rspec/rspec-tools/rspec_tools/validation/rule-metadata-schema.json

{
  "id": "http://www.sonarsource.org/rule-schema-v1.1",
  "title": "Rule Implementation",
  "type": "object",
  "description": "we must have one of these files for each implemented rule",
  "additionalProperties": false,
  "properties": {
    "title": {
      "type": "string"
    },
    "type": {
      "type": "string",
      "enum": ["CODE_SMELL","BUG","VULNERABILITY","SECURITY_HOTSPOT"]
    },
    "status": {
      "type": "string",
      "enum": ["beta","ready","deprecated","superseded", "closed"]
    },
    "extra": {
      "type": "object",
      "properties": {
        "additionalProperties": false,
        "replacementRules": {
          "type": "array",
          "items": {
            "type": "string",
            "uniqueItems": true
          },
          "description": "The rule ids that replace this rule"
        },
        "legacyKeys": {
          "type": "array",
          "items": { "type": "string" },
          "uniqueItems": true
        }
      }
    },
    "remediation": {
      "type": "object",
      "oneOf": [
        {
          "additionalProperties": false,
          "properties": {
            "func": {
              "const": "Constant/Issue"
            },
            "constantCost": {
              "$ref": "#/definitions/time"
            }
          }
        }, {
          "additionalProperties": false,
          "properties": {
            "func": {
              "const": "Linear"
            },
            "linearDesc": {
              "type": "string"
            },
            "linearFactor": {
              "$ref": "#/definitions/time"
            }
          }
        }, {
          "additionalProperties": false,
          "properties": {
            "func": {
              "const": "Linear with offset"
            },
            "linearDesc": {
              "type": "string"
            },
            "linearOffset": {
              "$ref": "#/definitions/time"
            },
            "linearFactor": {
              "$ref": "#/definitions/time"
            }
          }
        }
      ]
    },
    "tags": {
      "type": "array",
      "minItems": 0,
      "items": { "type": "string" },
      "uniqueItems": true
    },
    "standards": {
      "type": "array",
      "minItems": 0,
      "items": { "type": "string" },
      "uniqueItems": true
    },
    "defaultSeverity": {
      "type": "string",
      "enum": ["Info","Minor","Major","Critical","Blocker"]
    },

    "ruleSpecification": {
      "type": "string",
      "description": "id of the RSPEC, in the form 'RSPEC-XXXX'"
    },
    "sqKey": {
      "type": "string",
      "description": "the key used to save issues on SQ. Often a legacy key"
    },
    "compatibleLanguages": {
      "type": "array",
      "minItems": 1,
      "items": { "type": "string" },
      "uniqueItems": true
    },
    "scope": {
      "type": "string",
      "enum": ["Main","Tests","All"],
      "description": "scope the rule applies to"
    },
    "template": {
      "type": "boolean"
    },
    "securityStandards": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "CWE": {
          "type": "array",
          "minItems": 0,
          "items": { "type": "integer" },
          "uniqueItems": true
        },
        "OWASP": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^A([1-9]|10)$"
          },
          "uniqueItems": true
        },
        "OWASP Top 10 2021": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^A([1-9]|10)$"
          },
          "uniqueItems": true
        },
        "OWASP Mobile": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^M([1-9]|10)$"
          },
          "uniqueItems": true
        },
        "OWASP Mobile Top 10 2024": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^M([1-9]|10)$"
          },
          "uniqueItems": true
        },
        "PCI DSS 3.2": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^([0-9]{1,3}\\.?){1,4}$"
          },
          "uniqueItems": true
        },
        "PCI DSS 4.0": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^([0-9]{1,3}\\.?){1,4}$"
          },
          "uniqueItems": true
        },
        "CIS": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^([0-9]{1,3}\\.?){1,3}$" 
          },
          "uniqueItems": true
        },
        "HIPAA": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^([0-9]{1,3}\\.?){2}$"
          },
          "uniqueItems": true
        },
        "CERT": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^[A-Z0-9]+-[A-Z]+\\.$"
          },
          "uniqueItems": true
        },
        "MASVS": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^MSTG-[A-Z]+-[0-9]+$"
          },
          "uniqueItems": true
        },
        "ASVS 4.0": {
          "type": "array",
          "minItems": 0,
          "items": { 
            "type": "string",
            "pattern": "^\\d+\\.\\d+\\.\\d+$"
          },
          "uniqueItems": true 
        },
        "STIG ASD_V5R3": {
          "type": "array",
          "minItems": 0,
          "items": {
            "type": "string",
            "pattern": "^V-\\d+$"
          },
          "uniqueItems": true
        }
      }
    },
    "defaultQualityProfiles": {
      "type": "array",
      "items": { "type": "string"},
      "uniqueItems": true
    },
    "educationPrinciples": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["defense_in_depth", "never_trust_user_input"]
      },
      "uniqueItems": true
    },
    "quickfix": {
      "type": "string",
      "enum": [
        "unknown",
        "covered",
        "partial",
        "infeasible",
        "targeted"
      ],
      "description": "Can issues of the rule have a quick fix?"
