SONARIAC-1789 Align software quality impact and defaultSeverities on …

…IaC Rules (#4485)
SonarSource · Nov 12, 2024 · d870aef · d870aef
1 parent 25b5633
commit d870aef
Show file tree

Hide file tree

Showing 10 changed files with 19 additions and 15 deletions.
diff --git a/rules/S6869/kubernetes/metadata.json b/rules/S6869/kubernetes/metadata.json
@@ -8,7 +8,7 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-6869",
   "sqKey": "S6869",
   "scope": "All",

diff --git a/rules/S7018/docker/metadata.json b/rules/S7018/docker/metadata.json
@@ -16,9 +16,7 @@
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "MEDIUM",
-      "RELIABILITY": "LOW",
-      "SECURITY": "LOW"
+      "MAINTAINABILITY": "LOW"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7019/docker/metadata.json b/rules/S7019/docker/metadata.json
@@ -17,7 +17,7 @@
   "code": {
     "impacts": {
       "MAINTAINABILITY": "MEDIUM",
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "MEDIUM"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
@@ -1,8 +1,14 @@
-In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions. The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell. This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
+In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions.
+The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell.
+This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
 
 == Why is this an issue?
 
-Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues. When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals. This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it. Moreover, the exec form provides more control and predictability over the execution of the command. It does not invoke a command shell, which means it does not have the potential side effects of shell processing. 
+Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues.
+When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals.
+This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it.
+Moreover, the exec form provides more control and predictability over the execution of the command.
+It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
 
 == How to fix it
 

diff --git a/rules/S7020/docker/metadata.json b/rules/S7020/docker/metadata.json
@@ -8,15 +8,15 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-7020",
   "sqKey": "S7020",
   "scope": "All",
   "defaultQualityProfiles": ["Sonar way"],
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "LOW"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7021/docker/metadata.json b/rules/S7021/docker/metadata.json
@@ -16,7 +16,7 @@
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "MEDIUM"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7023/docker/metadata.json b/rules/S7023/docker/metadata.json
@@ -17,7 +17,7 @@
   "code": {
     "impacts": {
       "MAINTAINABILITY": "MEDIUM",
-      "RELIABILITY": "HIGH",
+      "RELIABILITY": "MEDIUM",
       "SECURITY": "MEDIUM"
     },
     "attribute": "CONVENTIONAL"

diff --git a/rules/S7026/docker/metadata.json b/rules/S7026/docker/metadata.json
@@ -16,7 +16,7 @@
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "MEDIUM"
+      "MAINTAINABILITY": "LOW"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7030/docker/metadata.json b/rules/S7030/docker/metadata.json
@@ -8,7 +8,7 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-7030",
   "sqKey": "S7030",
   "scope": "All",

diff --git a/rules/S7031/docker/metadata.json b/rules/S7031/docker/metadata.json
@@ -8,15 +8,15 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-7031",
   "sqKey": "S7031",
   "scope": "All",
   "defaultQualityProfiles": ["Sonar way"],
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "LOW"
     },
     "attribute": "CONVENTIONAL"
   }