SONARKT-645 Update rules metadata

Godin · web-flow · commit f9d8f13d3da9 · 2025-05-23T12:52:10.000+02:00
diff --git a/sonar-kotlin-plugin/sonarpedia.json b/sonar-kotlin-plugin/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "KOTLIN"
   ],
-  "latest-update": "2025-04-03T13:07:10.743415Z",
+  "latest-update": "2025-05-23T10:23:16.597800Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S104.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S104.json
@@ -13,6 +13,7 @@
     "constantCost": "1h"
   },
   "tags": [
+    "architecture",
     "brain-overload"
   ],
   "defaultSeverity": "Major",
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S1313.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S1313.html
@@ -41,8 +41,8 @@ <h2>Exceptions</h2>
   <li> Loopback addresses 127.0.0.0/8 in CIDR notation (from 127.0.0.0 to 127.255.255.255) </li>
   <li> Broadcast address 255.255.255.255 </li>
   <li> Non-routable address 0.0.0.0 </li>
-  <li> Strings of the form <code>2.5.&lt;number&gt;.&lt;number&gt;</code> as they <a href="http://www.oid-info.com/introduction.htm">often match
-  Object Identifiers</a> (OID) </li>
+  <li> Strings of the form <code>2.5.&lt;number&gt;.&lt;number&gt;</code> as they <a href="https://en.wikipedia.org/wiki/Object_identifier">often
+  match Object Identifiers</a> (OID) </li>
   <li> Addresses in the ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, reserved for documentation purposes by <a
   href="https://datatracker.ietf.org/doc/html/rfc5737">RFC 5737</a> </li>
   <li> Addresses in the range 2001:db8::/32, reserved for documentation purposes by <a href="https://datatracker.ietf.org/doc/html/rfc3849">RFC
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S138.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S138.json
@@ -13,6 +13,7 @@
     "constantCost": "20min"
   },
   "tags": [
+    "architecture",
     "brain-overload"
   ],
   "defaultSeverity": "Major",
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S2053.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S2053.html
@@ -71,7 +71,7 @@ <h3>Standards</h3>
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/759">CWE-759 - Use of a One-Way Hash without a Salt</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/760">CWE-760 - Use of a One-Way Hash with a Predictable Salt</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222542">Application Security and
   Development: V-222542</a> - The application must only store cryptographic representations of passwords. </li>
 </ul>
 
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S3776.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S3776.json
@@ -15,6 +15,7 @@
     "linearFactor": "1min"
   },
   "tags": [
+    "architecture",
     "brain-overload"
   ],
   "defaultSeverity": "Critical",
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S4830.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S4830.html
@@ -111,7 +111,7 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-NETWORK/">Mobile AppSec Verification Standard - Network Communication Requirements</a>
   </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/295">CWE-295 - Improper Certificate Validation</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222550">Application Security and
   Development: V-222550</a> - The application must validate certificates by constructing a certification path to an accepted trust anchor. </li>
   <li> CERT - <a
   href="https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms">https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms</a> </li>
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5324.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5324.html
@@ -3,7 +3,7 @@
 <p>Files created on the external storage are globally readable and writable. Therefore, a malicious application having the permissions
 <code>WRITE_EXTERNAL_STORAGE</code> or <code>READ_EXTERNAL_STORAGE</code> could try to read sensitive information from the files that other
 applications have stored on the external storage.</p>
-<p>External storage can also be removed by the user (e.g when based on SD card) making the files unavailable to the application.</p>
+<p>External storage can also be removed by the user (e.g. when based on SD card) making the files unavailable to the application.</p>
 <h2>Ask Yourself Whether</h2>
 <p>Your application uses external storage to:</p>
 <ul>
@@ -22,7 +22,7 @@ <h2>Recommended Secure Coding Practices</h2>
   <li> As some external storage can be removed, make sure to never store files on it that are critical for the usability of your application. </li>
 </ul>
 <h2>Sensitive Code Example</h2>
-<pre>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 import android.content.Context
 
 class AccessExternalFiles {
@@ -33,7 +33,7 @@ <h2>Sensitive Code Example</h2>
 }
 </pre>
 <h2>Compliant Solution</h2>
-<pre>
+<pre data-diff-id="1" data-diff-type="compliant">
 import android.content.Context
 import android.os.Environment
 
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5332.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5332.html
@@ -77,7 +77,7 @@ <h2>Sensitive Code Example</h2>
 </pre>
 <h2>Compliant Solution</h2>
 <p>Use instead these clients from <a href="https://commons.apache.org/proper/commons-net/">Apache commons net</a> and <a
-href="http://www.jcraft.com/jsch/">JSch/ssh</a> library:</p>
+href="https://github.com/mwiede/jsch">JSch</a> library:</p>
 <pre>
 JSch jsch = JSch();
 
@@ -145,27 +145,27 @@ <h3>Standards</h3>
   Communication</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/200">CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/319">CWE-319 - Cleartext Transmission of Sensitive Information</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222397">Application Security and
   Development: V-222397</a> - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222534">Application Security and
   Development: V-222534</a> - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222562">Application Security and
   Development: V-222562</a> - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of
   maintenance and diagnostic communications. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222563">Application Security and
   Development: V-222563</a> - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of
   maintenance and diagnostic communications. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222577">Application Security and
   Development: V-222577</a> - The application must not expose session IDs. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222596">Application Security and
   Development: V-222596</a> - The application must protect the confidentiality and integrity of transmitted information. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222597">Application Security and
   Development: V-222597</a> - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect
   changes to information during transmission. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222598">Application Security and
   Development: V-222598</a> - The application must maintain the confidentiality and integrity of information during preparation for transmission.
   </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222599">Application Security and
   Development: V-222599</a> - The application must maintain the confidentiality and integrity of information during reception. </li>
 </ul>
 