    },
    "code": {
      "type": "object",
      "description": "Information related to clean code taxonomy",
      "additionalProperties": false,
      "properties": {
        "impacts": {
          "type": "object",
          "description": "Software qualities",
          "additionalProperties": false,
          "minProperties": 1,
          "properties": {
            "MAINTAINABILITY": {
              "type": "string",
              "enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]
            },
            "RELIABILITY": {
              "type": "string",
              "enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]
            },
            "SECURITY": {
              "type": "string",
              "enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]
            }
          }
        },
        "attribute": {
          "type": "string",
          "description": "Clean code attribute",
          "enum": ["FORMATTED", "CONVENTIONAL", "IDENTIFIABLE", "CLEAR", "LOGICAL", "COMPLETE", "EFFICIENT", "FOCUSED", "DISTINCT", "MODULAR", "TESTED", "LAWFUL", "TRUSTWORTHY", "RESPECTFUL"]
        }
      },
      "required": ["impacts", "attribute"]
    }
  },
  "if": {
    "properties": {"status": {"const": "closed"}}
  },
  "then": {
    "required": []
  },
  "else": {
    "if": {
      "properties": {"type": {"const": "SECURITY_HOTSPOT"}}
    },
    "then": {
      "required": ["title","type","status","tags","defaultSeverity","ruleSpecification","sqKey","scope"]
    },
    "else": {
      "required": ["title","type","status","remediation","tags","defaultSeverity","ruleSpecification","sqKey","scope", "quickfix"]
    }
  },
  "definitions": {
    "time": {
      "type": "string",
      "pattern": "^[ ]*[0-9]+[ ]*(min|h|d)$"
    }
  }
}
Improve rules' metadata.json validation 2021-02-23 20:41:11 +01:00			`{`
			`"id": "http://www.sonarsource.org/rule-schema-v1.1",`
			`"title": "Rule Implementation",`
			`"type": "object",`
			`"description": "we must have one of these files for each implemented rule",`
RULEAPI-654: Clarify the rule creation process (#115) 2021-06-11 07:58:58 +02:00			`"additionalProperties": false,`
Improve rules' metadata.json validation 2021-02-23 20:41:11 +01:00			`"properties": {`
			`"title": {`
			`"type": "string"`
			`},`
			`"type": {`
			`"type": "string",`
			`"enum": ["CODE_SMELL","BUG","VULNERABILITY","SECURITY_HOTSPOT"]`
			`},`
			`"status": {`
			`"type": "string",`
RUELAPI-615 Ignore closed RSPEC in "validate_asciidoc" check 2021-05-25 11:00:40 +02:00			`"enum": ["beta","ready","deprecated","superseded", "closed"]`
Improve rules' metadata.json validation 2021-02-23 20:41:11 +01:00			`},`
RULEAPI-654: Clarify the rule creation process (#115) 2021-06-11 07:58:58 +02:00			`"extra": {`
			`"type": "object",`
			`"properties": {`
			`"additionalProperties": false,`
			`"replacementRules": {`
			`"type": "array",`
			`"items": {`
			`"type": "string",`
			`"uniqueItems": true`
			`},`
			`"description": "The rule ids that replace this rule"`
RULEAPI-687: Migrate legacy keys from Jira RSPEC (#392) 2021-09-24 09:08:46 +02:00			`},`
			`"legacyKeys": {`
			`"type": "array",`
			`"items": { "type": "string" },`
			`"uniqueItems": true`
RULEAPI-654: Clarify the rule creation process (#115) 2021-06-11 07:58:58 +02:00			`}`
			`}`
			`},`
Improve rules' metadata.json validation 2021-02-23 20:41:11 +01:00			`"remediation": {`
			`"type": "object",`
			`"oneOf": [`
			`{`
			`"additionalProperties": false,`
			`"properties": {`
			`"func": {`
			`"const": "Constant/Issue"`
			`},`
			`"constantCost": {`
			`"$ref": "#/definitions/time"`
			`}`
			`}`
			`}, {`
			`"additionalProperties": false,`
			`"properties": {`
			`"func": {`
			`"const": "Linear"`
			`},`
			`"linearDesc": {`
			`"type": "string"`
			`},`
			`"linearFactor": {`
