Nightly update

rules/S2180/java/metadata.json

@@ -8,7 +8,8 @@
   },
   "tags": [
     "multi-threading",
-    "cert"
+    "cert",
+    "AWS"
   ],
   "extra": {
     "coveredLanguages": [

rules/S2577/java/rule.adoc

@@ -34,8 +34,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) {
 ----
 
 
+:link-with-uscores1: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse
+
 == See
 
 * https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse[OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet] - Rule #3.1
+* {link-with-uscores1}[OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet] - Rule #3.1
 

rules/S4529/recommended.adoc

@@ -1,9 +1,12 @@
+:link-with-uscores1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+:link-with-uscores2: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
+
 == Recommended Secure Coding Practices
 
 Never trust any part of the request to be safe. Make sure that the URI, header and body are properly https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet[sanitized] before being used. Their content, length, encoding, name (ex: name of URL query parameters) should be checked. Validate that the values are in a predefined whitelist. The opposite, i.e. searching for dangerous values in a given input, can easily miss some of them.
 
 
-Do not rely solely on cookies when you implement your authentication and permission logic. Use additional protections such as   https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet[CSRF] tokens when possible.
+Do not rely solely on cookies when you implement your authentication and permission logic. Use additional protections such as   {link-with-uscores1}[CSRF] tokens when possible.
 
 
 Do not expose sensitive information in your response. If the endpoint serves files, limit the access to a dedicated directory. https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies[Protect your sensitive cookies] so that client-side javascript cannot read or modify them.
@@ -11,7 +14,7 @@ Do not expose sensitive information in your response. If the endpoint serves fil
 
 Sanitize all values before returning them in a response, be it in the body, header or status code. Special care should be taken to avoid the following attacks:
 
-* https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet[Cross-site Scripting (XSS)], which happens when an unsafe value is included in an HTML page.
+* {link-with-uscores2}[Cross-site Scripting (XSS)], which happens when an unsafe value is included in an HTML page.
 * https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet[Unvalidated redirects] which can happen when the ``++Location++`` header is compromised.
 
 Restrict security-sensitive actions, such as file upload, to authenticated users.

rules/S5443/java/rule.adoc

@@ -22,12 +22,20 @@ env.get("TMP"); // Sensitive
 == Compliant Solution
 
 ----
-new File("/myDirectory/myfile.txt");
+new File("/myDirectory/myfile.txt");  // Compliant
 
-File.createTempFile("prefix", "suffix", new File("/mySecureDirectory"));
+File.createTempFile("prefix", "suffix", new File("/mySecureDirectory"));  // Compliant
 
-FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("w+"));
-Files.createTempFile("prefix", "suffix", attr); // Compliant, created with explicit attributes.
+if(SystemUtils.IS_OS_UNIX) {
+  FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
+  Files.createTempFile("prefix", "suffix", attr); // Compliant
+}
+else {
+  File f = Files.createTempFile("prefix", "suffix").toFile();  // Compliant
+  f.setReadable(true, true);
+  f.setWritable(true, true);
+  f.setExecutable(true, true);
+}
 ----
 
 include::../see.adoc[]

rules/S6241/java/metadata.json

@@ -1,5 +1,5 @@
 {
-  "title": "Region should be set when creating a new \"AwsClient\"",
+  "title": "Region should be set explicitly when creating a new \"AwsClient\"",
   "type": "CODE_SMELL",
   "status": "ready",
   "remediation": {

rules/S6241/java/rule.adoc

@@ -34,4 +34,5 @@ S3Client.builder()
 * https://aws.amazon.com/fr/blogs/developer/tuning-the-aws-java-sdk-2-x-to-reduce-startup-time/[Tuning the AWS Java SDK 2.x to reduce startup time]
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/lambda-optimize-starttime.html[Optimizing cold start performance for AWS Lambda]
 * https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html[Environment variable configuration]
+* https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-region-selection.html#automatically-determine-the-aws-region-from-the-environment[Automatically Determine the AWS Region]
 

rules/S6242/java/metadata.json

@@ -1,5 +1,5 @@
 {
-  "title": "Credentials Provider should be set when creating a new \"AwsClient\"",
+  "title": "Credentials Provider should be set explicitly when creating a new \"AwsClient\"",
   "type": "CODE_SMELL",
   "status": "ready",
   "remediation": {

