SONARKT-664 Update rules metadata

Author: Godin

sonar-kotlin-plugin/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "KOTLIN"
   ],
-  "latest-update": "2025-05-23T10:23:16.597800Z",
+  "latest-update": "2025-07-12T19:40:22.641523Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S1313.html

@@ -1,7 +1,7 @@
 <p>Hardcoding IP addresses is security-sensitive. It has led in the past to the following vulnerabilities:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5901">CVE-2006-5901</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3725">CVE-2005-3725</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2006-5901">CVE-2006-5901</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2005-3725">CVE-2005-3725</a> </li>
 </ul>
 <p>Today’s services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always
 have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development,

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S2068.html

@@ -2,13 +2,12 @@
 for applications that are distributed or that are open-source.</p>
 <p>In the past, it has led to the following vulnerabilities:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466">CVE-2019-13466</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389">CVE-2018-15389</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2019-13466">CVE-2019-13466</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2018-15389">CVE-2018-15389</a> </li>
 </ul>
 <p>Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.</p>
 <p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
 strings, and for variable names that match any of the patterns from the provided list.</p>
-<p>It’s recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", …​</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> Credentials allow access to a sensitive component like a database, a file storage, an API or a service. </li>

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S2245.html

@@ -7,9 +7,9 @@
 values that must remain confidential and resistant to guessing attacks.</p>
 <p>For example, the use of non-cryptographic PRNGs has led to vulnerabilities such as:</p>
 <ul>
-  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386">CVE-2013-6386</a> </li>
-  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419">CVE-2006-3419</a> </li>
-  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102">CVE-2008-4102</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2013-6386">CVE-2013-6386</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2006-3419">CVE-2006-3419</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2008-4102">CVE-2008-4102</a> </li>
 </ul>
 <p>When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that
 will be generated, and use this guess to impersonate another user or access sensitive information. Therefore, it is critical to use CSPRNGs in any

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5320.html

@@ -1,6 +1,6 @@
 <p>In Android applications, broadcasting intents is security-sensitive. For example, it has led in the past to the following vulnerability:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9489">CVE-2018-9489</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2018-9489">CVE-2018-9489</a> </li>
 </ul>
 <p>By default, broadcasted intents are visible to every application, exposing all sensitive information they contain.</p>
 <p>This rule raises an issue when an intent is broadcasted without specifying any "receiver permission".</p>

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5322.html

@@ -1,8 +1,8 @@
 <p>Android applications can receive broadcasts from the system or other applications. Receiving intents is security-sensitive. For example, it has led
 in the past to the following vulnerabilities:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1677">CVE-2019-1677</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1275">CVE-2015-1275</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2019-1677">CVE-2019-1677</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2015-1275">CVE-2015-1275</a> </li>
 </ul>
 <p>Receivers can be declared in the manifest or in the code to make them context-specific. If the receiver is declared in the manifest Android will
 start the application if it is not already running once a matching broadcast is received. The receiver is an entry point into the application.</p>

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6418.html

@@ -2,8 +2,8 @@
 applications that are distributed or that are open-source.</p>
 <p>In the past, it has led to the following vulnerabilities:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25510">CVE-2022-25510</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42635">CVE-2021-42635</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2022-25510">CVE-2022-25510</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2021-42635">CVE-2021-42635</a> </li>
 </ul>
 <p>Secrets should be stored outside of the source code in a configuration file or a management service for secrets.</p>
 <p>This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a
@@ -87,6 +87,8 @@ <h2>See</h2>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication">Top 10 2017 Category A2 - Broken Authentication</a>
   </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage.html">Mobile Top 10 2024 Category M1 -
+  Improper Credential Usage</a> </li>
   <li> MSC - <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">MSC03-J - Never hard code sensitive information</a> </li>
 </ul>
 

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6418.json

@@ -32,6 +32,9 @@
     "OWASP Top 10 2021": [
       "A7"
     ],
+    "OWASP Mobile Top 10 2024": [
+      "M1"
+    ],
     "PCI DSS 3.2": [
       "6.5.10"
     ],

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7409.json

@@ -29,7 +29,7 @@
       79
     ]
   },
-  "quickfix": "partial",
+  "quickfix": "unknown",
   "code": {
     "impacts": {
       "SECURITY": "MEDIUM"