			`"$ref": "#/definitions/time"`
			`}`
			`}`
			`}, {`
			`"additionalProperties": false,`
			`"properties": {`
			`"func": {`
			`"const": "Linear with offset"`
			`},`
			`"linearDesc": {`
			`"type": "string"`
			`},`
			`"linearOffset": {`
			`"$ref": "#/definitions/time"`
			`},`
			`"linearFactor": {`
			`"$ref": "#/definitions/time"`
			`}`
			`}`
			`}`
			`]`
			`},`
			`"tags": {`
			`"type": "array",`
			`"minItems": 0,`
			`"items": { "type": "string" },`
			`"uniqueItems": true`
			`},`
			`"standards": {`
			`"type": "array",`
			`"minItems": 0,`
			`"items": { "type": "string" },`
			`"uniqueItems": true`
			`},`
			`"defaultSeverity": {`
			`"type": "string",`
			`"enum": ["Info","Minor","Major","Critical","Blocker"]`
			`},`

			`"ruleSpecification": {`
			`"type": "string",`
			`"description": "id of the RSPEC, in the form 'RSPEC-XXXX'"`
			`},`
			`"sqKey": {`
			`"type": "string",`
			`"description": "the key used to save issues on SQ. Often a legacy key"`
			`},`
			`"compatibleLanguages": {`
			`"type": "array",`
			`"minItems": 1,`
			`"items": { "type": "string" },`
			`"uniqueItems": true`
			`},`
			`"scope": {`
			`"type": "string",`
			`"enum": ["Main","Tests","All"],`
			`"description": "scope the rule applies to"`
			`},`
			`"template": {`
			`"type": "boolean"`
			`},`
			`"securityStandards": {`
			`"type": "object",`
			`"additionalProperties": false,`
			`"properties": {`
			`"CWE": {`
			`"type": "array",`
			`"minItems": 0,`
			`"items": { "type": "integer" },`
			`"uniqueItems": true`
			`},`
			`"OWASP": {`
			`"type": "array",`
			`"minItems": 0,`
[RULEAPI-761] JSON schema fails to restrict the format of security-standard items (#1013) 2022-05-25 16:36:49 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^A([1-9]\|10)$"`
			`},`
			`"uniqueItems": true`
add owasp mobile security standard to schema validation (#94) 2021-06-07 11:20:46 +02:00			`},`
RULEAPI-698: Support OWASP Top 10 2021 security standard (#466) 2021-10-15 09:37:46 +02:00			`"OWASP Top 10 2021": {`
			`"type": "array",`
			`"minItems": 0,`
[RULEAPI-761] JSON schema fails to restrict the format of security-standard items (#1013) 2022-05-25 16:36:49 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^A([1-9]\|10)$"`
			`},`
			`"uniqueItems": true`
RULEAPI-698: Support OWASP Top 10 2021 security standard (#466) 2021-10-15 09:37:46 +02:00			`},`
add owasp mobile security standard to schema validation (#94) 2021-06-07 11:20:46 +02:00			`"OWASP Mobile": {`
			`"type": "array",`
			`"minItems": 0,`
[RULEAPI-761] JSON schema fails to restrict the format of security-standard items (#1013) 2022-05-25 16:36:49 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^M([1-9]\|10)$"`
			`},`
			`"uniqueItems": true`
add missing and future security standards (#103) 2021-06-07 19:13:19 +02:00			`},`
Update security rules: add OWASP Mobile Top 10 2024 security standard (APPSEC-2383) (#4660) 2025-02-19 17:19:00 +01:00			`"OWASP Mobile Top 10 2024": {`
			`"type": "array",`
			`"minItems": 0,`
			`"items": {`
			`"type": "string",`
			`"pattern": "^M([1-9]\|10)$"`
			`},`
			`"uniqueItems": true`
			`},`
Support of PCI DSS v3.2 (#925) * Rename "PCI DSS" to "PCI DSS 3.2" because the security standard is versioned * Update metadata.json of one rule using the wrong "PCI DSS" 2022-04-12 21:58:21 +02:00			`"PCI DSS 3.2": {`
add missing and future security standards (#103) 2021-06-07 19:13:19 +02:00			`"type": "array",`
			`"minItems": 0,`
[APPSEC-3] Security rules are mapped to PCI DSS 4.0 (#1007) 2022-05-24 16:19:27 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^([0-9]{1,3}\\.?){1,4}$"`
			`},`
			`"uniqueItems": true`
			`},`
			`"PCI DSS 4.0": {`
			`"type": "array",`
			`"minItems": 0,`
			`"items": {`
			`"type": "string",`
			`"pattern": "^([0-9]{1,3}\\.?){1,4}$"`
			`},`
