SONARJAVA-3444 Deprecate 10 security-hotspot rules that overlap with …

…security-injection rules (#3040)

The following rules are deprecated and will eventually be removed because their overlap with security-injection rules:

S4508 RSPEC-4508 Deserializing objects from an untrusted source is security-sensitive
S4510 RSPEC-4510 Deserializing with XMLDecoder is security-sensitive
S4530 RSPEC-4530 Using Struts 1 ActionForm is security-sensitive
S4531 RSPEC-4531 Using setters in Struts 2 ActionSupport is security-sensitive
S4818 RSPEC-4818 Using Sockets is security-sensitive
S4823 RSPEC-4823 Using command line arguments is security-sensitive
S4829 RSPEC-4829 Reading the Standard Input is security-sensitive
S5300 RSPEC-5300 Sending emails is security-sensitive
S5304 RSPEC-5304 Using environment variables is security-sensitive
S5326 RSPEC-5326 Validating SSL/TLS connections is security-sensitive

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4508_java.html

@@ -48,4 +48,6 @@ <h2>See</h2>
   <li> <a href="https://cwe.mitre.org/data/definitions/502.html">MITRE, CWE-502</a> - Deserialization of Untrusted Data </li>
   <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION">OBJECT_DESERIALIZATION </a> </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4508_java.json

@@ -1,25 +1,16 @@
 {
   "title": "Deserializing objects from an untrusted source is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "15min"
   },
   "tags": [
-    "cwe",
-    "owasp-a8"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4508",
   "sqKey": "S4508",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      502
-    ],
-    "OWASP": [
-      "A8"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4510_java.html

@@ -36,4 +36,6 @@ <h2>See</h2>
   <li> <a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">OWASP Deserialization of untrusted data</a> </li>
   <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#XML_DECODER">XML_DECODER </a> </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4510_java.json

@@ -1,27 +1,16 @@
 {
   "title": "Deserializing with XMLDecoder is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "15min"
   },
   "tags": [
-    "cwe",
-    "owasp-a1",
-    "owasp-a8"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4510",
   "sqKey": "S4510",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      502
-    ],
-    "OWASP": [
-      "A1",
-      "A8"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4530_java.html

@@ -38,4 +38,6 @@ <h2>See</h2>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
   <li> <a href="https://cwe.mitre.org/data/definitions/105.html">MITRE, CWE-105</a>: Struts Form Field Without Validator </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4530_java.json

@@ -1,23 +1,16 @@
 {
   "title": "Using Struts 1 ActionForm is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "15min"
   },
   "tags": [
-    "cwe",
-    "owasp-a1",
-    "struts"
+
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-4530",
   "sqKey": "S4530",
-  "scope": "Main",
-  "securityStandards": {
-    "OWASP": [
-      "A1"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4531_java.html

@@ -40,4 +40,6 @@ <h2>See</h2>
 <ul>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4531_java.json

@@ -1,22 +1,16 @@
 {
   "title": "Using setters in Struts 2 ActionSupport is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "15min"
   },
   "tags": [
-    "owasp-a1",
-    "struts"
+
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-4531",
   "sqKey": "S4531",
-  "scope": "Main",
-  "securityStandards": {
-    "OWASP": [
-      "A1"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4818_java.html

@@ -18,7 +18,7 @@ <h2>Ask Yourself Whether</h2>
   <li> input received from sockets is used without being sanitized. </li>
   <li> sensitive data is sent via sockets without being encrypted. </li>
 </ul>
-<p>You are at risk if you answered yes to any of these questions.</p>
+<p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
   <li> In many cases there is no need to open a socket yourself. Use instead libraries and existing protocols. </li>
@@ -115,4 +115,6 @@ <h2>See</h2>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat2">SANS Top 25</a> - Risky Resource Management </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4818_java.json

@@ -1,25 +1,12 @@
 {
   "title": "Using Sockets is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "tags": [
-    "cwe",
-    "sans-top25-risky",
-    "sans-top25-porous",
-    "owasp-a3"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4818",
   "sqKey": "S4818",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      20,
-      200,
-      400
-    ],
-    "OWASP": [
-      "A3"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4823_java.html

@@ -116,4 +116,6 @@ <h2>See</h2>
   <li> <a href="https://cwe.mitre.org/data/definitions/214.html">MITRE, CWE-214</a> - Information Exposure Through Process Environment </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4823_java.json

@@ -1,23 +1,12 @@
 {
   "title": "Using command line arguments is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "tags": [
-    "cwe",
-    "owasp-a1",
-    "sans-top25-insecure"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4823",
   "sqKey": "S4823",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      88,
-      214
-    ],
-    "OWASP": [
-      "A1"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4829_java.html

@@ -41,4 +41,6 @@ <h2>See:</h2>
 <ul>
   <li> <a href="https://cwe.mitre.org/data/definitions/20.html">MITRE, CWE-20</a> - Improper Input Validation </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S4829_java.json

@@ -1,17 +1,12 @@
 {
   "title": "Reading the Standard Input is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "tags": [
-    "cwe"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4829",
   "sqKey": "S4829",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      20
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5300_java.html

@@ -56,4 +56,6 @@ <h2>See</h2>
   (Basic XSS) </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5300_java.json

@@ -1,23 +1,12 @@
 {
   "title": "Sending emails is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "tags": [
-    "cwe",
-    "owasp-a1",
-    "sans-top25-insecure"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5300",
   "sqKey": "S5300",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      93,
-      80
-    ],
-    "OWASP": [
-      "A1"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5304_java.html

@@ -46,4 +46,6 @@ <h2>See</h2>
   <li> <a href="http://cwe.mitre.org/data/definitions/74.html">MITRE, CWE-74</a> - Improper Neutralization of Special Elements in Output Used by a
   Downstream Component ('Injection') </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated, and will eventually be removed.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5304_java.json

@@ -1,18 +1,12 @@
 {
   "title": "Using environment variables is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "tags": [
-    "cwe"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5304",
   "sqKey": "S5304",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      526,
-      74
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5326_java.html

@@ -62,4 +62,6 @@ <h2>See</h2>
   <li> <a href="http://cwe.mitre.org/data/definitions/295.html">MITRE, CWE-295</a> - Improper Certificate Validation </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
 </ul>
+<h2>Deprecated</h2>
+<p>This rule is deprecated; use {rule:java:S4423}, {rule:java:S4830}, {rule:java:S5527} instead.</p>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S5326_java.json

@@ -1,24 +1,12 @@
 {
   "title": "Validating SSL\/TLS connections is security-sensitive",
   "type": "SECURITY_HOTSPOT",
-  "status": "ready",
+  "status": "deprecated",
   "tags": [
-    "cwe",
-    "owasp-a6",
-    "sans-top25-porous",
-    "owasp-a3"
+
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5326",
   "sqKey": "S5326",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      295
-    ],
-    "OWASP": [
-      "A6",
-      "A3"
-    ]
-  }
+  "scope": "Main"
 }

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/Sonar_way_profile.json

@@ -341,8 +341,6 @@
     "S4488",
     "S4502",
     "S4507",
-    "S4508",
-    "S4510",
     "S4512",
     "S4517",
     "S4524",
@@ -357,9 +355,6 @@
     "S4784",
     "S4790",
     "S4792",
-    "S4818",
-    "S4823",
-    "S4829",
     "S4830",
     "S4834",
     "S4838",
@@ -371,13 +366,10 @@
     "S5122",
     "S5164",
     "S5261",
-    "S5300",
     "S5301",
-    "S5304",
     "S5320",
     "S5322",
     "S5324",
-    "S5326",
     "S5344",
     "S5361",
     "S5411",