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5344.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5344.html
@@ -70,7 +70,7 @@ <h3>Standards</h3>
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/256">CWE-256 - Plaintext Storage of a Password</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/916">CWE-916 - Use of Password Hash With Insufficient Computational Effort</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222542">Application Security and
   Development: V-222542</a> - The application must only store cryptographic representations of passwords. </li>
 </ul>
 
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5344.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5344.json
@@ -53,5 +53,5 @@
       "V-222542"
     ]
   },
-  "quickfix": "unknown"
+  "quickfix": "targeted"
 }
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5527.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5527.html
@@ -103,7 +103,7 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication">Mobile Top 10 2024 Category M5 - Insecure
   Communication</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/297">CWE-297 - Improper Validation of Certificate with Host Mismatch</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222550">Application Security and
   Development: V-222550</a> - The application must validate certificates by constructing a certification path to an accepted trust anchor. </li>
   <li> <a
   href="https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms">https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms</a> </li>
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5547.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5547.html
@@ -77,7 +77,7 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography">Mobile Top 10 2024 Category M10 -
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/327">CWE-327 - Use of a Broken or Risky Cryptographic Algorithm</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222396">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222396">Application Security and
   Development: V-222396</a> - The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. </li>
 </ul>
 
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6291.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6291.html
@@ -1,3 +1,4 @@
+<p>This rule is deprecated, and will eventually be removed.</p>
 <p>Storing data locally is a common task for mobile applications. Such data includes preferences or authentication tokens for external services, among
 other things. There are many convenient solutions that allow storing data persistently, for example SQLiteDatabase, SharedPreferences, and Realm. By
 default these systems store the data unencrypted, thus an attacker with physical access to the device can read them out easily. Access to sensitive
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6291.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6291.json
@@ -7,15 +7,12 @@
     },
     "attribute": "TRUSTWORTHY"
   },
-  "status": "ready",
+  "status": "deprecated",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "10min"
   },
-  "tags": [
-    "cwe",
-    "android"
-  ],
+  "tags": [],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-6291",
   "sqKey": "S6291",
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6300.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6300.html
@@ -1,3 +1,4 @@
+<p>This rule is deprecated, and will eventually be removed.</p>
 <p>Storing files locally is a common task for mobile applications. Files that are stored unencrypted can be read out and modified by an attacker with
 physical access to the device. Access to sensitive data can be harmful for the user of the application, for example when the device gets stolen.</p>
 <h2>Ask Yourself Whether</h2>
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6300.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6300.json
@@ -7,15 +7,12 @@
     },
     "attribute": "TRUSTWORTHY"
   },
-  "status": "ready",
+  "status": "deprecated",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "10min"
   },
-  "tags": [
-    "cwe",
-    "android"
-  ],
+  "tags": [],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-6300",
   "sqKey": "S6300",
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6363.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6363.html
@@ -65,8 +65,8 @@ <h2>Compliant Solution</h2>
 )
 </pre>
 <p>The compliant solution uses <code>WebViewAssetLoader</code> to load local files instead of directly accessing them via <code>file://</code> URLs.
-This approach serves assets over a secure <code><a href="https://appassets.androidplatform.net">https://appassets.androidplatform.net</a></code> URL,
-effectively isolating the WebView from the local file system.</p>
+This approach serves assets over a secure <code>https://appassets.androidplatform.net</code> URL, effectively isolating the WebView from the local
+file system.</p>
 <p>The file access settings are disabled by default in modern Android versions. To prevent possible security issues in
 <code>Build.VERSION_CODES.Q</code> and earlier, it is still recommended to explicitly set those values to false.</p>
 <h2>See</h2>
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6474.html b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6474.html
@@ -65,7 +65,7 @@ <h2>See</h2>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m2-inadequate-supply-chain-security">Mobile Top 10 2024 Category M2 -
   Inadequate Supply Chain Security</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/494">CWE-494 - Download of Code Without Integrity Check</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222618">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222618">Application Security and
   Development: V-222618</a> - Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy. </li>
   <li> Gradle - <a href="https://docs.gradle.org/current/userguide/dependency_verification.html">Verifying dependencies</a> </li>
 </ul>
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7409.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7409.json
@@ -1,5 +1,5 @@
 {
-  "title": "Exposing Java objects through JavaScript interfaces is security-sensitive",
+  "title": "Exposing native code through JavaScript interfaces is security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "remediation": {
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7435.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7435.json
@@ -24,7 +24,7 @@
       213
     ]
   },
-  "quickfix": "unknown",
+  "quickfix": "infeasible",
   "code": {
     "impacts": {
       "SECURITY": "LOW"
diff --git a/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/Sonar_way_profile.json b/sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/Sonar_way_profile.json
@@ -78,9 +78,7 @@
     "S6207",
     "S6218",
     "S6288",
-    "S6291",
     "S6293",
-    "S6300",
     "S6301",
     "S6305",
     "S6306",
