From 30cc6f99d928a1ba9af35919ef431d7c1c25e9a4 Mon Sep 17 00:00:00 2001
From: Michael Gumowski
Date: Fri, 16 Mar 2018 14:53:49 +0100
Subject: [PATCH] SONARJAVA-2658 Update rule metadata
---
.../l10n/java/rules/squid/S1116_java.html | 6 +---
.../l10n/java/rules/squid/S1121_java.html | 2 --
.../l10n/java/rules/squid/S1854_java.html | 34 +++++--------------
.../l10n/java/rules/squid/S1989_java.json | 2 +-
.../l10n/java/rules/squid/S2070_java.html | 3 +-
.../l10n/java/rules/squid/S2076_java.html | 2 --
.../l10n/java/rules/squid/S2092_java.json | 4 +--
.../l10n/java/rules/squid/S2245_java.json | 2 +-
.../l10n/java/rules/squid/S2254_java.html | 2 --
.../l10n/java/rules/squid/S2257_java.json | 4 +--
.../l10n/java/rules/squid/S2258_java.html | 7 ++--
.../l10n/java/rules/squid/S2277_java.json | 2 +-
.../l10n/java/rules/squid/S2278_java.html | 6 ++--
.../l10n/java/rules/squid/S2694_java.html | 2 +-
.../l10n/java/rules/squid/S2737_java.html | 2 +-
.../l10n/java/rules/squid/S2761_java.html | 4 +--
.../l10n/java/rules/squid/S2976_java.json | 3 ++
.../l10n/java/rules/squid/S3306_java.json | 2 ++
.../l10n/java/rules/squid/S3318_java.html | 1 +
.../l10n/java/rules/squid/S3318_java.json | 6 ++--
.../l10n/java/rules/squid/S3369_java.html | 2 +-
.../l10n/java/rules/squid/S3369_java.json | 2 +-
.../l10n/java/rules/squid/S3749_java.html | 4 +++
.../l10n/java/rules/squid/S3749_java.json | 6 +++-
.../l10n/java/rules/squid/S4065_java.html | 2 +-
.../l10n/java/rules/squid/S4142_java.html | 2 ++
.../l10n/java/rules/squid/S4142_java.json | 4 +--
.../l10n/java/rules/squid/S4347_java.html | 10 ++++++
.../l10n/java/rules/squid/S4347_java.json | 8 ++++-
sonarpedia.json | 2 +-
30 files changed, 71 insertions(+), 67 deletions(-)
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1116_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1116_java.html
index b8f160f96ef..e47d4cf7a33 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1116_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1116_java.html
@@ -12,8 +12,6 @@ Noncompliant Code Example
void doSomethingElse() {
System.out.println("Hello, world!");; // Noncompliant - double ;
...
- for (int i = 0; i < 3; System.out.println(i), i++); // Noncompliant - Rarely, they are used on purpose as the body of a loop. It is a bad practice to have side-effects outside of the loop body
- ...
}
Compliant Solution
@@ -23,9 +21,7 @@ Compliant Solution
void doSomethingElse() {
System.out.println("Hello, world!");
...
- for (int i = 0; i < 3; i++){
- System.out.println(i);
- }
+ for (int i = 0; i < 3; i++) ; // compliant if unique statement of a loop
...
}
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1121_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1121_java.html
index dc16bc731ea..086dff5d295 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1121_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1121_java.html
@@ -33,7 +33,5 @@ See
CERT, EXP45-C. - Do not perform assignments in selection statements
CERT, EXP51-J. - Do not perform assignments in conditional expressions
- CERT, EXP19-CPP. - Do not perform assignments in conditional expressions
-
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1854_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1854_java.html
index 9e611a02362..4dc130443d1 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1854_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1854_java.html
@@ -1,36 +1,18 @@
-A dead store happens when a local variable is assigned a value, including null, that is not read by any subsequent instruction.
-Calculating or retrieving a value only to then overwrite it or throw it away, could indicate a serious error in the code. Even if it's not an error,
-it is at best a waste of resources.
-Even assigning null to a variable is a dead store if the variable is not subsequently used. Assigning null as a hint to the garbage
-collector used to be common practice, but is no longer needed and such code should be eliminated.
+A dead store happens when a local variable is assigned a value that is not read by any subsequent instruction. Calculating or retrieving a value
+only to then overwrite it or throw it away, could indicate a serious error in the code. Even if it's not an error, it is at best a waste of resources.
+Therefore all calculated values should be used.
Noncompliant Code Example
-public void pow(int a, int b) {
- if(b == 0) {
- return 0;
- }
- int x = a;
- for(int i= 1, i < b, i++) {
- x = x * a; //Dead store because the last return statement should return x instead of returning a
- }
- return a;
-}
+i = a + b; // Noncompliant; calculation result not used before value is overwritten
+i = compute();
Compliant Solution
-public void pow(int a, int b) {
- if(b == 0) {
- return 0;
- }
- int x = a;
- for(int i= 1, i < b, i++) {
- x = x * a;
- }
- return x;
-}
+i = a + b;
+i += compute();
Exceptions
-This rule ignores initializations to -1, 0, 1, null, empty string (""), true, and false.
+This rule ignores initializations to -1, 0, 1, null, true, false and "".
See
- MITRE, CWE-563 - Assignment to Variable without Use ('Unused Variable')
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1989_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1989_java.json
index a798e44f2d5..f5a9742e8b7 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1989_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1989_java.json
@@ -10,7 +10,7 @@
"cwe",
"error-handling",
"cert",
- "owasp-a6"
+ "owasp-a3"
],
"standards": [
"CWE",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2070_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2070_java.html
index 2d32653f7a9..36c7b4d35f9 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2070_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2070_java.html
@@ -25,8 +25,7 @@ See
- MITRE, CWE-328 - Reversible One-Way Hash
- MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
- - OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
+ - OWASP Top 10 2017 Category A6 - Security Misconfiguration
- SANS Top 25 - Porous Defenses
- - Derived from FindSecBugs rule MessageDigest Is Weak
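Review bot: The mapping changed on `+ - OWASP Top 10 2017 Category A6 - Security Misconfiguration` moves this weak-hash rule from A3 to A6, while the same patch moves the JSON tags of the sibling crypto rules S2245 and S2257 from owasp-a6 to owasp-a3, so one of the two directions looks wrong. In OWASP Top 10 2017 the use of weak or broken cryptographic algorithms is described under A3 (Sensitive Data Exposure), which makes the previous A3 reference here, and likewise for the A6 lines added to S2258 (NullCipher) and S2278 (DES), appear to be the better fit. The S2070_java.json tags are not part of this patch, so whether this rule's "See" section and its JSON tags still agree cannot be checked from here. If these resources are generated from RSPEC by the rule-api, the correction belongs upstream in the RSPEC entries rather than in a hand edit of these files.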
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2076_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2076_java.html
index acff3f5423c..ae2d8813c62 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2076_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2076_java.html
@@ -27,7 +27,5 @@ See
- MITRE, CWE-88 - Argument Injection or Modification
- OWASP Top 10 2017 Category A1 - Injection
- SANS Top 25 - Insecure Interaction Between Components
- - Derived from the FindSecBugs rule Potential Command Injection
-
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2092_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2092_java.json
index 76458f869a8..137a8a997f7 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2092_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2092_java.json
@@ -8,8 +8,8 @@
},
"tags": [
"cwe",
- "owasp-a6",
- "owasp-a2"
+ "owasp-a2",
+ "owasp-a3"
],
"standards": [
"CWE",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2245_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2245_java.json
index 8c5b39d9234..6d9bc0589cc 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2245_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2245_java.json
@@ -9,7 +9,7 @@
"tags": [
"cwe",
"cert",
- "owasp-a6"
+ "owasp-a3"
],
"standards": [
"CWE",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2254_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2254_java.html
index ccfda32ff0c..c247f7a454f 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2254_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2254_java.html
@@ -26,7 +26,5 @@ See
MITRE, CWE-807 - Reliance on Untrusted Inputs in a Security Decision
SANS Top 25 - Porous Defenses
OWASP Top 10 2017 Category A2 - Broken Authentication
- Derived from FindSecBugs rule Untrusted Session Cookie Value
-
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2257_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2257_java.json
index 8383d46da7b..f2bbd1671ab 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2257_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2257_java.json
@@ -8,8 +8,8 @@
},
"tags": [
"cwe",
- "owasp-a6",
- "sans-top25-porous"
+ "sans-top25-porous",
+ "owasp-a3"
],
"standards": [
"CWE",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2258_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2258_java.html
index 7e17ecee3e9..b736d0e33b0 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2258_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2258_java.html
@@ -2,12 +2,11 @@
any way. As a consequence, the ciphertext is identical to the plaintext. So this class should be used for testing, and never in production code.
Noncompliant Code Example
-NullCipher nc=new NullCipher();
+NullCipher nc = new NullCipher();
See
- - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- - OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- - Derived from FindSecBugs rule NullCipher Unsafe
+ - CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
+ - OWASP Top 10 2017 Category A6 - Security Misconfiguration
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2277_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2277_java.json
index f5ced6a1774..d3685b5332d 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2277_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2277_java.json
@@ -10,7 +10,7 @@
"cwe",
"owasp-a6",
"sans-top25-porous",
- "owasp-a5"
+ "owasp-a3"
],
"standards": [
"CWE",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2278_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2278_java.html
index e559fa898d3..34c237ae6ea 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2278_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2278_java.html
@@ -15,9 +15,9 @@ Compliant Solution
See
- - MITRE CWE-326 - Inadequate Encryption Strength
- - MITRE CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
- - OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
+ - MITRE, CWE-326 - Inadequate Encryption Strength
+ - MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
+ - OWASP Top 10 2017 Category A6 - Security Misconfiguration
- CERT, MSC61-J. - Do not use insecure or weak cryptographic algorithms
- Derived from FindSecBugs rule DES / DESede Unsafe
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2694_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2694_java.html
index 5433f2e73c0..31a92716737 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2694_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2694_java.html
@@ -3,7 +3,7 @@
If the reference to the outer class isn't used, it is more efficient to make the inner class static (also called nested). If the
reference is used only in the class constructor, then explicitly pass a class reference to the constructor. If the inner class is anonymous, it will
also be necessary to name it.
-However, while a nested/static class would be more efficient, it's worth nothing that there are semantic differences between an inner
+
However, while a nested/static class would be more efficient, it's worth noting that there are semantic differences between an inner
class and a nested one:
- an inner class can only be instantiated within the context of an instance of the outer class.
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2737_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2737_java.html
index 6f4b0af7605..be8f861754b 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2737_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2737_java.html
@@ -1,5 +1,5 @@
A catch clause that only rethrows the caught exception has the same effect as omitting the catch altogether and letting
-it bubble up automatically, but with more code and the additional detrement of leaving maintainers scratching their heads.
+it bubble up automatically, but with more code and the additional detriment of leaving maintainers scratching their heads.
Such clauses should either be eliminated or populated with the appropriate logic.
Noncompliant Code Example
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2761_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2761_java.html
index 7d99a685cbf..a467d2dd86d 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2761_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2761_java.html
@@ -7,7 +7,7 @@ Noncompliant Code Example
int i = 1;
int j = - - -i; // Noncompliant; just use -i
-int k = ~~~i; // Noncompliant; same as i
+int k = ~~~i; // Noncompliant; same as i
int m = + +i; // Noncompliant; operators are useless here
boolean b = false;
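Review bot: The re-added line `int k = ~~~i; // Noncompliant; same as i` still carries a wrong comment: three bitwise complements collapse to a single one, so the expression equals `~i`, not `i`. The second hunk of this file changes the compliant solution to `int k = ~i;`, which confirms the intent, so this comment should read `int k = ~~~i; // Noncompliant; same as ~i`. As written, the noncompliant and compliant examples contradict each other for the reader.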
@@ -18,7 +18,7 @@ Compliant Solution
int i = 1;
int j = -i;
-int k = i;
+int k = ~i;
int m = i;
boolean b = false;
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2976_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2976_java.json
index 4825e7c436c..0372211aadf 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2976_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S2976_java.json
@@ -9,6 +9,9 @@
"tags": [
"owasp-a9"
],
+ "standards": [
+ "OWASP Top Ten"
+ ],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-2976",
"sqKey": "S2976"
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3306_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3306_java.json
index c8903a1477a..ea20ec97011 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3306_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3306_java.json
@@ -7,7 +7,9 @@
"constantCost": "5min"
},
"tags": [
+ "spring",
"design",
+ "jee",
"pitfall"
],
"defaultSeverity": "Major",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3318_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3318_java.html
index cf8da4ac433..cfffbf77f17 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3318_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3318_java.html
@@ -9,5 +9,6 @@ Noncompliant Code Example
See
- MITRE, CWE-501 - Trust Boundary Violation
+ - OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3318_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3318_java.json
index 73fe7b71b56..97a0d23f8eb 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3318_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3318_java.json
@@ -7,10 +7,12 @@
"constantCost": "20min"
},
"tags": [
- "cwe"
+ "cwe",
+ "owasp-a3"
],
"standards": [
- "CWE"
+ "CWE",
+ "OWASP Top Ten"
],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-3318",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3369_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3369_java.html
index da1aebb8a8a..7cbb4be9590 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3369_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3369_java.html
@@ -4,6 +4,6 @@
See
- MITRE, CWE-284 - Improper Access Control
- - OWASP Top 10 2017 Category A6 - Broken Access Control
+ - OWASP Top 10 2017 Category A5 - Broken Access Control
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3369_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3369_java.json
index 9f5f72f53d9..320b198cdb8 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3369_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3369_java.json
@@ -10,7 +10,7 @@
"cwe",
"websphere",
"jee",
- "owasp-a7"
+ "owasp-a5"
],
"standards": [
"CWE",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3749_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3749_java.html
index b2b69247d38..3c77f1e62c0 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3749_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3749_java.html
@@ -30,4 +30,8 @@ Noncompliant Code Example
}
}
+See
+
+ - OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
+
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3749_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3749_java.json
index f7ad23bf6a1..a0fd0301821 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3749_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S3749_java.json
@@ -7,7 +7,11 @@
"constantCost": "15min"
},
"tags": [
- "spring"
+ "spring",
+ "owasp-a3"
+ ],
+ "standards": [
+ "OWASP Top Ten"
],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-3749",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4065_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4065_java.html
index 462e7602208..e3fa03271f6 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4065_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4065_java.html
@@ -1,4 +1,4 @@
-Java 8 Introduced ThreadLocal.withInitial which is a simpler alternative to creating an anonymous inner class to initialise a
+
Java 8 introduced ThreadLocal.withInitial which is a simpler alternative to creating an anonymous inner class to initialise a
ThreadLocal instance.
This rule raises an issue when a ThreadLocal anonymous inner class can be replaced by a call to
ThreadLocal.withInitial.
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4142_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4142_java.html
index b07e7f2840f..af540a07fa4 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4142_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4142_java.html
@@ -22,4 +22,6 @@ Compliant Solution
// ...
}
+Deprecated
+This rule is deprecated, and will eventually be removed.
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4142_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4142_java.json
index 376716d3a76..a0e44787fc6 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4142_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4142_java.json
@@ -1,13 +1,13 @@
{
"title": "Duplicate values should not be passed as arguments",
"type": "CODE_SMELL",
- "status": "ready",
+ "status": "deprecated",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
- "suspicious"
+
],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-4142",
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4347_java.html b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4347_java.html
index 2b24f91f159..a046f5bff07 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4347_java.html
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4347_java.html
@@ -21,4 +21,14 @@ Compliant Solution
SecureRandom sr = new SecureRandom();
int v = sr.next(32);
+See
+
+ - MITRE, CWE-330 - Use of Insufficiently Random Values
+ - MITRE, CWE-332 - Insufficient Entropy in PRNG
+ - MITRE, CWE-336 - Same Seed in Pseudo-Random Number Generator (PRNG)
+ - MITRE, CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)
+ - OWASP Top 10 2017 Category A6 - Security Misconfiguration
+ - CERT, MSC63J. - Ensure that
+ SecureRandom is properly seeded
+
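Review bot: The CERT citation added as `CERT, MSC63J. - Ensure that SecureRandom is properly seeded` lacks the hyphen used by the other CERT references in this patch (`CERT, MSC61-J.` in S2278); the identifier is presumably MSC63-J, so the text should read `CERT, MSC63-J. - Ensure that SecureRandom is properly seeded`. The anchor target is not visible in the hunk, so whether the link itself is affected cannot be checked here. The split of the title across two lines may only be the diff rendering of the markup.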
diff --git a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4347_java.json b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4347_java.json
index a59470858f5..5d539ac88b0 100644
--- a/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4347_java.json
+++ b/java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S4347_java.json
@@ -7,9 +7,15 @@
"constantCost": "2min"
},
"tags": [
- "security",
+ "cwe",
+ "cert",
+ "owasp-a6",
"pitfall"
],
+ "standards": [
+ "CWE",
+ "OWASP Top Ten"
+ ],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-4347",
"sqKey": "S4347"
diff --git a/sonarpedia.json b/sonarpedia.json
index a611ae47c32..c37c0270d70 100644
--- a/sonarpedia.json
+++ b/sonarpedia.json
@@ -3,5 +3,5 @@
"languages": [
"JAVA"
],
- "latest-update": "2018-02-15T07:57:14.924Z"
+ "latest-update": "2018-03-16T13:47:19.824Z"
}
\ No newline at end of file