SONARJAVA-5114 Undo SONARJAVA-5102 (#4856)

Re-enable SE rules in default quality profile

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html

@@ -1,6 +1,3 @@
-<p>This rule is deprecated, and will eventually be removed.</p>
-<p><em>We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open
-Source for the community as a separate plugin and will receive no further updates by SonarSource.</em></p>
 <h2>Why is this an issue?</h2>
 <p>A reference to <code>null</code> should never be dereferenced/accessed. Doing so will cause a <code>NullPointerException</code> to be thrown. At
 best, such an exception will cause abrupt program termination. At worst, it could expose debugging information that would be useful to an attacker, or

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json

@@ -7,12 +7,16 @@
     },
     "attribute": "LOGICAL"
   },
-  "status": "deprecated",
+  "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "10min"
   },
-  "tags": [],
+  "tags": [
+    "cwe",
+    "cert",
+    "symbolic-execution"
+  ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2259",
   "sqKey": "S2259",

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html

@@ -1,6 +1,3 @@
-<p>This rule is deprecated, and will eventually be removed.</p>
-<p><em>We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open
-Source for the community as a separate plugin and will receive no further updates by SonarSource.</em></p>
 <h2>Why is this an issue?</h2>
 <p>Conditional expressions which are always <code>true</code> or <code>false</code> can lead to <a
 href="https://en.wikipedia.org/wiki/Unreachable_code">unreachable code</a>.</p>

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.json

@@ -7,12 +7,19 @@
     },
     "attribute": "LOGICAL"
   },
-  "status": "deprecated",
+  "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "15min"
   },
-  "tags": [],
+  "tags": [
+    "cwe",
+    "cert",
+    "unused",
+    "suspicious",
+    "pitfall",
+    "symbolic-execution"
+  ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2583",
   "sqKey": "S2583",

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.html

@@ -1,6 +1,3 @@
-<p>This rule is deprecated, and will eventually be removed.</p>
-<p><em>We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open
-Source for the community as a separate plugin and will receive no further updates by SonarSource.</em></p>
 <p>Gratuitous boolean expressions are conditions that do not change the evaluation of a program. This issue can indicate logical errors and affect the
 correctness of an application, as well as its maintainability.</p>
 <h2>Why is this an issue?</h2>

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.json

@@ -7,12 +7,17 @@
     },
     "attribute": "LOGICAL"
   },
-  "status": "deprecated",
+  "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "10min"
   },
-  "tags": [],
+  "tags": [
+    "cwe",
+    "suspicious",
+    "redundant",
+    "symbolic-execution"
+  ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2589",
   "sqKey": "S2589",

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.html

@@ -22,52 +22,43 @@ <h3>Code examples</h3>
 <p>The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE
 attacks if an attacker can control the XML file that is processed.</p>
 <h4>Noncompliant code example</h4>
-<pre>
-DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant
-</pre>
-<h4>Compliant solution</h4>
-<p>Protection from XXE can be done in several different ways. Choose one depending on how the affected parser object is used in your code.</p>
-<p><strong>1.</strong> The first way is to completely disable <code>DOCTYPE</code> declarations:</p>
-<pre>
-// Applicable to:
-// - DocumentBuilderFactory
-// - SAXParserFactory
-// - SchemaFactory
-factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
 
-// For XMLInputFactory:
-factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+public void decode() {
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant
+}
 </pre>
-<p><strong>2.</strong> Disable external entity declarations completely:</p>
-<pre>
-// Applicable to:
-// - DocumentBuilderFactory
-// - SAXParserFactory
-factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+<pre data-diff-id="2" data-diff-type="noncompliant">
+import javax.xml.stream.XMLInputFactory;
 
-// For XMLInputFactory:
-factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+public void decode() {
+    XMLInputFactory factory = XMLInputFactory.newInstance(); // Noncompliant
+}
 </pre>
-<p><strong>3.</strong> Prohibit the use of all protocols by external entities:</p>
-<pre>
-// `setAttribute` variant, applicable to:
-// - DocumentBuilderFactory
-// - TransformerFactory
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+<h4>Compliant solution</h4>
+<p>For <code>DocumentBuilderFactory</code>, <code>SAXParserFactory</code>, <code>TransformerFactory</code>, and <code>SchemaFactory</code> set
+<code>XMLConstants.FEATURE_SECURE_PROCESSING</code> to <code>true</code>.</p>
+<pre data-diff-id="1" data-diff-type="compliant">
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
 
-// `setProperty` variant, applicable to:
-// - XMLInputFactory
-// - SchemaFactory
-factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+public void decode() {
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+}
+</pre>
+<p>For <code>XMLInputFactory</code> set <code>SUPPORT_DTD</code> to <code>false</code>.</p>
+<pre data-diff-id="2" data-diff-type="compliant">
+import javax.xml.stream.XMLInputFactory;
 
