Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)

* Add check for security standard mismatch * Fix security standard mismatches * Fix Resources/Standards links for secrets rules * Fix check * Fix links and update security standard mapping * Fix maintanability issue * Apply review suggestions * Apply suggestions from code review Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> * Fix typo Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00 · 2024-01-17 17:20:28 +01:00 · 770348d041
commit 770348d041
parent f6ac76fbb1
130 changed files with 443 additions and 223 deletions
--- a/rspec-tools/rspec_tools/cli.py
+++ b/rspec-tools/rspec_tools/cli.py
@ -17,7 +17,8 @@ from rspec_tools.validation.description import (validate_subsections,
                                                validate_parameters,
                                                validate_section_levels,
                                                validate_section_names,
-                                                validate_source_language)
+                                                validate_source_language,
+                                                validate_security_standard_links)
 from rspec_tools.validation.sanitize_asciidoc import sanitize_asciidoc
 from rspec_tools.validation.metadata import validate_rule_metadata

@ -104,6 +105,7 @@ VALIDATORS = [validate_subsections,
              validate_section_levels,
              validate_parameters,
              validate_source_language,
+              validate_security_standard_links,
              ]
 def _validate_rule_specialization(lang_spec_rule: LanguageSpecificRule):
  error_counter = 0
--- a/rspec-tools/rspec_tools/validation/description.py
+++ b/rspec-tools/rspec_tools/validation/description.py
@ -1,6 +1,6 @@
 from bs4 import BeautifulSoup
 from pathlib import Path
-from typing import Final
+from typing import Final, Dict, List

 from rspec_tools.errors import RuleValidationError
 from rspec_tools.rules import LanguageSpecificRule
@ -16,8 +16,35 @@ def parse_names(path):
  section_names_path = read_file(path)
  return [s.replace('* ', '').strip() for s in section_names_path if s.strip()]

+def parse_security_standard_links(descr):
+  link_nodes = descr.find_all('a')
+  security_standards_links: Dict[str, List] = {}
+  for node in link_nodes:
+    href = node.attrs['href']
+    for standard_key in SECURITY_STANDARD_URL:
+      standard = SECURITY_STANDARD_URL[standard_key]
+      url_pattern = standard["url_pattern"]
+      result = re.match(url_pattern, href)
+      if result is not None:
+        convert = standard["convert_id"]
+        category = convert(result[1])
+        if standard_key not in security_standards_links.keys():
+          security_standards_links[standard_key] = []
+        security_standards_links[standard_key].append(category)
+  return security_standards_links
+
 HOW_TO_FIX_IT = 'How to fix it'
 HOW_TO_FIX_IT_REGEX = re.compile(HOW_TO_FIX_IT)
+SECURITY_STANDARD_URL = {
+  "OWASP": {
+    "url_pattern": r"https://(?:www\.)?owasp\.org/www-project-top-ten/2017/A(10|[1-9])_2017-",
+    "convert_id": lambda value: f"A{value.lstrip('0')}",
+  },
+  "OWASP Top 10 2021": {
+    "url_pattern": r"https://(?:www\.)?owasp\.org/Top10/A(10|0[1-9])_2021-",
+    "convert_id": lambda value: f"A{value.lstrip('0')}",
+  },
+}

