SONARJAVA-3464 Update rules metadata before 6.6

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2095_java.html

@@ -2,8 +2,8 @@
 <code>AutoCloseable</code>, needs to be closed after use. Further, that <code>close</code> call must be made in a <code>finally</code> block otherwise
 an exception could keep the call from being made. Preferably, when class implements <code>AutoCloseable</code>, resource should be created using
 "try-with-resources" pattern and will be closed automatically.</p>
-<p>Failure to properly close resources will result in a resource leak which could bring first the application and then perhaps the box it's on to
-their knees.</p>
+<p>Failure to properly close resources will result in a resource leak which could bring first the application and then perhaps the box the application
+is on to their knees.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 private void readTheFile() throws IOException {

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2277_java.json

@@ -7,10 +7,23 @@
     "constantCost": "20min"
   },
   "tags": [
-
+    "cwe",
+    "owasp-a6",
+    "sans-top25-porous",
+    "owasp-a3"
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-2277",
   "sqKey": "S2277",
-  "scope": "Main"
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      780,
+      327
+    ],
+    "OWASP": [
+      "A3",
+      "A6"
+    ]
+  }
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2278_java.json

@@ -7,10 +7,22 @@
     "constantCost": "20min"
   },
   "tags": [
-
+    "cwe",
+    "cert",
+    "owasp-a6",
+    "sans-top25-porous"
   ],
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-2278",
   "sqKey": "S2278",
-  "scope": "Main"
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      326,
+      327
+    ],
+    "OWASP": [
+      "A6"
+    ]
+  }
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2647_java.json

@@ -8,7 +8,6 @@
   },
   "tags": [
     "cwe",
-    "owasp-a6",
     "sans-top25-porous",
     "owasp-a3"
   ],
@@ -22,7 +21,6 @@
       311
     ],
     "OWASP": [
-      "A6",
       "A3"
     ]
   }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3011_java.json

@@ -7,16 +7,10 @@
     "constantCost": "30min"
   },
   "tags": [
-    "cert",
-    "owasp-a3"
+    "cert"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-3011",
   "sqKey": "S3011",
-  "scope": "Main",
-  "securityStandards": {
-    "OWASP": [
-      "A3"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S3400_java.html

@@ -9,7 +9,7 @@ <h2>Noncompliant Code Example</h2>
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
-static int bestNumber = 12;
+static final int BEST_NUMBER = 12;
 </pre>
 <h2>Exceptions</h2>
 <p>Methods with annotations, such as <code>@Override</code> and Spring's <code>@RequestMapping</code>, are ignored.</p>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4426_java.html

@@ -12,9 +12,9 @@
   <li> n ≥ 224 for ECDH and ECMQV (Examples: <code>secp192r1</code> is a non-compliant curve (<code>n</code> &lt; 224) but <code>secp224k1</code> is
   compliant (<code>n</code> &gt;= 224)) </li>
 </ul>
-<p><strong>Encryption and Decryption</strong>: </p>
+<p><strong>Symmetric keys</strong>: </p>
 <ul>
-  <li> AES-128, 192, 256 </li>
+  <li> key length ≥ 128 bits </li>
 </ul>
 <p>This rule will not raise issues for ciphers that are considered weak (no matter the key size) like <code>DES</code>, <code>Blowfish</code>.</p>
 <h2>Noncompliant Code Example</h2>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4784_java.json

@@ -3,21 +3,10 @@
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "tags": [
-    "cwe",
-    "owasp-a1",
-    "regex"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4784",
   "sqKey": "S4784",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      624,
-      185
-    ],
-    "OWASP": [
-      "A1"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4830_java.json

@@ -11,7 +11,6 @@
     "privacy",
     "cert",
     "owasp-a6",
-    "sans-top25-porous",
     "ssl",
     "owasp-a3"
   ],

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5344_java.html

@@ -58,6 +58,7 @@ <h2>See</h2>
   <li> <a href="http://cwe.mitre.org/data/definitions/328">MITRE, CWE-328</a> - Reversible One-Way Hash </li>
   <li> <a href="http://cwe.mitre.org/data/definitions/327">MITRE, CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
-  <li> https://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html </li>
+  <li> <a href="https://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html
+  ">https://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html</a> </li>
 </ul>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5344_java.json

@@ -11,8 +11,7 @@
     "spring",
     "owasp-a6",
     "sans-top25-porous",
-    "owasp-a2",
-    "owasp-a3"
+    "owasp-a2"
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5344",
@@ -25,8 +24,7 @@
     ],
     "OWASP": [
       "A2",
-      "A6",
-      "A3"
+      "A6"
     ]
   }
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5527_java.json

@@ -10,7 +10,6 @@
     "cwe",
     "privacy",
     "owasp-a6",
-    "sans-top25-porous",
     "ssl",
     "owasp-a3"
   ],

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5542_java.html

@@ -7,7 +7,7 @@
     <ul>
       <li> Electronic Codebook (ECB) mode is vulnerable because it doesn't provide serious message confidentiality: under a given key any given
       plaintext block always gets encrypted to the same ciphertext block. </li>
-      <li> Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is susceptible to padding oracle attacks. </li>
+      <li> Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is vulnerable to padding oracle attacks. </li>
     </ul> </li>
   <li> RSA encryption algorithm should be used with the recommended padding scheme (OAEP) </li>
 </ul>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5547_java.html

