Merged
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,6 @@ <h2>Noncompliant Code Example</h2>
void doSomethingElse() {
System.out.println("Hello, world!");; // Noncompliant - double ;
...
for (int i = 0; i &lt; 3; System.out.println(i), i++); // Noncompliant - Rarely, they are used on purpose as the body of a loop. It is a bad practice to have side-effects outside of the loop body
...
}
</pre>
<h2>Compliant Solution</h2>
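Review bot: deleting the `for (int i = 0; i &lt; 3; System.out.println(i), i++);` line removes the only loop case from the Noncompliant section, while the Compliant Solution in the next hunk adds `for (int i = 0; i &lt; 3; i++) ;` as an accepted empty-body loop. Keep a noncompliant loop form here (the deleted line, an empty statement with side effects pushed into the update clause, is a good one) so the two sections still contrast, and move the explanation of when an empty loop body is tolerated into the rule description instead of a trailing comment on the example.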
Expand All @@ -23,9 +21,7 @@ <h2>Compliant Solution</h2>
void doSomethingElse() {
System.out.println("Hello, world!");
...
for (int i = 0; i &lt; 3; i++){
System.out.println(i);
}
for (int i = 0; i &lt; 3; i++) ; // compliant if unique statement of a loop
...
}
</pre>
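Review bot: `for (int i = 0; i &lt; 3; i++) ; // compliant if unique statement of a loop` is ambiguous; "unique statement of a loop" can be read as the empty statement being the loop itself rather than its body. State the condition precisely (an empty statement is tolerated only when it is the entire loop body) or write the body as an empty block `{}`, which is the idiomatic way to show a deliberately empty loop and does not rely on a bare `;`.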
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,5 @@ <h2>See</h2>
<li> <a href="https://www.securecoding.cert.org/confluence/x/nYFtAg">CERT, EXP45-C.</a> - Do not perform assignments in selection statements </li>
<li> <a href="https://www.securecoding.cert.org/confluence/x/1gCTAw">CERT, EXP51-J.</a> - Do not perform assignments in conditional expressions
</li>
<li> <a href="https://www.securecoding.cert.org/confluence/x/KQvhAg">CERT, EXP19-CPP.</a> - Do not perform assignments in conditional expressions
</li>
</ul>
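Review bot: removing CERT EXP19-CPP makes sense for a Java rule, but `CERT, EXP45-C.` on the line above is a C reference kept for no different reason; either keep both language-specific entries or remove both and leave only EXP51-J.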

Original file line number Diff line number Diff line change
@@ -1,36 +1,18 @@
<p>A dead store happens when a local variable is assigned a value, including <code>null</code>, that is not read by any subsequent instruction.
Calculating or retrieving a value only to then overwrite it or throw it away, could indicate a serious error in the code. Even if it's not an error,
it is at best a waste of resources. </p>
<p>Even assigning <code>null</code> to a variable is a dead store if the variable is not subsequently used. Assigning null as a hint to the garbage
collector used to be common practice, but is no longer needed and such code should be eliminated.</p>
<p>A dead store happens when a local variable is assigned a value that is not read by any subsequent instruction. Calculating or retrieving a value
only to then overwrite it or throw it away, could indicate a serious error in the code. Even if it's not an error, it is at best a waste of resources.
Therefore all calculated values should be used.</p>
<h2>Noncompliant Code Example</h2>
<pre>
public void pow(int a, int b) {
if(b == 0) {
return 0;
}
int x = a;
for(int i= 1, i &lt; b, i++) {
x = x * a; //Dead store because the last return statement should return x instead of returning a
}
return a;
}
i = a + b; // Noncompliant; calculation result not used before value is overwritten
i = compute();
</pre>
<h2>Compliant Solution</h2>
<pre>
public void pow(int a, int b) {
if(b == 0) {
return 0;
}
int x = a;
for(int i= 1, i &lt; b, i++) {
x = x * a;
}
return x;
}
i = a + b;
i += compute();
</pre>
<h2>Exceptions</h2>
<p>This rule ignores initializations to -1, 0, 1, <code>null</code>, empty string (<code>""</code>), <code>true</code>, and <code>false</code>.</p>
<p>This rule ignores initializations to -1, 0, 1, <code>null</code>, <code>true</code>, <code>false</code> and <code>""</code>.</p>
<h2>See</h2>
<ul>
<li> <a href="http://cwe.mitre.org/data/definitions/563.html">MITRE, CWE-563</a> - Assignment to Variable without Use ('Unused Variable') </li>
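Review bot: the rewrite drops the sentence explaining that assigning `null` as a hint to the garbage collector is no longer needed, which is the rationale for flagging `x = null` dead stores; the new description says only "a value" and never mentions `null` outside the Exceptions list. Keep one sentence on the `null` case. Replacing the `pow` example is an improvement, since the deleted snippet did not compile (`for(int i= 1, i &lt; b, i++)` uses commas instead of semicolons and `public void pow` returns values), but the new `i = a + b; i = compute();` fragment should declare `i` and `compute()` or say they are elided. The Exceptions change only reorders the same list (`-1, 0, 1, null, true, false, ""`), so it can be dropped to keep the diff minimal.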
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"cwe",
"error-handling",
"cert",
"owasp-a6"
"owasp-a3"
],
"standards": [
"CWE",
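Review bot: only the tag moves from `owasp-a6` to `owasp-a3`; no `.html` hunk for this rule (the one tagged `error-handling` and `cert`) appears in the diff, so confirm its See section also lists "OWASP Top 10 2017 Category A3 - Sensitive Data Exposure", otherwise the metadata tag and the description disagree.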
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,7 @@ <h2>See</h2>
<ul>
<li> <a href="http://cwe.mitre.org/data/definitions/328">MITRE, CWE-328</a> - Reversible One-Way Hash </li>
<li> <a href="http://cwe.mitre.org/data/definitions/327">MITRE, CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
<li> OWASP Top 10 2017 Category A3 - Sensitive Data Exposure </li>
<li> OWASP Top 10 2017 Category A6 - Security Misconfiguration </li>
<li> <a href="http://www.sans.org/top25-software-errors/">SANS Top 25</a> - Porous Defenses </li>
<li> Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#WEAK_MESSAGE_DIGEST">MessageDigest Is Weak</a> </li>
</ul>
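Review bot: with `-25,8 +25,7` one of the two OWASP lines was removed but the rendered diff does not show which. For a weak `MessageDigest` rule (CWE-328, CWE-327 above) the line to keep is "A3 - Sensitive Data Exposure", the 2017 category that covers weak hashing; "A6 - Security Misconfiguration" is the one to drop. Please confirm A6 is the deleted line.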

Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,5 @@ <h2>See</h2>
<li> <a href="http://cwe.mitre.org/data/definitions/88">MITRE, CWE-88</a> - Argument Injection or Modification </li>
<li> OWASP Top 10 2017 Category A1 - Injection </li>
<li> <a href="http://www.sans.org/top25-software-errors/">SANS Top 25</a> - Insecure Interaction Between Components </li>
<li> Derived from the FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#COMMAND_INJECTION">Potential Command Injection</a>
</li>
</ul>
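Review bot: deleting the "Derived from the FindSecBugs rule ... Potential Command Injection" entry removes the provenance users rely on to map FindSecBugs findings to this rule. If the derived-from links are being dropped on purpose, the DES rule later in this diff still keeps its "Derived from FindSecBugs rule DES / DESede Unsafe" line, so the change is inconsistent; apply one convention across the set.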

Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@
},
"tags": [
"cwe",
"owasp-a6",
"owasp-a2"
"owasp-a2",
"owasp-a3"
],
"standards": [
"CWE",
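Review bot: the intended change is `owasp-a6` to `owasp-a3`, but the hunk also moves `owasp-a2`, so two lines are removed and two re-added for a one-tag swap. Keep the original order and replace only the `owasp-a6` line so the diff shows what actually changed.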
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"tags": [
"cwe",
"cert",
"owasp-a6"
"owasp-a3"
],
"standards": [
"CWE",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,5 @@ <h2>See</h2>
<li> <a href="http://cwe.mitre.org/data/definitions/807">MITRE, CWE-807</a> - Reliance on Untrusted Inputs in a Security Decision </li>
<li> <a href="http://www.sans.org/top25-software-errors/">SANS Top 25</a> - Porous Defenses </li>
<li> OWASP Top 10 2017 Category A2 - Broken Authentication </li>
<li> Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#SERVLET_SESSION_ID">Untrusted Session Cookie Value</a>
</li>
</ul>
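Review bot: same issue as the command-injection rule: the "Derived from FindSecBugs rule ... Untrusted Session Cookie Value" line is removed here while the DES rule in this diff keeps its FindSecBugs reference; pick one convention for the derived-from entries.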

Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@
},
"tags": [
"cwe",
"owasp-a6",
"sans-top25-porous"
"sans-top25-porous",
"owasp-a3"
],
"standards": [
"CWE",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,11 @@
any way. As a consequence, the ciphertext is identical to the plaintext. So this class should be used for testing, and never in production code.</p>
<h2>Noncompliant Code Example</h2>
<pre>
NullCipher nc=new NullCipher();
NullCipher nc = new NullCipher();
</pre>
<h2>See</h2>
<ul>
<li> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327</a>: Use of a Broken or Risky Cryptographic Algorithm </li>
<li> OWASP Top 10 2017 Category A3 - Sensitive Data Exposure </li>
<li> Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#NULL_CIPHER">NullCipher Unsafe</a> </li>
<li> <a href="http://cwe.mitre.org/data/definitions/327.html">CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
<li> OWASP Top 10 2017 Category A6 - Security Misconfiguration </li>
</ul>
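Review bot: `NullCipher` performs no encryption at all, so the ciphertext is the plaintext, which is sensitive-data exposure (A3), not a configuration problem (A6); the change from "A3 - Sensitive Data Exposure" to "A6 - Security Misconfiguration" looks wrong. Separately, the new CWE line reads `CWE-327</a> - Use of a Broken ...` without the `MITRE, ` prefix that the other rules in this diff use (`MITRE, CWE-327`); align the label while touching the line.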

Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"cwe",
"owasp-a6",
"sans-top25-porous",
"owasp-a5"
"owasp-a3"
],
"standards": [
"CWE",
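Review bot: after this change the rule carries both `owasp-a6` (unchanged, two lines up) and the new `owasp-a3`. The other tag hunks in this diff leave a single OWASP category per rule; if that is the intent here, remove `owasp-a6` as well, otherwise say why this rule maps to two categories.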
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,9 @@ <h2>Compliant Solution</h2>
</pre>
<h2>See</h2>
<ul>
<li> <a href="http://cwe.mitre.org/data/definitions/326.html">MITRE CWE-326</a> - Inadequate Encryption Strength </li>
<li> <a href="http://cwe.mitre.org/data/definitions/327.html">MITRE CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
<li> OWASP Top 10 2017 Category A3 - Sensitive Data Exposure </li>
<li> <a href="http://cwe.mitre.org/data/definitions/326.html">MITRE, CWE-326</a> - Inadequate Encryption Strength </li>
<li> <a href="http://cwe.mitre.org/data/definitions/327.html">MITRE, CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
<li> OWASP Top 10 2017 Category A6 - Security Misconfiguration </li>
<li> <a href="https://www.securecoding.cert.org/confluence/x/VwAZAg">CERT, MSC61-J.</a> - Do not use insecure or weak cryptographic algorithms </li>
<li> Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#DES_USAGE">DES / DESede Unsafe</a> </li>
</ul>
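Review bot: DES/DESede is a broken algorithm (CWE-327 on the line above), which OWASP Top 10 2017 files under A3 Sensitive Data Exposure; moving it to "A6 - Security Misconfiguration" misclassifies it, the same problem as the NullCipher hunk. The `MITRE CWE-326` to `MITRE, CWE-326` comma fix is fine.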
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
<p>If the reference to the outer class isn't used, it is more efficient to make the inner class <code>static</code> (also called nested). If the
reference is used only in the class constructor, then explicitly pass a class reference to the constructor. If the inner class is anonymous, it will
also be necessary to name it. </p>
<p>However, while a nested/<code>static</code> class would be more efficient, it's worth nothing that there are semantic differences between an inner
<p>However, while a nested/<code>static</code> class would be more efficient, it's worth noting that there are semantic differences between an inner
class and a nested one:</p>
<ul>
<li> an inner class can only be instantiated within the context of an instance of the outer class. </li>
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<p>A <code>catch</code> clause that only rethrows the caught exception has the same effect as omitting the <code>catch</code> altogether and letting
it bubble up automatically, but with more code and the additional detrement of leaving maintainers scratching their heads. </p>
it bubble up automatically, but with more code and the additional detriment of leaving maintainers scratching their heads. </p>
<p>Such clauses should either be eliminated or populated with the appropriate logic.</p>
<h2>Noncompliant Code Example</h2>
<pre>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ <h2>Noncompliant Code Example</h2>
int i = 1;

int j = - - -i; // Noncompliant; just use -i
int k = ~~~i; // Noncompliant; same as i
int k = ~~~i; // Noncompliant; same as i
int m = + +i; // Noncompliant; operators are useless here

boolean b = false;
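Review bot: the `~~~i` line still carries `// Noncompliant; same as i`, but three bitwise complements equal `~i`, not `i` (only an even number of `~` cancels out); the Compliant Solution in the next hunk is corrected to `int k = ~i;`, so this comment should read `same as ~i` to match. As shown, the line is otherwise identical, so the change here is whitespace only.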
Expand All @@ -18,7 +18,7 @@ <h2>Compliant Solution</h2>
int i = 1;

int j = -i;
int k = i;
int k = ~i;
int m = i;

boolean b = false;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@
"tags": [
"owasp-a9"
],
"standards": [
"OWASP Top Ten"
],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-2976",
"sqKey": "S2976"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,9 @@
"constantCost": "5min"
},
"tags": [
"spring",
"design",
"jee",
"pitfall"
],
"defaultSeverity": "Major",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,5 +9,6 @@ <h2>Noncompliant Code Example</h2>
<h2>See</h2>
<ul>
<li> <a href="http://cwe.mitre.org/data/definitions/501">MITRE, CWE-501</a> - Trust Boundary Violation </li>
<li> OWASP Top 10 2017 Category A3 - Sensitive Data Exposure </li>
</ul>

Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,12 @@
"constantCost": "20min"
},
"tags": [
"cwe"
"cwe",
"owasp-a3"
],
"standards": [
"CWE"
"CWE",
"OWASP Top Ten"
],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-3318",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,6 @@
<h2>See</h2>
<ul>
<li> <a href="https://cwe.mitre.org/data/definitions/284.html">MITRE, CWE-284</a> - Improper Access Control </li>
<li> OWASP Top 10 2017 Category A6 - Broken Access Control </li>
<li> OWASP Top 10 2017 Category A5 - Broken Access Control </li>
</ul>

Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"cwe",
"websphere",
"jee",
"owasp-a7"
"owasp-a5"
],
"standards": [
"CWE",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,8 @@ <h2>Noncompliant Code Example</h2>
}
}
</pre>
<h2>See</h2>
<ul>
<li> OWASP Top 10 2017 Category A3 - Sensitive Data Exposure </li>
</ul>

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,11 @@
"constantCost": "15min"
},
"tags": [
"spring"
"spring",
"owasp-a3"
],
"standards": [
"OWASP Top Ten"
],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-3749",
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<p>Java 8 Introduced <code>ThreadLocal.withInitial</code> which is a simpler alternative to creating an anonymous inner class to initialise a
<p>Java 8 introduced <code>ThreadLocal.withInitial</code> which is a simpler alternative to creating an anonymous inner class to initialise a
<code>ThreadLocal</code> instance.</p>
<p>This rule raises an issue when a <code>ThreadLocal</code> anonymous inner class can be replaced by a call to
<code>ThreadLocal.withInitial</code>.</p>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,6 @@ <h2>Compliant Solution</h2>
&nbsp;&nbsp;// ...
}
</pre>
<h2>Deprecated</h2>
<p>This rule is deprecated, and will eventually be removed.</p>
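Review bot: the new Deprecated section says the rule "will eventually be removed" but gives no reason and no replacement; add a sentence naming the rule that supersedes it or the reason (for example a false-positive rate), since a user reading the deprecation needs that to act on it.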

Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{
"title": "Duplicate values should not be passed as arguments",
"type": "CODE_SMELL",
"status": "ready",
"status": "deprecated",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"suspicious"

],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-4142",
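Review bot: removing `"suspicious"` leaves an empty line inside the `tags` array between `"tags": [` and `],`. That is still valid JSON, but it reads as an accidental deletion; write `"tags": []` or delete the blank line.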
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,4 +21,14 @@ <h2>Compliant Solution</h2>
SecureRandom sr = new SecureRandom();
int v = sr.next(32);
</pre>
<h2>See</h2>
<ul>
<li> <a href="http://cwe.mitre.org/data/definitions/330.html">MITRE, CWE-330</a> - Use of Insufficiently Random Values </li>
<li> <a href="http://cwe.mitre.org/data/definitions/332.html">MITRE, CWE-332</a> - Insufficient Entropy in PRNG </li>
<li> <a href="http://cwe.mitre.org/data/definitions/336.html">MITRE, CWE-336</a> - Same Seed in Pseudo-Random Number Generator (PRNG) </li>
<li> <a href="http://cwe.mitre.org/data/definitions/337.html">MITRE, CWE-337</a> - Predictable Seed in Pseudo-Random Number Generator (PRNG) </li>
<li> OWASP Top 10 2017 Category A6 - Security Misconfiguration </li>
<li> <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC63J.+Ensure+that+SecureRandom+is+properly+seeded">CERT, MSC63J.</a> - Ensure that
SecureRandom is properly seeded </li>
</ul>
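Review bot: the context lines show `int v = sr.next(32);` as the Compliant Solution, but `next(int)` is a `protected` method of `java.util.Random`, so this does not compile from client code; use `sr.nextInt()`. Also, the new MSC63J entry links to `wiki.sei.cmu.edu` while every other CERT entry in this diff uses `securecoding.cert.org`; the SEI wiki is where the CERT content now lives, so prefer migrating the others rather than mixing the two hosts.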

Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,15 @@
"constantCost": "2min"
},
"tags": [
"security",
"cwe",
"cert",
"owasp-a6",
"pitfall"
],
"standards": [
"CWE",
"OWASP Top Ten"
],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-4347",
"sqKey": "S4347"
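Review bot: `"security"` is added as a tag here, but none of the other security rules touched in this diff (the `owasp-a3` and `owasp-a5` hunks above) carry it; either it is a convention all of them should follow or it should be dropped from this one.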
Expand Down
2 changes: 1 addition & 1 deletion sonarpedia.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,5 @@
"languages": [
"JAVA"
],
"latest-update": "2018-02-15T07:57:14.924Z"
"latest-update": "2018-03-16T13:47:19.824Z"
}