rspec/rules/S6377/java/rule.adoc

include::../common/rationale.adoc[]

== Why is this an issue?

Before Java 17, XML Digital Signature API does not apply restrictions on XML signature validation unless the application runs with a security manager, which is rare.

== What is the potential impact

include::../common/impact.adoc[]

include::./how-to-fix/java-se.adoc[]

== Resources

include::../common/resources/docs.adoc[]

include::../common/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Set the 'org.jcp.xml.dsig.secureValidation' property to true on the 'DOMValidateContext' to validate this XML signature securely.


'''
== Comments And Links
(visible only on this page)

=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:
Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.

endif::env-github,rspecator-view[]
Create rule S6377: XML signature should be verified securely (Python) (APPSEC-1588) (#3763) 2024-03-18 17:11:22 +01:00			`include::../common/rationale.adoc[]`
Modify rule S6377: Change text to education framework format (APPSEC-1110) (#3164) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 15:47:49 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify rule S6377: Change text to education framework format (APPSEC-1110) (#3164) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 15:47:49 +02:00			`Before Java 17, XML Digital Signature API does not apply restrictions on XML signature validation unless the application runs with a security manager, which is rare.`

			`== What is the potential impact`

Create rule S6377: XML signature should be verified securely (Python) (APPSEC-1588) (#3763) 2024-03-18 17:11:22 +01:00			`include::../common/impact.adoc[]`
Modify rule S6377: Change text to education framework format (APPSEC-1110) (#3164) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 15:47:49 +02:00
Create rule S6377: XML signature should be verified securely (Python) (APPSEC-1588) (#3763) 2024-03-18 17:11:22 +01:00			`include::./how-to-fix/java-se.adoc[]`
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00
Create rule S6377: XML signature should be verified securely (Python) (APPSEC-1588) (#3763) 2024-03-18 17:11:22 +01:00			`include::../common/resources/docs.adoc[]`
Modify rule S6377: Change text to education framework format (APPSEC-1110) (#3164) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 15:47:49 +02:00
Create rule S6377: XML signature should be verified securely (Python) (APPSEC-1588) (#3763) 2024-03-18 17:11:22 +01:00			`include::../common/resources/standards.adoc[]`
Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Set the 'org.jcp.xml.dsig.secureValidation' property to true on the 'DOMValidateContext' to validate this XML signature securely.`

Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00
			`'''`
Document quick fixes for S2755, S6373, S6374, S6376 and S6377 (#745) 2022-01-25 13:38:33 +01:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:`
			`Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.`

Rule S6377[Java]: XML signatures must be validated securely (#567) 2022-01-25 10:52:20 +01:00			`endif::env-github,rspecator-view[]`