rules/S6242/java/rule.adoc

@@ -34,4 +34,5 @@ S3Client.builder()
 * https://aws.amazon.com/fr/blogs/developer/tuning-the-aws-java-sdk-2-x-to-reduce-startup-time/[Tuning the AWS Java SDK 2.x to reduce startup time]
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/lambda-optimize-starttime.html[Optimizing cold start performance for AWS Lambda]
 * https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html[Environment variable configuration]
+* https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html[Default Credential Provider Chain]
 

rules/S6244/java/metadata.json

@@ -0,0 +1,27 @@
+{
+  "title": "Consumer Builders should be used",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "AWS"
+  ],
+  "extra": {
+    "coveredLanguages": [
+      
+    ],
+    "replacementRules": [
+      
+    ]
+  },
+  "defaultSeverity": "Minor",
+  "ruleSpecification": "RSPEC-6244",
+  "sqKey": "S6244",
+  "scope": "Main",
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ]
+}

rules/S6244/java/rule.adoc

@@ -0,0 +1,38 @@
+Some API, like the AWS SDK, heavily rely on the builder pattern to create different data structures. Despite all the benefits, this pattern can become really verbose,
+
+especially when dealing with nested structures. In order to reach a more concise code, "Consumer Builders", also called "Consumer Interface" are often introduced.
+
+The idea is to overload the methods taking others structures in a Builder with a Consumer of Builder instead. This enables the user to use a
+
+lambda instead of nesting another Builder, resulting in more concise and more readable code.
+
+
+This rule reports an issue when the Consumer Builder methods could be used instead of the classical ones.
+
+
+== Noncompliant Code Example
+
+----
+SendEmailRequest.builder()
+  .destination(Destination.builder()
+    .toAddresses("to-email@domain.com")
+    .bccAddresses("bcc-email@domain.com")
+    .build())
+.build();
+----
+
+
+== Compliant Solution
+
+----
+SendEmailRequest.builder()
+  .destination(d -> d.toAddresses("to-email@domain.com")
+    .bccAddresses("bcc-email@domain.com"))
+  .build();
+----
+
+
+== See
+
+* https://aws.amazon.com/fr/blogs/developer/consumer-builders-in-the-aws-sdk-for-java-v2/[Consumer Builders in the AWS SDK for Java v2]
+

rules/S6244/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6246/java/metadata.json

@@ -0,0 +1,22 @@
+{
+  "title": "Lambdas should not invoke other lambdas",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "tags": [
+    "AWS"
+  ],
+  "extra": {
+    "coveredLanguages": [
+      "Java"
+    ],
+    "replacementRules": [
+      
+    ]
+  },
+  "ruleSpecification": "RSPEC-6246",
+  "sqKey": "S6246",
+  "scope": "All",
+  "defaultQualityProfiles": [
+    
+  ]
+}

rules/S6246/java/rule.adoc

@@ -0,0 +1,33 @@
+Invoking other lambdas from a lambda is a scalability anti-pattern.
+
+As the runtime of your function is bounded, waiting for another lambda to finish executing could cause a timeout.
+
+Consider breaking down your function into multiple ones or changing the way you generate or handle events.
+
+----
+ String functionName = args[0];
+
+InvokeRequest invokeRequest = new InvokeRequest()
+         .withFunctionName(functionName)
+         .withPayload("{\n" +
+                 " \"Hello \": \"Paris\",\n" +
+                 " \"countryCode\": \"FR\"\n" +
+         "}");
+        InvokeResult invokeResult = null;
+try {
+	AWSLambda awsLambda = AWSLambdaClientBuilder.standard()
+		.withCredentials(new ProfileCredentialsProvider())
+		.withRegion(Regions.US_WEST_2).build();
+
+	invokeResult = awsLambda.invoke(invokeRequest); // Noncompliant
+
+	String ans = new String(invokeResult.getPayload().array(), StandardCharsets.UTF_8);
+
+	//write out the return value
+	System.out.println(ans);
+
+} catch (ServiceException e) {
+	System.out.println(e);
+}
+----
+

rules/S6246/metadata.json

@@ -0,0 +1,2 @@
+{
+}