 # The list of all the sections currently accepted by the script.
 # The list includes multiple variants for each title because they all occur
@ -197,3 +224,27 @@ def validate_subsections_for_section(rule_language: LanguageSpecificRule, sectio
      if name in subsections_seen and not is_duplicate_allowed:
        raise RuleValidationError(f'Rule {rule_language.id} has duplicate "{section_name}" subsections. There are 2 occurences of "{name}"')
      subsections_seen.add(name)
+
+
+def validate_security_standard_links(rule_language: LanguageSpecificRule):
+  descr = rule_language.description
+  security_standards_links = parse_security_standard_links(descr)
+  metadata = rule_language.metadata
+
+  # Avoid raising mismatch issues on deprecated or closed rules
+  if metadata.get('status') != 'ready':
+    return
+  
+  security_standards_metadata = metadata.get('securityStandards', {})
+  for standard in SECURITY_STANDARD_URL.keys():
+
+    metadata_mapping = security_standards_metadata[standard] if standard in security_standards_metadata.keys() else []
+    links_mapping = security_standards_links[standard] if standard in security_standards_links.keys() else []
+
+    extra_links = difference(links_mapping, metadata_mapping)
+    if len(extra_links) > 0:
+      raise RuleValidationError(f'Rule {rule_language.id} has a mismatch for the {standard} security standards. Remove links from the Resources/See section ({extra_links}) or fix the rule metadata')
+    
+    missing_links = difference(metadata_mapping, links_mapping)
+    if len(missing_links) > 0:
+      raise RuleValidationError(f'Rule {rule_language.id} has a mismatch for the {standard} security standards. Add links to the Resources/See section ({missing_links}) or fix the rule metadata')
--- a/rspec-tools/tests/resources/invalid-rules/S100/metadata.json
+++ b/rspec-tools/tests/resources/invalid-rules/S100/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rspec-tools/tests/resources/invalid-rules/S101/metadata.json
+++ b/rspec-tools/tests/resources/invalid-rules/S101/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rspec-tools/tests/resources/invalid-rules/S200/metadata.json
+++ b/rspec-tools/tests/resources/invalid-rules/S200/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rspec-tools/tests/resources/rules/S200/docker/metadata.json
+++ b/rspec-tools/tests/resources/rules/S200/docker/metadata.json
@ -0,0 +1,10 @@
+{
+  "securityStandards": {
+    "OWASP": [
+      "A1","A10"
+    ],
+    "OWASP Top 10 2021": [
+    
+    ]
+  }
+}
--- a/rspec-tools/tests/resources/rules/S200/docker/rule.adoc
+++ b/rspec-tools/tests/resources/rules/S200/docker/rule.adoc
@ -0,0 +1,12 @@
+== Why is this an issue?
+== How to fix it
+== Resources
+=== Documentation
+
+* OWASP - https://www.owasp.org/index.php/HTTP_Response_Splitting[HTTP Response Splitting]
+
+=== Standards
+
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/113[CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')]
--- a/rspec-tools/tests/resources/rules/S200/docker/rule.html
+++ b/rspec-tools/tests/resources/rules/S200/docker/rule.html
@ -0,0 +1,43 @@
+<div class="sect1">
+<h2 id="_why_is_this_an_issue">Why is this an issue?</h2>
+<div class="sectionbody">
+
+</div>
+</div>
+<div class="sect1">
+<h2 id="_how_to_fix_it">How to fix it</h2>
+<div class="sectionbody">
+
+</div>
+</div>
+<div class="sect1">
+<h2 id="_resources">Resources</h2>
+<div class="sectionbody">
+<div class="sect2">
+<h3 id="_documentation">Documentation</h3>
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://www.owasp.org/index.php/HTTP_Response_Splitting">HTTP Response Splitting</a></p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_standards">Standards</h3>
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://www.owasp.org/www-project-top-ten/2017/A1_2017-Injection">Top 10 2017 Category A1 - Injection</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/20">CWE-20 - Improper Input Validation</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/113">CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
--- a/rspec-tools/tests/resources/rules/S200/python/metadata.json
+++ b/rspec-tools/tests/resources/rules/S200/python/metadata.json
@ -0,0 +1,13 @@
+{
+  "securityStandards": {
+    "ASVS 4.0": [
+      "1.23.4"
+    ],
+    "OWASP": [
+      "A1","A10"
+    ],
+    "OWASP Top 10 2021": [
+      "A3"
+    ]
+  }
+}
--- a/rspec-tools/tests/resources/rules/S200/python/rule.adoc
+++ b/rspec-tools/tests/resources/rules/S200/python/rule.adoc
@ -0,0 +1,14 @@
+== Why is this an issue?
+== How to fix it
+== Resources
+=== Documentation
+
+* OWASP - https://www.owasp.org/index.php/HTTP_Response_Splitting[HTTP Response Splitting]
+
+=== Standards
+
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/113[CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')]
--- a/rspec-tools/tests/resources/rules/S200/python/rule.html
+++ b/rspec-tools/tests/resources/rules/S200/python/rule.html
@ -0,0 +1,49 @@
+<div class="sect1">
+<h2 id="_why_is_this_an_issue">Why is this an issue?</h2>
+<div class="sectionbody">
+
+</div>
+</div>
+<div class="sect1">
+<h2 id="_how_to_fix_it">How to fix it</h2>
+<div class="sectionbody">
+
+</div>
+</div>
+<div class="sect1">
+<h2 id="_resources">Resources</h2>
+<div class="sectionbody">
+<div class="sect2">
+<h3 id="_documentation">Documentation</h3>
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://www.owasp.org/index.php/HTTP_Response_Splitting">HTTP Response Splitting</a></p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_standards">Standards</h3>
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A1_2017-Injection">Top 10 2017 Category A1 - Injection</a></p>
+</li>
+<li>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring">Top 10 2017 Category A10 - Insufficient Logging & Monitoring</a></p>
+</li>
+<li>
+<p>OWASP - <a href="https://owasp.org/Top10/A03_2021-Injection/">Top 10 2021 Category A3 - Injection</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/20">CWE-20 - Improper Input Validation</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/113">CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
--- a/rspec-tools/tests/resources/rules/S200/terraform/metadata.json
+++ b/rspec-tools/tests/resources/rules/S200/terraform/metadata.json
@ -0,0 +1,10 @@
+{
+  "securityStandards": {
+    "OWASP": [
+      "A1"
+    ],
+    "OWASP Top 10 2021": [
+      "A3"
+    ]
+  }
+}
--- a/rspec-tools/tests/resources/rules/S200/terraform/rule.adoc
+++ b/rspec-tools/tests/resources/rules/S200/terraform/rule.adoc
@ -0,0 +1,14 @@
+== Why is this an issue?
+== How to fix it
+== Resources
+=== Documentation
+
+* OWASP - https://www.owasp.org/index.php/HTTP_Response_Splitting[HTTP Response Splitting]
+
+=== Standards
+
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
+* OWASP - https://www.owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/113[CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')]
--- a/rspec-tools/tests/resources/rules/S200/terraform/rule.html
+++ b/rspec-tools/tests/resources/rules/S200/terraform/rule.html
@ -0,0 +1,49 @@
+<div class="sect1">
+<h2 id="_why_is_this_an_issue">Why is this an issue?</h2>
+<div class="sectionbody">
+
+</div>
+</div>
+<div class="sect1">
+<h2 id="_how_to_fix_it">How to fix it</h2>
+<div class="sectionbody">
+
+</div>
+</div>
+<div class="sect1">
+<h2 id="_resources">Resources</h2>
+<div class="sectionbody">
+<div class="sect2">
+<h3 id="_documentation">Documentation</h3>
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://www.owasp.org/index.php/HTTP_Response_Splitting">HTTP Response Splitting</a></p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_standards">Standards</h3>
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A1_2017-Injection">Top 10 2017 Category A1 - Injection</a></p>
+</li>
+<li>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring">Top 10 2017 Category A10 - Insufficient Logging & Monitoring</a></p>
+</li>
+<li>
+<p>OWASP - <a href="https://www.owasp.org/Top10/A03_2021-Injection/">Top 10 2021 Category A3 - Injection</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/20">CWE-20 - Improper Input Validation</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/113">CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
--- a/rspec-tools/tests/validation/test_description_validation.py
+++ b/rspec-tools/tests/validation/test_description_validation.py
@ -5,7 +5,8 @@ import pytest
 from rspec_tools.errors import RuleValidationError
 from rspec_tools.rules import RulesRepository
 from rspec_tools.validation.description import validate_section_names, \
-  validate_section_levels, validate_parameters, validate_source_language, validate_subsections
+  validate_section_levels, validate_parameters, validate_source_language, \
+  validate_subsections, validate_security_standard_links


