6999/secrets/metadata.json +++ b/rules/S6999/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7000/secrets/metadata.json b/rules/S7000/secrets/metadata.json index 88b9163eece..02f424732f3 100644 --- a/rules/S7000/secrets/metadata.json +++ b/rules/S7000/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7001/secrets/metadata.json b/rules/S7001/secrets/metadata.json index 653e9ea79b8..341fa161adf 100644 --- a/rules/S7001/secrets/metadata.json +++ b/rules/S7001/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7002/secrets/metadata.json b/rules/S7002/secrets/metadata.json index b16dd081f29..b8ae436b4d1 100644 
--- a/rules/S7002/secrets/metadata.json +++ b/rules/S7002/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7003/secrets/metadata.json b/rules/S7003/secrets/metadata.json index 60c6323a818..60dc2f72f61 100644 --- a/rules/S7003/secrets/metadata.json +++ b/rules/S7003/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7004/secrets/metadata.json b/rules/S7004/secrets/metadata.json index 00e605d4be5..a28f9b03e4e 100644 --- a/rules/S7004/secrets/metadata.json +++ b/rules/S7004/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7006/secrets/metadata.json b/rules/S7006/secrets/metadata.json index a08f95a22c8..990d5578ec6 100644 --- a/rules/S7006/secrets/metadata.json +++ b/rules/S7006/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7007/secrets/metadata.json b/rules/S7007/secrets/metadata.json index e16bd02bca2..0c54461f27d 100644 --- a/rules/S7007/secrets/metadata.json +++ b/rules/S7007/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7008/secrets/metadata.json b/rules/S7008/secrets/metadata.json index 670e0102923..f10b6928bf0 100644 --- a/rules/S7008/secrets/metadata.json +++ b/rules/S7008/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, 
diff --git a/rules/S7009/secrets/metadata.json b/rules/S7009/secrets/metadata.json index 75a3bff2db4..7d6a3049176 100644 --- a/rules/S7009/secrets/metadata.json +++ b/rules/S7009/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7010/secrets/metadata.json b/rules/S7010/secrets/metadata.json index 3140059614c..5939511d81e 100644 --- a/rules/S7010/secrets/metadata.json +++ b/rules/S7010/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7011/secrets/metadata.json b/rules/S7011/secrets/metadata.json index 7bb8758091b..e66ae3b733a 100644 --- a/rules/S7011/secrets/metadata.json +++ b/rules/S7011/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7013/secrets/metadata.json b/rules/S7013/secrets/metadata.json index 1c97f151599..615b9537707 100644 --- a/rules/S7013/secrets/metadata.json +++ b/rules/S7013/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7014/secrets/metadata.json b/rules/S7014/secrets/metadata.json index 27c7b8d7809..cab658061a8 100644 --- a/rules/S7014/secrets/metadata.json +++ b/rules/S7014/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7015/secrets/metadata.json b/rules/S7015/secrets/metadata.json index f9ba17dc168..d54fde3f287 100644 --- a/rules/S7015/secrets/metadata.json +++ b/rules/S7015/secrets/metadata.json 
@@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7016/secrets/metadata.json b/rules/S7016/secrets/metadata.json index 19d05c8315b..284e2970e0c 100644 --- a/rules/S7016/secrets/metadata.json +++ b/rules/S7016/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7017/secrets/metadata.json b/rules/S7017/secrets/metadata.json index 96e4866c49d..d4cce9dba38 100644 --- a/rules/S7017/secrets/metadata.json +++ b/rules/S7017/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7022/secrets/metadata.json b/rules/S7022/secrets/metadata.json index 54e64010031..357d0383afd 100644 --- a/rules/S7022/secrets/metadata.json +++ b/rules/S7022/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7024/secrets/metadata.json b/rules/S7024/secrets/metadata.json index 6cfbd6d25d5..c8a5b8ebff1 100644 --- a/rules/S7024/secrets/metadata.json +++ b/rules/S7024/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S7025/secrets/metadata.json b/rules/S7025/secrets/metadata.json index e819b249ee9..0f07769d531 100644 --- a/rules/S7025/secrets/metadata.json +++ b/rules/S7025/secrets/metadata.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH" + "SECURITY": "BLOCKER" }, "attribute": "TRUSTWORTHY" }, diff --git a/rules/S797/cfamily/metadata.json b/rules/S797/cfamily/metadata.json index 1d18d1c5065..aeaf1499047 100644 
--- a/rules/S797/cfamily/metadata.json +++ b/rules/S797/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -19,9 +19,7 @@ "suspicious" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "TrigraphUsage" ] diff --git a/rules/S798/cfamily/metadata.json b/rules/S798/cfamily/metadata.json index cfb7a513631..6750107ccda 100644 --- a/rules/S798/cfamily/metadata.json +++ b/rules/S798/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -17,9 +17,7 @@ "obsolete" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "DigraphUsage" ] diff --git a/rules/S912/cfamily/metadata.json b/rules/S912/cfamily/metadata.json index ff0bf2323b8..a7b83da396b 100644 --- a/rules/S912/cfamily/metadata.json +++ b/rules/S912/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -17,9 +17,7 @@ "cert" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "SideEffectInRightHandSideOfLogical" ] diff --git a/rules/S916/cfamily/metadata.json b/rules/S916/cfamily/metadata.json index 42ece721442..fc2d2a31a10 100644 --- a/rules/S916/cfamily/metadata.json +++ b/rules/S916/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -19,9 +19,7 @@ "misra-c2012" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "SwitchLabelPlacement" ] diff --git a/rules/S923/java/metadata.json b/rules/S923/java/metadata.json index cf17da8e399..0c689610ae6 100644 --- a/rules/S923/java/metadata.json 
+++ b/rules/S923/java/metadata.json @@ -9,7 +9,7 @@ ], "code": { "impacts": { - "MAINTAINABILITY": "LOW" + "MAINTAINABILITY": "INFO" }, "attribute": "CLEAR" }, diff --git a/rules/S930/python/metadata.json b/rules/S930/python/metadata.json index 90082dd0a0e..c6cd02bbe8d 100644 --- a/rules/S930/python/metadata.json +++ b/rules/S930/python/metadata.json @@ -2,7 +2,7 @@ "title": "The number and name of arguments passed to a function should match its parameters", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, diff --git a/rules/S946/cfamily/metadata.json b/rules/S946/cfamily/metadata.json index 2705b9dc900..a324d5a851b 100644 --- a/rules/S946/cfamily/metadata.json +++ b/rules/S946/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -18,12 +18,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-946", diff --git a/rules/S961/cfamily/metadata.json b/rules/S961/cfamily/metadata.json index 70ea28d0e6c..50664fe96ae 100644 --- a/rules/S961/cfamily/metadata.json +++ b/rules/S961/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "BUG", "code": { "impacts": { - "RELIABILITY": "HIGH" + "RELIABILITY": "BLOCKER" }, "attribute": "LOGICAL" }, @@ -18,12 +18,8 @@ "preprocessor" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-961", diff --git a/rules/S963/cfamily/metadata.json b/rules/S963/cfamily/metadata.json index e5fb825e4be..a965077bb87 100644 --- a/rules/S963/cfamily/metadata.json +++ b/rules/S963/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, 
@@ -18,12 +18,8 @@ "misra-c2004" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-963", @@ -34,7 +30,6 @@ "PRE01-C." ] }, - "defaultQualityProfiles": [ - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S969/cfamily/metadata.json b/rules/S969/cfamily/metadata.json index c1a4312fa99..c5d882e40c0 100644 --- a/rules/S969/cfamily/metadata.json +++ b/rules/S969/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -17,12 +17,8 @@ "bad-practice" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-969", diff --git a/rules/S978/cfamily/metadata.json b/rules/S978/cfamily/metadata.json index e38eb7a1471..8e45c27e8a0 100644 --- a/rules/S978/cfamily/metadata.json +++ b/rules/S978/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, @@ -18,12 +18,8 @@ "cert" ], "extra": { - "replacementRules": [ - - ], - "legacyKeys": [ - - ] + "replacementRules": [], + "legacyKeys": [] }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-978", @@ -35,8 +31,6 @@ "DCL51-CPP." ] }, - "defaultQualityProfiles": [ - - ], + "defaultQualityProfiles": [], "quickfix": "unknown" } diff --git a/rules/S998/cfamily/metadata.json b/rules/S998/cfamily/metadata.json index 67cdd3e144e..d042f18ecf0 100644 --- a/rules/S998/cfamily/metadata.json +++ b/rules/S998/cfamily/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CONVENTIONAL" }, 
@@ -17,9 +17,7 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "GlobalMainFunction" ] diff --git a/rules/S999/metadata.json b/rules/S999/metadata.json index 9e04b5ed5b1..9b6d3bd3428 100644 --- a/rules/S999/metadata.json +++ b/rules/S999/metadata.json @@ -3,7 +3,7 @@ "type": "CODE_SMELL", "code": { "impacts": { - "MAINTAINABILITY": "HIGH" + "MAINTAINABILITY": "BLOCKER" }, "attribute": "CLEAR" }, @@ -16,9 +16,7 @@ "pitfall" ], "extra": { - "replacementRules": [ - - ], + "replacementRules": [], "legacyKeys": [ "BackJumpWithGoto", "BackwardsGoto" From 4dfe1364d7a8ffbecf7f726181cdf7b2bd7fa87b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 18:07:55 +0000 Subject: [PATCH 51/61] Create rule S6418 (#4470) * Add csharp to rule S6418 * initial commit * update wording to be about c# * revert greg's change * Update Default detections/sensitivity --------- Co-authored-by: alex-meseldzija-sonarsource Co-authored-by: Alex Meseldzija Co-authored-by: Gregory Paidis <115458417+gregory-paidis-sonarsource@users.noreply.github.com> --- rules/S6418/cfamily/rule.adoc | 3 +++ rules/S6418/csharp/metadata.json | 32 ++++++++++++++++++++++++++++++++ rules/S6418/csharp/rule.adoc | 31 +++++++++++++++++++++++++++++++ rules/S6418/description.adoc | 2 +- rules/S6418/java/rule.adoc | 4 ++++ rules/S6418/parameters.adoc | 2 +- rules/S6418/php/rule.adoc | 3 +++ rules/S6418/python/rule.adoc | 3 +++ 8 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 rules/S6418/csharp/metadata.json create mode 100644 rules/S6418/csharp/rule.adoc diff --git a/rules/S6418/cfamily/rule.adoc b/rules/S6418/cfamily/rule.adoc index 772ce44b9f8..c166816a68f 100644 --- a/rules/S6418/cfamily/rule.adoc +++ b/rules/S6418/cfamily/rule.adoc @@ -1,3 +1,6 @@ +:detections: variables/fields +:sensibility: 5 + include::../description.adoc[] include::../ask-yourself.adoc[] 
diff --git a/rules/S6418/csharp/metadata.json b/rules/S6418/csharp/metadata.json new file mode 100644 index 00000000000..1ca501ab27b --- /dev/null +++ b/rules/S6418/csharp/metadata.json @@ -0,0 +1,32 @@ +{ + "tags": [ + "cwe", + "cert" + ], + "securityStandards": { + "CERT": [ + "MSC03-J." + ], + "CWE": [ + 798 + ], + "OWASP": [ + "A2" + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ] + }, + "quickfix": "infeasible" +} diff --git a/rules/S6418/csharp/rule.adoc b/rules/S6418/csharp/rule.adoc new file mode 100644 index 00000000000..40c53a83a07 --- /dev/null +++ b/rules/S6418/csharp/rule.adoc @@ -0,0 +1,31 @@ +:detections: variables/fields/properties +:sensibility: 3 + +include::../description.adoc[] + +include::../ask-yourself.adoc[] + +include::../recommended.adoc[] + +== Sensitive Code Example + +[source,csharp] +---- +const string mySecret = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37"; +---- + +include::../see.adoc[] + +* MSC - https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[MSC03-J - Never hard code sensitive information] + +ifdef::env-github,rspecator-view[] +''' +== Implementation Specification +(visible only on this page) + +include::../message.adoc[] + +include::../parameters.adoc[] + +''' +endif::env-github,rspecator-view[] diff --git a/rules/S6418/description.adoc b/rules/S6418/description.adoc index bb24c43ee26..7440fe66992 100644 --- a/rules/S6418/description.adoc +++ b/rules/S6418/description.adoc 
@@ -9,6 +9,6 @@ In the past, it has led to the following vulnerabilities: Secrets should be stored outside of the source code in a configuration file or a management service for secrets. -This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. +This rule detects {detections} having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives. diff --git a/rules/S6418/java/rule.adoc b/rules/S6418/java/rule.adoc index 750549e890a..b592ca548b6 100644 --- a/rules/S6418/java/rule.adoc +++ b/rules/S6418/java/rule.adoc @@ -1,3 +1,6 @@ +:detectson: variables/fields +:defaultsensibility: 5 + include::../description.adoc[] include::../ask-yourself.adoc[] @@ -85,6 +88,7 @@ ifdef::env-github,rspecator-view[] include::../message.adoc[] + include::../parameters.adoc[] ''' diff --git a/rules/S6418/parameters.adoc b/rules/S6418/parameters.adoc index 00cbe306efd..fc24247fae5 100644 --- a/rules/S6418/parameters.adoc +++ b/rules/S6418/parameters.adoc @@ -14,7 +14,7 @@ Comma separated list of words identifying potential secret **** ---- -7 +{sensibility} ---- Allows to tune the Randomness Sensibility (from 0 to 10) diff --git a/rules/S6418/php/rule.adoc b/rules/S6418/php/rule.adoc index 148341226e4..df27eace1f7 100644 --- a/rules/S6418/php/rule.adoc +++ b/rules/S6418/php/rule.adoc @@ -1,3 +1,6 @@ +:detectson: variables/fields +:defaultsensibility: 5 + include::../description.adoc[] include::../ask-yourself.adoc[] diff --git a/rules/S6418/python/rule.adoc b/rules/S6418/python/rule.adoc index 3c1509b2784..8bc97dbe274 100644 --- a/rules/S6418/python/rule.adoc 
+++ b/rules/S6418/python/rule.adoc @@ -1,3 +1,6 @@ +:detections: variables/fields +:sensibility: 3 + include::../description.adoc[] include::../ask-yourself.adoc[] From ff687582bd65980a90c143e7396da75ec4e07e11 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 6 Nov 2024 11:04:13 +0000 Subject: [PATCH 52/61] Create rule S7139: redirect.pizza API tokens should not be disclosed (#4466) --- rules/S7139/metadata.json | 2 ++ rules/S7139/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7139/secrets/rule.adoc | 35 +++++++++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 rules/S7139/metadata.json create mode 100644 rules/S7139/secrets/metadata.json create mode 100644 rules/S7139/secrets/rule.adoc diff --git a/rules/S7139/metadata.json b/rules/S7139/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7139/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7139/secrets/metadata.json b/rules/S7139/secrets/metadata.json new file mode 100644 index 00000000000..c6f3e8520f3 --- /dev/null +++ b/rules/S7139/secrets/metadata.json 
@@ -0,0 +1,56 @@
+{
+ "title": "redirect.pizza API tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7139",
+ "sqKey": "S7139",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7139/secrets/rule.adoc b/rules/S7139/secrets/rule.adoc
new file mode 100644
index 00000000000..e837d3bf9f7
--- /dev/null
+++ b/rules/S7139/secrets/rule.adoc
@@ -0,0 +1,35 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API token
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: rpi_GjPphKMMHgwqkE8cwwJAhhYFn4h0zMuk4eYdcKdtuGotHCZZX1AS1eorPIO8tcTA
+:example_name: redirect-pizza-key
+:example_env: REDIRECT_PIZZA_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
From 81fc47e203c68d6b4ca33382a61681721073f5a7 Mon Sep 17 00:00:00 2001
From: "Loris S." <91723853+loris-s-sonarsource@users.noreply.github.com> Date: Wed, 6 Nov 2024 14:09:44 +0100 Subject: [PATCH 53/61] Modify S6096: Improve the resources section (#4478) --- rules/S6096/common/resources/articles.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/S6096/common/resources/articles.adoc b/rules/S6096/common/resources/articles.adoc index f0800c027f3..936f0e0a3b9 100644 --- a/rules/S6096/common/resources/articles.adoc +++ b/rules/S6096/common/resources/articles.adoc @@ -1,3 +1,4 @@ === Articles & blog posts +* Sonar Blog - https://www.sonarsource.com/blog/the-hidden-flaws-of-archives-in-java/[The Hidden Flaws of Archives in Java] * Sonar Blog - https://www.sonarsource.com/blog/openrefine-zip-slip/[Unzipping Dangers: OpenRefine Zip Slip Vulnerability] From f5651454a8790084e823dbdf26768964be4a1040 Mon Sep 17 00:00:00 2001 From: erwan-serandour Date: Wed, 6 Nov 2024 14:19:10 +0100 Subject: [PATCH 54/61] Modify S3281: Manual update of issue severities to MQR (#4456) --- rules/S3281/xml/metadata.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/S3281/xml/metadata.json b/rules/S3281/xml/metadata.json index 66a9c11255f..1816dbc61ab 100644 --- a/rules/S3281/xml/metadata.json +++ b/rules/S3281/xml/metadata.json @@ -3,8 +3,8 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "HIGH", - "MAINTAINABILITY": "HIGH" + "SECURITY": "BLOCKER", + "MAINTAINABILITY": "BLOCKER" }, "attribute": "COMPLETE" }, From 65d1ffdb3cf188176fc66c29a4f5d876fff32e06 Mon Sep 17 00:00:00 2001 
From: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com> Date: Wed, 6 Nov 2024 14:45:42 +0100 Subject: [PATCH 55/61] Modify rule S6937: Extend support to other statements (#3746) * Modify rule S6937: Extend support to other statements * Add more documentation * address review comment --- rules/S6937/jcl/metadata.json | 4 ++-- rules/S6937/jcl/rule.adoc | 14 +++++++++++--- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/rules/S6937/jcl/metadata.json b/rules/S6937/jcl/metadata.json index 84dd004352f..97e53fdb375 100644 --- a/rules/S6937/jcl/metadata.json +++ b/rules/S6937/jcl/metadata.json @@ -8,7 +8,7 @@ }, "tags": [ ], - "defaultSeverity": "Major", + "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-6937", "sqKey": "S6937", "scope": "All", @@ -18,6 +18,6 @@ "impacts": { "RELIABILITY": "HIGH" }, - "attribute": "CONVENTIONAL" + "attribute": "LOGICAL" } } diff --git a/rules/S6937/jcl/rule.adoc b/rules/S6937/jcl/rule.adoc index cca376f72e6..b55d3ed288e 100644 --- a/rules/S6937/jcl/rule.adoc +++ b/rules/S6937/jcl/rule.adoc @@ -1,8 +1,12 @@ -In-stream procedures should always have a name. - == Why is this an issue? -In JCL, it is expected for a PROC statement inside of a job stream to have a name. +In JCL, some statements require to have a label or name defined, otherwise it will trigger a JCL error. +The statements that require a name/label are: +* CNTL +* JOB +* NOTIFY +* OUTPUT +* in-stream PROC == How to fix it 
@@ -32,4 +36,8 @@ In JCL, it is expected for a PROC statement inside of a job stream to have a nam === Documentation +* https://www.ibm.com/docs/en/zos/3.1.0?topic=description-label-field[IBM Reference - CNTL Label field] +* https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-5[IBM Reference - JOB Name field] +* https://www.ibm.com/docs/en/zos/3.1.0?topic=statement-label-field[IBM Reference - NOTIFY Label field] +* https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-6[IBM Reference - OUTPUT Name field] * https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-8[IBM reference - PROC statement - Name field] From b7902684218c0f1d3e3dbc08b4949a87ff33a534 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 7 Nov 2024 10:09:40 +0100 Subject: [PATCH 56/61] Create rule S7140: SSLMate secrets should not be disclosed (APPSEC-2230) (#4468) --- rules/S7140/metadata.json | 2 ++ rules/S7140/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7140/secrets/rule.adoc | 42 +++++++++++++++++++++++ 3 files changed, 100 insertions(+) create mode 100644 rules/S7140/metadata.json create mode 100644 rules/S7140/secrets/metadata.json create mode 100644 rules/S7140/secrets/rule.adoc diff --git a/rules/S7140/metadata.json b/rules/S7140/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7140/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7140/secrets/metadata.json b/rules/S7140/secrets/metadata.json new file mode 100644 index 00000000000..9d653770434 --- /dev/null +++ b/rules/S7140/secrets/metadata.json 
@@ -0,0 +1,56 @@
+{
+ "title": "SSLMate secrets should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7140",
+ "sqKey": "S7140",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7140/secrets/rule.adoc b/rules/S7140/secrets/rule.adoc
new file mode 100644
index 00000000000..82b0c815291
--- /dev/null
+++ b/rules/S7140/secrets/rule.adoc
@@ -0,0 +1,42 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to an SSLMate secret, they might be able to gain access to the SSL/TLS certificate of organisations.
+
+=== What is the potential impact?
+
+SSLMate provides APIs used by organizations to issue and monitor SSL/TLS certificates.
+These certificates guaranty the authenticity of the organization's servers, and the confidentiality of the data exchanged with them.
+Depending on the permission granted to the API key, an attacker could potentially create, revoke, or modify SSL/TLS certificates of the organization.
+
+Creating certificates would allow attackers to impersonate the organization's servers. This leads to Man-In-The-Middle attacks that would
+affect both the confidentiality and integrity of the communications from clients
+to that server.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+Also, revoke certificates that were issued since the leak. Doing so
+will ensure that all people and assets that rely on these certificates are aware of its compromise and stop trusting it.
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+
+=== Code examples
+
+:example_secret: k15341_bc5T6Zbfv5ozwrwb3qyn
+:example_name: sslmate.api_key
+:example_env: SSLMATE_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
From ad2abcee0b7c4a7ae363e6f8fa7bcfd2a1bc1683 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 7 Nov 2024 12:08:22 +0100
Subject: [PATCH 57/61] Create rule S7143 (#4475)
Co-authored-by: pierre-loup-tristant-sonarsource
---
rules/S7143/metadata.json | 2 ++
rules/S7143/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
rules/S7143/secrets/rule.adoc | 43 ++++++++++++++++++++++++
3 files changed, 101 insertions(+)
create mode 100644 rules/S7143/metadata.json
create mode 100644 rules/S7143/secrets/metadata.json
create mode 100644 rules/S7143/secrets/rule.adoc
diff --git a/rules/S7143/metadata.json b/rules/S7143/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7143/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7143/secrets/metadata.json b/rules/S7143/secrets/metadata.json
new file mode 100644
index 00000000000..e5299f5ed97
--- /dev/null
+++ b/rules/S7143/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Authress Service Client Access Keys should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7143",
+ "sqKey": "S7143",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7143/secrets/rule.adoc b/rules/S7143/secrets/rule.adoc
new file mode 100644
index 00000000000..2291235759b
--- /dev/null
+++ b/rules/S7143/secrets/rule.adoc
@@ -0,0 +1,43 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to an Authress Service Client Access Key, they will be abble to authenticate to your application or platform as a service.
+
+=== What is the potential impact?
+
+Service Client Access Keys are used to authenticate applications, services, or APIs that use Authress for login and access-control.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: sc_vNyQA.ioDD.acc-8538bc102.MC4CAQAwBQYDK2VwBCIEIEWKdfs4Sfa72U
+:example_name: authress.access-key
+:example_env: AUTHRESS_ACCESS_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+=== Documentation
+
+Authress.io - https://authress.io/knowledge-base/docs/authorization/service-clients[Service Clients]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
From 3763add8720f900e1c8deb2c37b3a5373ba77fc6 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 7 Nov 2024 14:55:53 +0100
Subject: [PATCH 58/61] Create rule S7141(secrets): Chief Tools API tokens should not be disclosed (#4471)
---
rules/S7141/metadata.json | 2 +
rules/S7141/secrets/metadata.json | 56 ++++++++++++++++++++++++
rules/S7141/secrets/rule.adoc | 61 +++++++++++++++++++++++++++++++
3 files changed, 119 insertions(+)
create mode 100644 rules/S7141/metadata.json
create mode 100644 rules/S7141/secrets/metadata.json
create mode 100644 rules/S7141/secrets/rule.adoc
diff --git a/rules/S7141/metadata.json b/rules/S7141/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7141/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7141/secrets/metadata.json b/rules/S7141/secrets/metadata.json
new file mode 100644
index 00000000000..469a48bbf70
--- /dev/null
+++ b/rules/S7141/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Chief Tools API tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7141",
+ "sqKey": "S7141",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7141/secrets/rule.adoc b/rules/S7141/secrets/rule.adoc
new file mode 100644
index 00000000000..2ba478c683f
--- /dev/null
+++ b/rules/S7141/secrets/rule.adoc
@@ -0,0 +1,61 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Leaking this secret can allow an attacker to exploit the Chief Tools API, and
+therefore any of the Chief apps.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+==== Domain hijacking
+If the leaked secret gives an attacker a Cert Chief entitlement, the attacker
+can use it to stay informed about the certificates of your domain to
+automatically renew and take ownership of the next certificate. This can lead to
+a domain hijacking attack.
+
+==== Supply chain attacks
+If the leaked secret gives an attacker a Deploy Chief entitlement, then there
+may exist grave consequences beyond the compromise of source code. The attacker
+may inject malware, backdoors, or other harmful code into these private
+repositories.
+
+This can cause further security breaches inside the organization, but will also
+affect clients if the malicious code gets added to any products. Distributing
+code that (unintentionally) contains backdoors or malware can lead to widespread
+security vulnerabilities, reputational damage, and potential legal liabilities.
+
+==== Phishing and spam
+I the leaked secret gives an attacker a Tny entitlement, an attacker can use
+this API token to hide a malicious domain and use it in spam/phishing campaigns.
+
+Spam can cause users to be exposed to the following:
+
+* Unsolicited, inappropriate content
+* Fraudulent attempts to trick users into sending information or money
+* Abusive or hateful statements
+* False advertising or fraudulent claims
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: ctp_em36qdLHVWKcCm25gGc9oPhsrR0KYX2bymJH
+:example_name: chief-api-token
+:example_env: CHIEF_API_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
From e956bf1f911ca734b7ff5433c1294070b7f3fccb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 7 Nov 2024 14:59:07 +0100
Subject: [PATCH 59/61] Create rule S7138: crates.io API tokens should not be disclosed (#4465)
* Create rule S7138
* Update
---------
Co-authored-by: loris-s-sonarsource
Co-authored-by: Loris Sierra
Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
---
rules/S7138/metadata.json | 2 ++
rules/S7138/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
rules/S7138/secrets/rule.adoc | 41 ++++++++++++++++++++++
3 files changed, 99 insertions(+)
create mode 100644 rules/S7138/metadata.json
create mode 100644 rules/S7138/secrets/metadata.json
create mode 100644 rules/S7138/secrets/rule.adoc
diff --git a/rules/S7138/metadata.json b/rules/S7138/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7138/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7138/secrets/metadata.json b/rules/S7138/secrets/metadata.json
new file mode 100644
index 00000000000..a062e8e4306
--- /dev/null
+++ b/rules/S7138/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "crates.io API tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7138",
+ "sqKey": "S7138",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7138/secrets/rule.adoc b/rules/S7138/secrets/rule.adoc
new file mode 100644
index 00000000000..72bf4c86e6b
--- /dev/null
+++ b/rules/S7138/secrets/rule.adoc
@@ -0,0 +1,41 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Rust's crates.io API token is used to authenticate with the crates.io registry
+to publish and manage Rust packages, for a set of crates.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API token
+
+The consequences vary depending on the compromised account scope entitlement
+and crate restriction, but severe supply chain attacks.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: cioyVEVms6a97slDKPQNwOaWVgU9opCBF3Q
+:example_name: registry.token
+:example_env: CARGO_REGISTRY_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
From d81f6652ed6dadf6f290f84fe373e0d928d5efce Mon Sep 17 00:00:00 2001
From: Pavel Mikula <57188685+pavel-mikula-sonarsource@users.noreply.github.com>
Date: Thu, 7 Nov 2024 16:41:20 +0100
Subject: [PATCH 60/61] Add Jira integration (#4426)
---
.github/workflows/PullRequestClosed.yml | 29 ++++++++++++++++++++++++
.github/workflows/RequestReview.yml | 28 +++++++++++++++++++++++
.github/workflows/SubmitReview.yml | 30 +++++++++++++++++++++++++
3 files changed, 87 insertions(+)
create mode 100644 .github/workflows/PullRequestClosed.yml
create mode 100644 .github/workflows/RequestReview.yml
create mode 100644 .github/workflows/SubmitReview.yml
diff --git a/.github/workflows/PullRequestClosed.yml b/.github/workflows/PullRequestClosed.yml
new file mode 100644
index 00000000000..b50896eba02
--- /dev/null
+++ b/.github/workflows/PullRequestClosed.yml
@@ -0,0 +1,29 @@
+name: Pull Request Closed
+
+on:
+ pull_request:
+ types: [closed]
+
+jobs:
+ PullRequestMerged_job:
+ name: Pull Request Merged
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ pull-requests: read
+ # For external PR, ticket should be moved manually
+ if: |
+ github.event.pull_request.head.repo.full_name == github.repository
+ && github.event.pull_request.merged
+ steps:
+ - id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/kv/data/jira user | JIRA_USER;
+ development/kv/data/jira token | JIRA_TOKEN;
+ - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+ jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
diff --git a/.github/workflows/RequestReview.yml b/.github/workflows/RequestReview.yml
new file mode 100644
index 00000000000..5eac0d555d6
--- /dev/null
+++ b/.github/workflows/RequestReview.yml
@@ -0,0 +1,28 @@
+name: Request review
+
+on:
+ pull_request:
+ types: ["review_requested"]
+
+jobs:
+ RequestReview_job:
+ name: Request review
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ # For external PR, ticket should be moved manually
+ if: |
+ github.event.pull_request.head.repo.full_name == github.repository
+ steps:
+ - id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
+ development/kv/data/jira user | JIRA_USER;
+ development/kv/data/jira token | JIRA_TOKEN;
+ - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2
+ with:
+ github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+ jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
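Review bot: RequestReview.yml fetches a GitHub token from Vault (`development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;`) and passes it as `github-token`, whereas PullRequestClosed.yml in this same hunk and SubmitReview.yml on the next line use the job-scoped `${{secrets.GITHUB_TOKEN}}` under `pull-requests: read`; nothing in the file records why this one workflow needs a long-lived stored credential instead of the ephemeral one. If the default token genuinely cannot do what the RequestReview action needs (presumably so — I cannot tell from the action reference alone), a comment above the `secrets:` block such as `# Vault-held PAT: the job GITHUB_TOKEN lacks <permission needed by RequestReview> — do not replace with secrets.GITHUB_TOKEN` would keep the next maintainer from "harmonising" it, and if it can, the job token is the smaller blast radius and should be preferred. Separately, all three workflows reference `SonarSource/vault-action-wrapper@v3` and `sonarsource/gh-action-lt-backlog/...@v2` by mutable major tags; for steps that handle secrets the usual hardening is to pin the full commit SHA and keep the tag in a trailing comment, even for first-party actions.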
diff --git a/.github/workflows/SubmitReview.yml b/.github/workflows/SubmitReview.yml
new file mode 100644
index 00000000000..d5f22e6249e
--- /dev/null
+++ b/.github/workflows/SubmitReview.yml
@@ -0,0 +1,30 @@
+name: Submit Review
+
+on:
+ pull_request_review:
+ types: [submitted]
+
+jobs:
+ SubmitReview_job:
+ name: Submit Review
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ pull-requests: read
+ # For external PR, ticket should be moved manually
+ if: |
+ github.event.pull_request.head.repo.full_name == github.repository
+ && (github.event.review.state == 'changes_requested'
+ || github.event.review.state == 'approved')
+ steps:
+ - id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/kv/data/jira user | JIRA_USER;
+ development/kv/data/jira token | JIRA_TOKEN;
+ - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+ jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
From ed65d9debbdac13391483eda49069c7aaeb27dfd Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 7 Nov 2024 15:53:20 +0000
Subject: [PATCH 61/61] Create rule S7142: Supabase API keys should not be disclosed (APPSEC-2231) (#4474)
---
rules/S7142/metadata.json | 2 ++
rules/S7142/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
rules/S7142/secrets/rule.adoc | 33 ++++++++++++++++++
3 files changed, 91 insertions(+)
create mode 100644 rules/S7142/metadata.json
create mode 100644 rules/S7142/secrets/metadata.json
create mode 100644 rules/S7142/secrets/rule.adoc
diff --git a/rules/S7142/metadata.json b/rules/S7142/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7142/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7142/secrets/metadata.json b/rules/S7142/secrets/metadata.json
new file mode 100644
index 00000000000..3819176d446
--- /dev/null
+++ b/rules/S7142/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Supabase API tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7142",
+ "sqKey": "S7142",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7142/secrets/rule.adoc b/rules/S7142/secrets/rule.adoc
new file mode 100644
index 00000000000..5ff27c818c2
--- /dev/null
+++ b/rules/S7142/secrets/rule.adoc
@@ -0,0 +1,33 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: sb_secret_GuhIjOwQAViYHBZrXr0Z4KTvVXE
+:example_name: supabase.api-key
+:example_env: SUPABASE_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]