From d0852a728f4928c24b07c085d8d7e242b23843ac Mon Sep 17 00:00:00 2001 From: Johann Beleites Date: Mon, 9 Sep 2024 16:09:12 +0200 Subject: [PATCH] SONARJAVA-5114 Undo SONARJAVA-5102 (#4856) Re-enable SE rules in default quality profile --- .../sonar/l10n/java/rules/javase/S2259.html | 3 - .../sonar/l10n/java/rules/javase/S2259.json | 8 +- .../sonar/l10n/java/rules/javase/S2583.html | 3 - .../sonar/l10n/java/rules/javase/S2583.json | 11 +- .../sonar/l10n/java/rules/javase/S2589.html | 3 - .../sonar/l10n/java/rules/javase/S2589.json | 9 +- .../sonar/l10n/java/rules/javase/S2755.html | 106 +++++++++++------- .../sonar/l10n/java/rules/javase/S3518.html | 3 - .../sonar/l10n/java/rules/javase/S3518.json | 9 +- .../sonar/l10n/java/rules/javase/S3655.html | 3 - .../sonar/l10n/java/rules/javase/S3655.json | 7 +- .../sonar/l10n/java/rules/javase/S3959.html | 2 - .../sonar/l10n/java/rules/javase/S3959.json | 7 +- .../java/rules/javase/Sonar_way_profile.json | 6 + java-symbolic-execution/sonarpedia.json | 2 +- 15 files changed, 110 insertions(+), 72 deletions(-) diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html index 281a98b839f..25a93c7f4df 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html @@ -1,6 +1,3 @@ -

This rule is deprecated, and will eventually be removed.

-

We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.

Why is this an issue?

A reference to null should never be dereferenced/accessed. Doing so will cause a NullPointerException to be thrown. At best, such an exception will cause abrupt program termination. At worst, it could expose debugging information that would be useful to an attacker, or diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json index 8af0ec16035..996c08831db 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json @@ -7,12 +7,16 @@ }, "attribute": "LOGICAL" }, - "status": "deprecated", + "status": "ready", "remediation": { "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [], + "tags": [ + "cwe", + "cert", + "symbolic-execution" + ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2259", "sqKey": "S2259", diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html index 64a067ce286..7ed81864ec5 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html @@ -1,6 +1,3 @@ -

This rule is deprecated, and will eventually be removed.

-

We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.

Why is this an issue?

Conditional expressions which are always true or false can lead to unreachable code.

diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.json index a5e24f5c34f..209234d914e 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.json +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.json @@ -7,12 +7,19 @@ }, "attribute": "LOGICAL" }, - "status": "deprecated", + "status": "ready", "remediation": { "func": "Constant\/Issue", "constantCost": "15min" }, - "tags": [], + "tags": [ + "cwe", + "cert", + "unused", + "suspicious", + "pitfall", + "symbolic-execution" + ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2583", "sqKey": "S2583", diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.html index d41184cde24..27c4b357eba 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.html +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.html @@ -1,6 +1,3 @@ -

This rule is deprecated, and will eventually be removed.

-

We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.

Gratuitous boolean expressions are conditions that do not change the evaluation of a program. This issue can indicate logical errors and affect the correctness of an application, as well as its maintainability.

Why is this an issue?

diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.json index 0d5000de732..7d4f2978b40 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.json +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2589.json @@ -7,12 +7,17 @@ }, "attribute": "LOGICAL" }, - "status": "deprecated", + "status": "ready", "remediation": { "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [], + "tags": [ + "cwe", + "suspicious", + "redundant", + "symbolic-execution" + ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2589", "sqKey": "S2589", diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.html index c3d23046475..e5b9d5169ca 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.html +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.html @@ -22,52 +22,43 @@

Code examples

The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE attacks if an attacker can control the XML file that is processed.

Noncompliant code example

-
-DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant
-
-

Compliant solution

-

Protection from XXE can be done in several different ways. Choose one depending on how the affected parser object is used in your code.

-

1. The first way is to completely disable DOCTYPE declarations:

-
-// Applicable to:
-// - DocumentBuilderFactory
-// - SAXParserFactory
-// - SchemaFactory
-factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
 
-// For XMLInputFactory:
-factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+public void decode() {
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant
+}
 
-

2. Disable external entity declarations completely:

-
-// Applicable to:
-// - DocumentBuilderFactory
-// - SAXParserFactory
-factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
+import javax.xml.stream.XMLInputFactory;
 
-// For XMLInputFactory:
-factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+public void decode() {
+    XMLInputFactory factory = XMLInputFactory.newInstance(); // Noncompliant
+}
 
-

3. Prohibit the use of all protocols by external entities:

-
-// `setAttribute` variant, applicable to:
-// - DocumentBuilderFactory
-// - TransformerFactory
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+

Compliant solution

+

For DocumentBuilderFactory, SAXParserFactory, TransformerFactory, and SchemaFactory set +XMLConstants.FEATURE_SECURE_PROCESSING to true.

+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
 
-// `setProperty` variant, applicable to:
-// - XMLInputFactory
-// - SchemaFactory
-factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+public void decode() {
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+}
+
+

For XMLInputFactory set SUPPORT_DTD to false.

+
+import javax.xml.stream.XMLInputFactory;
 
-// For SAXParserFactory, the prohibition is done on child objects:
-SAXParser parser = factory.newSAXParser();
-parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+public void decode() {
+    XMLInputFactory factory = XMLInputFactory.newInstance();
+    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+}
 
+

Other combinations of settings are secure, but in general, it is recommendable to use the approaches shown here, as they are the most clear.

How does this work?

Disable external entities

The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for @@ -88,7 +79,7 @@
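Review bot: The new compliant solution at the `XMLConstants.FEATURE_SECURE_PROCESSING` paragraph presents that single feature as sufficient for DocumentBuilderFactory, SAXParserFactory, TransformerFactory and SchemaFactory, but as far as I recall that only holds for the JDK's built-in JAXP implementation, where explicitly enabling secure processing also defaults the external-access properties to the empty string; with a standalone Xerces or another third-party parser on the classpath, FEATURE_SECURE_PROCESSING mainly bounds entity expansion and does not by itself stop external DTD or entity resolution. A reader copying this example onto such a stack would believe the parser is hardened while still being exposed to XXE. I would add one sentence after that example, e.g. `This relies on the JDK's default XML implementation; with a third-party parser (for example a standalone Xerces) also set "http://apache.org/xml/features/disallow-doctype-decl" to true, or set XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "".` The SAX section added further down in this file already recommends disallow-doctype-decl, so the two sections would then give consistent advice.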

Code examples

The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE attacks if an attacker can control the XML file that is processed.

Noncompliant code example

-
+
 import org.dom4j.io.SAXReader;
 
 public void decode() {
@@ -96,7 +87,7 @@ 

Noncompliant code example

}

Compliant solution

-
+
 import org.dom4j.io.SAXReader;
 
 public void decode() {
@@ -131,7 +122,38 @@ 

Compliant solution

public void decode() { SAXBuilder builder = new SAXBuilder(); builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); +} +
+

How does this work?

+

Disable external entities

+

The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for +specific use cases. By default, XML parsers should be configured to reject the processing of external entities. This can be achieved by setting the +appropriate properties or options in your XML parser library or framework.

+

If external entity processing is necessary for certain scenarios, adopt a whitelisting approach to restrict the entities that can be resolved +during XML parsing. Create a list of trusted external entities and disallow all others. This approach ensures that only known and safe entities are +processed.
You should rely on features provided by your XML parser to restrict the external entities.

+

How to fix it in SAX

+

Code examples

+

The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE +attacks if an attacker can control the XML file that is processed.

+

Noncompliant code example

+
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+public void decode() {
+    XMLReader reader = XMLReaderFactory.createXMLReader(); // Noncompliant
+}
+
+

Compliant solution

+

Set disallow-doctype-decl to true.

+
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+public void decode() {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 }
 

How does this work?

diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html index 70c5efefa77..4606b5c6e94 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html @@ -1,6 +1,3 @@ -

This rule is deprecated, and will eventually be removed.

-

We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.

If the denominator to an integer division or remainder operation is zero, a ArithmeticException is thrown.

This error will crash your program in most cases. To fix it, you need to ensure that the denominator value in all division operations is always non-zero, or check the value against zero before performing the division.

diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json index 3a87d8bf167..705cd54208a 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json @@ -7,12 +7,17 @@ }, "attribute": "LOGICAL" }, - "status": "deprecated", + "status": "ready", "remediation": { "func": "Constant\/Issue", "constantCost": "5 min" }, - "tags": [], + "tags": [ + "cwe", + "denial-of-service", + "cert", + "symbolic-execution" + ], "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-3518", "sqKey": "S3518", diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html index 1fe428a716e..65425e88561 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html @@ -1,6 +1,3 @@ -

This rule is deprecated, and will eventually be removed.

-

We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.

Why is this an issue?

Optional value can hold either a value or not. The value held in the Optional can be accessed using the get() method, but it will throw a

diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json index 18f019bcdfb..3df00f4ec4d 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json @@ -7,12 +7,15 @@ }, "attribute": "COMPLETE" }, - "status": "deprecated", + "status": "ready", "remediation": { "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [], + "tags": [ + "cwe", + "symbolic-execution" + ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-3655", "sqKey": "S3655", diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html index 560fec93157..ca7ea71c547 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html @@ -1,5 +1,3 @@ -

We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.

Why is this an issue?

Stream operations are divided into intermediate and terminal operations, and are combined to form stream pipelines. After the terminal operation is performed, the stream pipeline is considered consumed, and cannot be used again. Such a reuse will yield unexpected results.

diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json index f4cd2d0cf42..9f52687f34e 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json @@ -7,12 +7,15 @@ }, "attribute": "LOGICAL" }, - "status": "deprecated", + "status": "ready", "remediation": { "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [], + "tags": [ + "java8", + "symbolic-execution" + ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-3959", "sqKey": "S3959", diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json index aa8d52dff25..bf73889643a 100644 --- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json +++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json @@ -4,13 +4,19 @@ "S2095", "S2189", "S2222", + "S2259", + "S2583", + "S2589", "S2637", "S2689", "S2755", "S3065", "S3516", + "S3518", + "S3655", "S3824", "S3958", + "S3959", "S4165", "S4449", "S6373", diff --git a/java-symbolic-execution/sonarpedia.json b/java-symbolic-execution/sonarpedia.json index 946a3fec84a..77e5b4f41f7 100644 --- a/java-symbolic-execution/sonarpedia.json +++ b/java-symbolic-execution/sonarpedia.json 
@@ -3,7 +3,7 @@
 "languages": [
 "JAVA"
 ],
- "latest-update": "2024-08-30T06:58:12.220861855Z",
+ "latest-update": "2024-09-09T13:33:21.851483206Z",
 "options": {
 "no-language-in-filenames": true,
 "preserve-filenames": false