@pytest.fixture
@ -186,3 +187,20 @@ def test_valid_why_is_this_an_issue_subsections_validation(rule_language):
  '''Check that any substitle is considered valid in the "why is this an issue?" section'''
  rule = rule_language('S200', 'java')
  validate_subsections(rule)
+
+def test_valid_security_standard_links(rule_language):
+  '''Check that the security standards links match what is define in th rule metadata'''
+  rule = rule_language('S200', 'python')
+  validate_security_standard_links(rule)
+
+def test_missing_security_standard_links_fails_validation(rule_language):
+  '''Check that the security standards links match what is define in th rule metadata'''
+  rule = rule_language('S200', 'docker')
+  with pytest.raises(RuleValidationError, match=re.escape('Rule docker:S200 has a mismatch for the OWASP security standards. Add links to the Resources/See section ([\'A10\']) or fix the rule metadata')):
+    validate_security_standard_links(rule)
+
+def test_extra_security_standard_links_fails_validation(rule_language):
+  '''Check that the security standards links match what is define in th rule metadata'''
+  rule = rule_language('S200', 'terraform')
+  with pytest.raises(RuleValidationError, match=re.escape('Rule terraform:S200 has a mismatch for the OWASP security standards. Remove links from the Resources/See section ([\'A10\']) or fix the rule metadata')):
+    validate_security_standard_links(rule)
--- a/rules/S106/csharp/rule.adoc
+++ b/rules/S106/csharp/rule.adoc
@ -53,6 +53,7 @@ public class MyClass
 == Resources

 * OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]

 ifdef::env-github,rspecator-view[]

--- a/rules/S1081/cfamily/metadata.json
+++ b/rules/S1081/cfamily/metadata.json
@ -33,6 +33,9 @@
      676,
      119
    ],
+    "OWASP Top 10 2021": [
+      "A6"
+    ],
    "OWASP": [
      "A9"
    ],
--- a/rules/S2073/metadata.json
+++ b/rules/S2073/metadata.json
@ -27,7 +27,7 @@
      780
    ],
    "OWASP": [
-      "A5"
+      "A7"
    ],
    "OWASP Top 10 2021": [
      "A2"
--- a/rules/S2073/rule.adoc
+++ b/rules/S2073/rule.adoc
@ -23,5 +23,5 @@ Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");

 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP]
-* OWASP - https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf[Top 10 2013 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A7 - Security Misconfiguration]

--- a/rules/S2083/common/resources/standards.adoc
+++ b/rules/S2083/common/resources/standards.adoc
@ -5,4 +5,4 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
--- a/rules/S2210/see.adoc
+++ b/rules/S2210/see.adoc
@ -1,3 +1,3 @@
 == Resources

-* OWASP - https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf[Top 10 2013 Category A6 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
--- a/rules/S2819/common/resources/standards.adoc
+++ b/rules/S2819/common/resources/standards.adoc
@ -2,5 +2,6 @@
 === Standards

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/345[CWE-345 - Insufficient Verification of Data Authenticity]
--- a/rules/S2819/javascript/metadata.json
+++ b/rules/S2819/javascript/metadata.json
@ -34,7 +34,8 @@
      345
    ],
    "OWASP": [
-      "A3"
+      "A3",
+      "A5"
    ],
    "OWASP Top 10 2021": [
      "A1"
--- a/rules/S3329/common/resources/standards.adoc
+++ b/rules/S3329/common/resources/standards.adoc
@ -2,7 +2,7 @@

 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/329[CWE-329 - Not Using an Unpredictable IV with CBC Mode]
+* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP]
 * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block  Cipher Modes of Operation 
--- a/rules/S3329/java/metadata.json
+++ b/rules/S3329/java/metadata.json
@ -1,8 +1,5 @@
 {
  "securityStandards": {
-    "CERT": [
-      "MSC61-J."
-    ],
    "CWE": [
      327,
      780
@ -11,12 +8,6 @@
      "A6",
      "A3"
    ],
-    "OWASP Mobile": [
-      "M5"
-    ],
-    "MASVS": [
-      "MSTG-CRYPTO-3"
-    ],
    "OWASP Top 10 2021": [
      "A2"
    ],
@ -33,6 +24,15 @@
      "2.9.3",
      "6.2.2",
      "8.3.7"
+    ],
+    "CERT": [
+      "MSC61-J."
+    ],
+    "OWASP Mobile": [
+      "M5"
+    ],
+    "MASVS": [
+      "MSTG-CRYPTO-3"
    ]
  }
 }
--- a/rules/S3329/java/rule.adoc
+++ b/rules/S3329/java/rule.adoc
@ -21,6 +21,9 @@ include::../common/resources/presentations.adoc[]

 include::../common/resources/standards.adoc[]

+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S3329/kotlin/metadata.json
+++ b/rules/S3329/kotlin/metadata.json
@ -1,8 +1,5 @@
 {
  "securityStandards": {
-    "CERT": [
-      "MSC61-J."
-    ],
    "CWE": [
      327,
      780
@ -11,12 +8,6 @@
      "A6",
      "A3"
    ],
-    "OWASP Mobile": [
-      "M5"
-    ],
-    "MASVS": [
-      "MSTG-CRYPTO-3"
-    ],
    "OWASP Top 10 2021": [
      "A2"
    ],
@ -33,6 +24,15 @@
      "2.9.3",
      "6.2.2",
      "8.3.7"
+    ],
+    "CERT": [
+      "MSC61-J."
+    ],
+    "OWASP Mobile": [
+      "M5"
+    ],
+    "MASVS": [
+      "MSTG-CRYPTO-3"
    ]
  }
 }
--- a/rules/S3329/kotlin/rule.adoc
+++ b/rules/S3329/kotlin/rule.adoc
@ -21,6 +21,9 @@ include::../common/resources/presentations.adoc[]

 include::../common/resources/standards.adoc[]