@@ -1,6 +1,7 @@
 <p><a href="https://en.wikipedia.org/wiki/Strong_cryptography">Strong cipher algorithms</a> are cryptographic systems resistant to cryptanalysis, they
 are not vulnerable to well-known attacks like brute force attacks for example. </p>
-<p>It is recommended to use only cipher algorithms intensively tested and promoted by the cryptographic community.</p>
+<p>A general recomandation is to only use cipher algorithms intensively tested and promoted by the cryptographic community.</p>
+<p>More specifically for block cipher, it's not recommended to use algorithm with a block size inferior than 128 bits.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 import javax.crypto.Cipher;

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5841_java.html

@@ -1,8 +1,9 @@
 <p>AssertJ assertions <code>allMatch</code> and <code>doesNotContains</code> on an empty list always&nbsp;returns true whatever the content of the
 predicate. Despite being correct, you should make explicit if you expect an empty list or not, by adding
-<code>isEmpty()</code>/<code>isNotEmpty()</code> before calling the assertion. It will justify the useless predicate to improve clarity or increase
-the reliability of the test.</p>
-<p>This rule raises an issue when any of the methods listed are used without asserting that the list is empty or not.</p>
+<code>isEmpty()</code>/<code>isNotEmpty()</code> in addition to calling the assertion, or by testing the list's content further. It will justify the
+useless predicate to improve clarity or increase the reliability of the test.</p>
+<p>This rule raises an issue when any of the methods listed are used without asserting that the list is empty or not and without testing the
+content.</p>
 <p>Targetted methods:</p>
 <ul>
   <li> <code>allMatch</code> </li>
@@ -30,6 +31,8 @@ <h2>Compliant Solution</h2>
 assertThat(logs).isEmpty();
 
 // Despite being redundant, this is also acceptable since it explains why you expect an empty list
-assertThat(logs).isEmpty().doesNotContain("error");
+assertThat(logs).doesNotContain("error").isEmpty();
+// or test the content of the list further
+assertThat(logs).contains("warning").doesNotContain("error");
 </pre>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5852_java.html

@@ -61,6 +61,7 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>See</h2>
 <ul>
+  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
   <li> <a href="https://cwe.mitre.org/data/definitions/400.html">MITRE, CWE-400</a> - Uncontrolled Resource Consumption </li>
   <li> <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">owasp.org</a> - OWASP Regular expression Denial
   of Service - ReDoS </li>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5852_java.json

@@ -8,8 +8,8 @@
   },
   "tags": [
     "cwe",
-    "regex",
-    "owasp-a6"
+    "owasp-a1",
+    "regex"
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5852",
@@ -20,7 +20,7 @@
       400
     ],
     "OWASP": [
-      "A6"
+      "A1"
     ]
   }
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5854_java.html

@@ -4,12 +4,12 @@ <h2>Noncompliant Code Example</h2>
 <pre>
 String s = "e\u0300";
 Pattern p = Pattern.compile("é|ë|è"); // Noncompliant
-System.out.println(p.matcher(s).replaceAll("e")); // print ‘é’
+System.out.println(p.matcher(s).replaceAll("e")); // print 'é'
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
 String s = "e\u0300";
 Pattern p = Pattern.compile("é|ë|è", Pattern.CANON_EQ);
-System.out.println(p.matcher(s).replaceAll("e")); // print ‘e’
+System.out.println(p.matcher(s).replaceAll("e")); // print 'e'
 </pre>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5869_java.html

@@ -1,15 +1,19 @@
 <p>Character classes in regular expressions are a convenient way to match one of several possible characters by listing the allowed characters or
 ranges of characters. If the same character is listed twice in the same character class or if the character class contains overlapping ranges, this
 has no effect.</p>
-<p>Thus duplicate characters in a character class are either a simple oversight or a sign that the author misunderstood how character classes work and
-wanted to match more than one character. A common example of the latter mistake is trying to use a range like <code>[0-99]</code> to match numbers of
-up to two digits, when in fact it is equivalent to <code>[0-9]</code>.</p>
+<p>Thus duplicate characters in a character class are either a simple oversight or a sign that a range in the character class matches more than is
+intended or that the author misunderstood how character classes work and wanted to match more than one character. A common example of the latter
+mistake is trying to use a range like <code>[0-99]</code> to match numbers of up to two digits, when in fact it is equivalent to <code>[0-9]</code>.
+Another common cause is forgetting to escape the `-` character, creating an unintended range that overlaps with other characters in the character
+class.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 str.matches("[0-99]") // Noncompliant, this won't actually match strings with two digits
+str.matches("[0-9.-_]") // Noncompliant, .-_ is a range that already contains 0-9 (as well as various other characters such as capital letters)
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
 str.matches("[0-9]{1,2}")
+str.matches("[0-9.\\-_]")
 </pre>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/Sonar_way_profile.json

@@ -352,7 +352,6 @@
     "S4684",
     "S4719",
     "S4738",
-    "S4784",
     "S4790",
     "S4792",
     "S4830",

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2020-06-18T14:34:25.059019Z",
+  "latest-update": "2020-07-15T12:00:39.489532200Z",
   "options": {
     "no-language-in-filenames": false,
     "preserve-filenames": false