-// For SAXParserFactory, the prohibition is done on child objects:
-SAXParser parser = factory.newSAXParser();
-parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+public void decode() {
+    XMLInputFactory factory = XMLInputFactory.newInstance();
+    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+}
 </pre>
+<p>Other combinations of settings are secure, but in general, it is recommendable to use the approaches shown here, as they are the most clear.</p>
 <h3>How does this work?</h3>
 <h4>Disable external entities</h4>
 <p>The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for
@@ -88,15 +79,15 @@ <h3>Code examples</h3>
 <p>The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE
 attacks if an attacker can control the XML file that is processed.</p>
 <h4>Noncompliant code example</h4>
-<pre data-diff-id="1" data-diff-type="noncompliant">
+<pre data-diff-id="21" data-diff-type="noncompliant">
 import org.dom4j.io.SAXReader;
 
 public void decode() {
     SAXReader xmlReader = new SAXReader(); // Noncompliant
 }
 </pre>
 <h4>Compliant solution</h4>
-<pre data-diff-id="1" data-diff-type="compliant">
+<pre data-diff-id="21" data-diff-type="compliant">
 import org.dom4j.io.SAXReader;
 
 public void decode() {
@@ -131,7 +122,38 @@ <h4>Compliant solution</h4>
 public void decode() {
     SAXBuilder builder = new SAXBuilder();
     builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-    builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+}
+</pre>
+<h3>How does this work?</h3>
+<h4>Disable external entities</h4>
+<p>The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for
+specific use cases. By default, XML parsers should be configured to reject the processing of external entities. This can be achieved by setting the
+appropriate properties or options in your XML parser library or framework.</p>
+<p>If external entity processing is necessary for certain scenarios, adopt a whitelisting approach to restrict the entities that can be resolved
+during XML parsing. Create a list of trusted external entities and disallow all others. This approach ensures that only known and safe entities are
+processed.<br> You should rely on features provided by your XML parser to restrict the external entities.</p>
+<h2>How to fix it in SAX</h2>
+<h3>Code examples</h3>
+<p>The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE
+attacks if an attacker can control the XML file that is processed.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="31" data-diff-type="noncompliant">
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+public void decode() {
+    XMLReader reader = XMLReaderFactory.createXMLReader(); // Noncompliant
+}
+</pre>
+<h4>Compliant solution</h4>
+<p>Set <code>disallow-doctype-decl</code> to <code>true</code>.</p>
+<pre data-diff-id="31" data-diff-type="compliant">
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+public void decode() {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 }
 </pre>
 <h3>How does this work?</h3>

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html

@@ -1,6 +1,3 @@
-<p>This rule is deprecated, and will eventually be removed.</p>
-<p><em>We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open
-Source for the community as a separate plugin and will receive no further updates by SonarSource.</em></p>
 <p>If the denominator to an integer division or remainder operation is zero, a <code>ArithmeticException</code> is thrown.</p>
 <p>This error will crash your program in most cases. To fix it, you need to ensure that the denominator value in all division operations is always
 non-zero, or check the value against zero before performing the division.</p>

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json

@@ -7,12 +7,17 @@
     },
     "attribute": "LOGICAL"
   },
-  "status": "deprecated",
+  "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "5 min"
   },
-  "tags": [],
+  "tags": [
+    "cwe",
+    "denial-of-service",
+    "cert",
+    "symbolic-execution"
+  ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-3518",
   "sqKey": "S3518",

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html

@@ -1,6 +1,3 @@
-<p>This rule is deprecated, and will eventually be removed.</p>
-<p><em>We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open
-Source for the community as a separate plugin and will receive no further updates by SonarSource.</em></p>
 <h2>Why is this an issue?</h2>
 <p><code>Optional</code> value can hold either a value or not. The value held in the <code>Optional</code> can be accessed using the
 <code>get()</code> method, but it will throw a</p>

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json

@@ -7,12 +7,15 @@
     },
     "attribute": "COMPLETE"
   },
-  "status": "deprecated",
+  "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "10min"
   },
-  "tags": [],
+  "tags": [
+    "cwe",
+    "symbolic-execution"
+  ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-3655",
   "sqKey": "S3655",

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html

@@ -1,5 +1,3 @@
-<p><em>We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open
-Source for the community as a separate plugin and will receive no further updates by SonarSource.</em></p>
 <h2>Why is this an issue?</h2>
 <p>Stream operations are divided into intermediate and terminal operations, and are combined to form stream pipelines. After the terminal operation is
 performed, the stream pipeline is considered consumed, and cannot be used again. Such a reuse will yield unexpected results.</p>

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json

@@ -7,12 +7,15 @@
     },
     "attribute": "LOGICAL"
   },
-  "status": "deprecated",
+  "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "10min"
   },
-  "tags": [],
+  "tags": [
+    "java8",
+    "symbolic-execution"
+  ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-3959",
   "sqKey": "S3959",

java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json

@@ -4,13 +4,19 @@
     "S2095",
     "S2189",
     "S2222",
+    "S2259",
+    "S2583",
+    "S2589",
     "S2637",
     "S2689",
     "S2755",
     "S3065",
     "S3516",
+    "S3518",
+    "S3655",
     "S3824",
     "S3958",
+    "S3959",
     "S4165",
     "S4449",
     "S6373",

java-symbolic-execution/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2024-08-30T06:58:12.220861855Z",
+  "latest-update": "2024-09-09T13:33:21.851483206Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false