Update rules metadata (SonarSource#862)

guillaume-dequenne · web-flow · commit f9b6e449a403 · 2020-08-28T14:15:58.000+02:00
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S100.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S100.html
@@ -1,7 +1,7 @@
 <p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that all method
 names match a provided regular expression.</p>
 <h2>Noncompliant Code Example</h2>
-<p>With default provided regular expression: ^[a-z_][a-z0-9_]{2,30}$</p>
+<p>With default provided regular expression: <code>^[a-z_][a-z0-9_]*$</code></p>
 <pre>
 class MyClass:
     def MyMethod(a,b):
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S107.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S107.html
@@ -11,4 +11,7 @@ <h2>Compliant Solution</h2>
 def do_something(param1, param2, param3, param4):
 	...
 </pre>
+<h2>Exceptions</h2>
+<p>The first argument of non-static methods, i.e. <code>self</code> or <code>cls</code>, is not counted as it is mandatory and it is passed
+automatically.</p>
 
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1542.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1542.html
@@ -1,6 +1,6 @@
 <p>Shared coding conventions allow teams to collaborate efficiently. This rule checks that all function names match a provided regular expression.</p>
 <h2>Noncompliant Code Example</h2>
-<p>With the default provided regular expression: ^[a-z_][a-z0-9_]{2,30}$</p>
+<p>With the default provided regular expression: <code>^[a-z_][a-z0-9_]*$</code></p>
 <pre>
 def MyFunction(a,b):
     ...
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2245.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2245.html
@@ -18,8 +18,8 @@ <h2>Ask Yourself Whether</h2>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
   <li> Only use random number generators which are <a
-  href="https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Use_strong_random_numbers">recommended by OWASP</a> or any other
-  trusted organization. </li>
+  href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation">recommended by
+  OWASP</a> or any other trusted organization. </li>
   <li> Use the generated random values only once. </li>
   <li> You should not expose the generated random value. If you have to store it, make sure that the database or file is secure. </li>
 </ul>
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3827.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3827.html
@@ -1,8 +1,6 @@
 <p>Variables, Classes and functions should be defined before they are used, otherwise the code will fail.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
-unknown_var  # Noncompliant (variable is never defined)
-
 def noncompliant():
     foo()  # Noncompliant
     foo = sum
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4721.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4721.html
@@ -1,28 +1,13 @@
-<p>Arbitrary OS commands can be executed by an attacker when:</p>
-<ul>
-  <li> The OS command name to execute is user-controlled. </li>
-  <li> A shell is spawn rather than a new process, in this case shell meta-chars can be used (when parameters are user-controlled for instance) to
-  inject OS commands. </li>
-  <li> The executable is searched in the directories specified by the PATH variable (which can contain user-controlled or malicious directories).
-  </li>
-</ul>
+<p>Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process, indeed shell meta-chars can be
+used (when parameters are user-controlled for instance) to inject OS commands.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> OS command name or parameters are user-controlled. </li>
-  <li> The relative path of the OS command is specified. </li>
-  <li> OS commands are not executed in an isolated/sandboxed environment. </li>
-  <li> OS command are executed with high privileges. </li>
 </ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
+<p>There is a risk if you answered yes to this question.</p>
 <p> </p>
 <h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li> User-controlled inputs should not be used, for any reasons, to build a dynamically OS command (command name or even parameters when shell is
-  used). </li>
-  <li> Fully qualified/absolute path should be used to specify the OS command to execute. </li>
-  <li> If possible, set the lowest privileges to the new process/shell in which commands are executed. </li>
-  <li> If possible, execute the OS commands in an isolated environment. </li>
-</ul>
+<p>Use functions that don't spawn a shell.</p>
 <h2>Sensitive Code Example</h2>
 <p>Python 3</p>
 <pre>
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.json
@@ -3,21 +3,10 @@
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "tags": [
-    "cwe",
-    "owasp-a1",
-    "regex"
+    
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4784",
   "sqKey": "S4784",
-  "scope": "Main",
-  "securityStandards": {
-    "CWE": [
-      624,
-      185
-    ],
-    "OWASP": [
-      "A1"
-    ]
-  }
+  "scope": "Main"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5247.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5247.json
@@ -4,7 +4,6 @@
   "status": "ready",
   "tags": [
     "cwe",
-    "sans-top25-insecure",
     "owasp-a7"
   ],
   "defaultSeverity": "Major",
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5332.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5332.html
@@ -70,7 +70,7 @@ <h2>See</h2>
 <ul>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
   </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/200.html">MITRE, CWE-200</a> - Information Exposure </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/200.html">MITRE, CWE-200</a> - Exposure of Sensitive Information to an Unauthorized Actor </li>
   <li> <a href="http://cwe.mitre.org/data/definitions/319">MITRE, CWE-319</a> - Cleartext Transmission of Sensitive Information </li>