			`"uniqueItems": true`
add missing and future security standards (#103) 2021-06-07 19:13:19 +02:00			`},`
			`"CIS": {`
			`"type": "array",`
			`"minItems": 0,`
[RULEAPI-761] JSON schema fails to restrict the format of security-standard items (#1013) 2022-05-25 16:36:49 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^([0-9]{1,3}\\.?){1,3}$"`
			`},`
			`"uniqueItems": true`
add missing and future security standards (#103) 2021-06-07 19:13:19 +02:00			`},`
			`"HIPAA": {`
			`"type": "array",`
			`"minItems": 0,`
[RULEAPI-761] JSON schema fails to restrict the format of security-standard items (#1013) 2022-05-25 16:36:49 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^([0-9]{1,3}\\.?){2}$"`
			`},`
			`"uniqueItems": true`
add missing and future security standards (#103) 2021-06-07 19:13:19 +02:00			`},`
			`"CERT": {`
			`"type": "array",`
			`"minItems": 0,`
[RULEAPI-761] JSON schema fails to restrict the format of security-standard items (#1013) 2022-05-25 16:36:49 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^[A-Z0-9]+-[A-Z]+\\.$"`
			`},`
			`"uniqueItems": true`
add missing and future security standards (#103) 2021-06-07 19:13:19 +02:00			`},`
			`"MASVS": {`
			`"type": "array",`
			`"minItems": 0,`
[RULEAPI-761] JSON schema fails to restrict the format of security-standard items (#1013) 2022-05-25 16:36:49 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^MSTG-[A-Z]+-[0-9]+$"`
			`},`
			`"uniqueItems": true`
RULEAPI-699: Support OWASP ASVS 4 security standard 2021-10-08 10:23:39 +02:00			`},`
Map rules to OWASP ASVS 4 (#1110) https://sonarsource.atlassian.net/browse/MMF-2794 2022-07-29 13:35:38 +02:00			`"ASVS 4.0": {`
RULEAPI-699: Support OWASP ASVS 4 security standard 2021-10-08 10:23:39 +02:00			`"type": "array",`
			`"minItems": 0,`
[RULEAPI-761] JSON schema fails to restrict the format of security-standard items (#1013) 2022-05-25 16:36:49 +02:00			`"items": {`
			`"type": "string",`
			`"pattern": "^\\d+\\.\\d+\\.\\d+$"`
			`},`
			`"uniqueItems": true`
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) * Update JSON schema to include STIG ASD 2023-06-08 mapping * Update rules to add STIG metadata mappings --------- Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> 2024-05-06 07:56:31 +01:00			`},`
Modify rules: Rename STIG version in metadata (#4098) The Security Technical Implementation Guide security standard is being renamed from its release date (`2023-06-08`) to its official version and revision number (`V5R3`). This helps to align with the version number being used internally for reporting purposes. 2024-07-30 15:10:03 +01:00			`"STIG ASD_V5R3": {`
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) * Update JSON schema to include STIG ASD 2023-06-08 mapping * Update rules to add STIG metadata mappings --------- Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> 2024-05-06 07:56:31 +01:00			`"type": "array",`
			`"minItems": 0,`
			`"items": {`
			`"type": "string",`
			`"pattern": "^V-\\d+$"`
			`},`
			`"uniqueItems": true`
Improve rules' metadata.json validation 2021-02-23 20:41:11 +01:00			`}`
			`}`
RULEAPI-654: Clarify the rule creation process (#115) 2021-06-11 07:58:58 +02:00			`},`
			`"defaultQualityProfiles": {`
			`"type": "array",`
			`"items": { "type": "string"},`
			`"uniqueItems": true`
RULEAPI-706: Add quick fixes metadata 2021-10-07 11:23:15 +02:00			`},`
SONARSEC-3163 Add education principles to S5131 metadata json file (#1155) 2022-08-09 12:06:31 +02:00			`"educationPrinciples": {`
			`"type": "array",`
			`"items": {`
			`"type": "string",`
			`"enum": ["defense_in_depth", "never_trust_user_input"]`
			`},`
			`"uniqueItems": true`
			`},`
RULEAPI-706: Add quick fixes metadata 2021-10-07 11:23:15 +02:00			`"quickfix": {`
			`"type": "string",`
			`"enum": [`
			`"unknown",`
			`"covered",`
			`"partial",`
			`"infeasible",`
			`"targeted"`
			`],`
			`"description": "Can issues of the rule have a quick fix?"`
Add clean code taxonomy properties to metadata schema (#2792) 2023-08-04 16:55:03 +02:00			`},`
			`"code": {`
			`"type": "object",`
			`"description": "Information related to clean code taxonomy",`
			`"additionalProperties": false,`
			`"properties": {`
			`"impacts": {`
			`"type": "object",`
			`"description": "Software qualities",`
			`"additionalProperties": false,`
			`"minProperties": 1,`
			`"properties": {`
			`"MAINTAINABILITY": {`
			`"type": "string",`
allow INFO and BLOCKER for CCT rule quality severity to support Multi-Quality Rule mode 2024-10-31 16:24:31 +01:00			`"enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]`
Add clean code taxonomy properties to metadata schema (#2792) 2023-08-04 16:55:03 +02:00			`},`
			`"RELIABILITY": {`
			`"type": "string",`
allow INFO and BLOCKER for CCT rule quality severity to support Multi-Quality Rule mode 2024-10-31 16:24:31 +01:00			`"enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]`
Add clean code taxonomy properties to metadata schema (#2792) 2023-08-04 16:55:03 +02:00			`},`
			`"SECURITY": {`
			`"type": "string",`
allow INFO and BLOCKER for CCT rule quality severity to support Multi-Quality Rule mode 2024-10-31 16:24:31 +01:00			`"enum": ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]`
Add clean code taxonomy properties to metadata schema (#2792) 2023-08-04 16:55:03 +02:00			`}`
			`}`
			`},`
			`"attribute": {`
			`"type": "string",`
			`"description": "Clean code attribute",`
			`"enum": ["FORMATTED", "CONVENTIONAL", "IDENTIFIABLE", "CLEAR", "LOGICAL", "COMPLETE", "EFFICIENT", "FOCUSED", "DISTINCT", "MODULAR", "TESTED", "LAWFUL", "TRUSTWORTHY", "RESPECTFUL"]`
			`}`
			`},`
			`"required": ["impacts", "attribute"]`
Improve rules' metadata.json validation 2021-02-23 20:41:11 +01:00			`}`
			`},`
RULEAPI-604 Make an exception for Security Hotspots in the validation schema for "remediation cost" field 2021-04-30 14:11:09 +02:00			`"if": {`
RUELAPI-615 Ignore closed RSPEC in "validate_asciidoc" check 2021-05-25 11:00:40 +02:00			`"properties": {"status": {"const": "closed"}}`
RULEAPI-604 Make an exception for Security Hotspots in the validation schema for "remediation cost" field 2021-04-30 14:11:09 +02:00			`},`
			`"then": {`
RUELAPI-615 Ignore closed RSPEC in "validate_asciidoc" check 2021-05-25 11:00:40 +02:00			`"required": []`
RULEAPI-604 Make an exception for Security Hotspots in the validation schema for "remediation cost" field 2021-04-30 14:11:09 +02:00			`},`
			`"else": {`
RUELAPI-615 Ignore closed RSPEC in "validate_asciidoc" check 2021-05-25 11:00:40 +02:00			`"if": {`
			`"properties": {"type": {"const": "SECURITY_HOTSPOT"}}`
			`},`
			`"then": {`
			`"required": ["title","type","status","tags","defaultSeverity","ruleSpecification","sqKey","scope"]`
			`},`
			`"else": {`
RULEAPI-706: Add quick fixes metadata 2021-10-07 11:23:15 +02:00			`"required": ["title","type","status","remediation","tags","defaultSeverity","ruleSpecification","sqKey","scope", "quickfix"]`
RUELAPI-615 Ignore closed RSPEC in "validate_asciidoc" check 2021-05-25 11:00:40 +02:00			`}`
RULEAPI-604 Make an exception for Security Hotspots in the validation schema for "remediation cost" field 2021-04-30 14:11:09 +02:00			`},`
Improve rules' metadata.json validation 2021-02-23 20:41:11 +01:00			`"definitions": {`
			`"time": {`
			`"type": "string",`
Replace remediation cost time unit 'mn' with 'min' (#1104) 2022-07-13 15:02:38 +02:00			`"pattern": "^[ ][0-9]+[ ](min\|h\|d)$"`
Improve rules' metadata.json validation 2021-02-23 20:41:11 +01:00			`}`
			`}`
RULEAPI-604 Make an exception for Security Hotspots in the validation schema for "remediation cost" field 2021-04-30 14:11:09 +02:00			`}`