   <li> <a href="https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html">Google, Moving towards more secure web</a> </li>
   <li> <a href="https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/">Mozilla, Deprecating non secure http</a> </li>
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5542.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5542.html
@@ -7,7 +7,7 @@
     <ul>
       <li> Electronic Codebook (ECB) mode is vulnerable because it doesn't provide serious message confidentiality: under a given key any given
       plaintext block always gets encrypted to the same ciphertext block. </li>
-      <li> Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is susceptible to padding oracle attacks. </li>
+      <li> Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is vulnerable to padding oracle attacks. </li>
     </ul> </li>
   <li> RSA encryption algorithm should be used with the recommended padding scheme (OAEP) </li>
 </ul>
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5542.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5542.json
@@ -6,7 +6,8 @@
     "cwe",
     "privacy",
     "owasp-a6",
-    "sans-top25-porous"
+    "sans-top25-porous",
+    "owasp-a3"
   ],
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-5542",
@@ -18,7 +19,8 @@
       780
     ],
     "OWASP": [
-      "A6"
+      "A6",
+      "A3"
     ]
   }
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5547.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5547.html
@@ -1,6 +1,7 @@
 <p><a href="https://en.wikipedia.org/wiki/Strong_cryptography">Strong cipher algorithms</a> are cryptographic systems resistant to cryptanalysis, they
 are not vulnerable to well-known attacks like brute force attacks for example. </p>
-<p>It is recommended to use only cipher algorithms intensively tested and promoted by the cryptographic community.</p>
+<p>A general recommendation is to only use cipher algorithms intensively tested and promoted by the cryptographic community.</p>
+<p>More specifically for block cipher, it's not recommended to use algorithm with a block size inferior than 128 bits.</p>
 <h2>Noncompliant Code Examples</h2>
 <p><a href="https://pycryptodome.readthedocs.io">pycryptodomex</a> library:</p>
 <pre>
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5547.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5547.json
@@ -5,6 +5,7 @@
   "tags": [
     "cwe",
     "privacy",
+    "owasp-a6",
     "sans-top25-porous",
     "owasp-a3"
   ],
@@ -18,7 +19,8 @@
       326
     ],
     "OWASP": [
-      "A3"
+      "A3",
+      "A6"
     ]
   }
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5632.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5632.json
@@ -2,6 +2,10 @@
   "title": "Raised Exceptions must derive from BaseException",
   "type": "BUG",
   "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
   "tags": [
     "python3"
   ],
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5708.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5708.json
@@ -2,6 +2,10 @@
   "title": "Caught Exceptions must derive from BaseException",
   "type": "BUG",
   "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
   "tags": [
     "python3"
   ],
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5713.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5713.json
@@ -2,6 +2,10 @@
   "title": "A subclass should not be in the same \"except\" statement as a parent class",
   "type": "CODE_SMELL",
   "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "1min"
+  },
   "tags": [
     "unused"
   ],
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5720.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5720.html
@@ -1,4 +1,4 @@
-<p>Instance methods, i.e. methods not annotated with <code>@cassmethod</code> or <code>@staticmethod</code>, are expected to have at least one
+<p>Instance methods, i.e. methods not annotated with <code>@classmethod</code> or <code>@staticmethod</code>, are expected to have at least one
 parameter. This parameter will reference the object instance on which the method is called. By convention, this first parameter is named "self".</p>
 <p>Naming the "self" parameter differently is confusing. It might also indicate that the "self" parameter was forgotten, in which case calling the
 method will most probably fail.</p>
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5724.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5724.html
@@ -65,6 +65,6 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> Python Documentation - Built-in Functions - property[|https://docs.python.org/3/library/functions.html#property] </li>
+  <li> <a href="https://docs.python.org/3/library/functions.html#property">Python Documentation - Built-in Functions - property</a> </li>
 </ul>
 
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5886.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5886.html
@@ -5,20 +5,11 @@ <h2>Noncompliant Code Example</h2>
 <pre>
 def hello() -&gt; str:
     return 42  # Noncompliant. Function's type hint asks for a string return value
-
-def should_return_a_string(condition) -&gt; str:
-    if condition:
-        return "a string"
-    # Noncompliant. The function returns None if the condition is not met
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
 def hello() -&gt; str:
     return "Hello"
-
-def should_return_a_string() -&gt; Optional[str]:
-    if condition:
-        return "a string"
 </pre>
 <h2>See</h2>
 <ul>
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json
@@ -81,7 +81,6 @@
     "S4487",
     "S4502",
     "S4507",
-    "S4784",
     "S4790",
     "S4792",
     "S4828",
diff --git a/sonarpedia.json b/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "PY"
   ],
-  "latest-update": "2020-06-24T13:09:33.697Z",
+  "latest-update": "2020-08-28T08:50:29.632Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true