+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S3329/metadata.json
+++ b/rules/S3329/metadata.json
@ -29,24 +29,29 @@
  "scope": "Main",
  "securityStandards": {
    "CWE": [
-      329
+      327,
+      780
    ],
    "OWASP": [
+      "A6",
      "A3"
    ],
-    "OWASP Mobile": [
-      "M5"
-    ],
-    "MASVS": [
-      "MSTG-CRYPTO-6"
-    ],
    "OWASP Top 10 2021": [
      "A2"
    ],
+    "PCI DSS 3.2": [
+      "4.1",
+      "6.5.3",
+      "6.5.4"
+    ],
+    "PCI DSS 4.0": [
+      "4.2.1",
+      "6.2.4"
+    ],
    "ASVS 4.0": [
-      "2.3.1",
-      "2.6.2",
-      "2.9.2"
+      "2.9.3",
+      "6.2.2",
+      "8.3.7"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S3371/java/rule.adoc
+++ b/rules/S3371/java/rule.adoc
@ -29,7 +29,7 @@ PreparedStatement stmt = null;
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
-* OWASP - https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf[Top 10 2013 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1 - Injection]


 ifdef::env-github,rspecator-view[]
--- a/rules/S3749/java/rule.adoc
+++ b/rules/S3749/java/rule.adoc
@ -36,12 +36,6 @@ public class HelloWorld {
 }
 ----

-
-== Resources
-
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-
-
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S3752/java/rule.adoc
+++ b/rules/S3752/java/rule.adoc
@ -37,7 +37,7 @@ String delete2(@RequestParam("id") String id) {

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
 * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery]
 * https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html#csrf-use-proper-verbs[Spring Security Official Documentation: Use proper HTTP verbs (CSRF protection)]
--- a/rules/S3752/python/rule.adoc
+++ b/rules/S3752/python/rule.adoc
@ -80,7 +80,7 @@ def view():

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
 * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery]
 * https://docs.djangoproject.com/en/3.1/topics/http/decorators/#allowed-http-methods[Django] - Allowed HTTP Methods
--- a/rules/S4423/azureresourcemanager/rule.adoc
+++ b/rules/S4423/azureresourcemanager/rule.adoc
@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[]

 include::../common/resources/presentations.adoc[]

-include::../common/resources/standards.adoc[]
+include::../common/resources/standards_iac.adoc[]


 ifdef::env-github,rspecator-view[]
--- a/rules/S4423/cloudformation/rule.adoc
+++ b/rules/S4423/cloudformation/rule.adoc
@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[]

 include::../common/resources/presentations.adoc[]

-include::../common/resources/standards.adoc[]
+include::../common/resources/standards_iac.adoc[]


 ifdef::env-github,rspecator-view[]
--- a/rules/S4423/common/resources/standards.adoc
+++ b/rules/S4423/common/resources/standards.adoc
@ -1,5 +1,7 @@
 === Standards

 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
--- a/rules/S4423/common/resources/standards_iac.adoc
+++ b/rules/S4423/common/resources/standards_iac.adoc
@ -0,0 +1,3 @@
+=== Standards
+
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
--- a/rules/S4423/docker/rule.adoc
+++ b/rules/S4423/docker/rule.adoc
@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[]

 include::../common/resources/presentations.adoc[]

-include::../common/resources/standards.adoc[]
+include::../common/resources/standards_iac.adoc[]


 ifdef::env-github,rspecator-view[]
--- a/rules/S4423/terraform/rule.adoc
+++ b/rules/S4423/terraform/rule.adoc
@ -25,7 +25,7 @@ include::../common/resources/articles.adoc[]

 include::../common/resources/presentations.adoc[]

-include::../common/resources/standards.adoc[]
+include::../common/resources/standards_iac.adoc[]


 ifdef::env-github,rspecator-view[]
--- a/rules/S4507/xml/rule.adoc
+++ b/rules/S4507/xml/rule.adoc
@ -77,8 +77,10 @@ In a `web.config` file, the `customErrors` element's `mode` attribute is set to
 == See

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 * CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
 * https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
 * https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling
--- a/rules/S4639/java/metadata.json
+++ b/rules/S4639/java/metadata.json
@ -8,12 +8,15 @@
      "IDS04-J."
    ],
    "CWE": [
-      409
+      20,
+      22
    ],
    "OWASP": [
+      "A5",
      "A1"
    ],
    "OWASP Top 10 2021": [
+      "A1",
      "A3"
    ],
    "ASVS 4.0": [
--- a/rules/S4639/java/rule.adoc
+++ b/rules/S4639/java/rule.adoc
@ -46,9 +46,12 @@ public static void sanitizeAgainstZipFlipVulnerability(String fileName, String c

 == Resources

+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
-* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
 * https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream[CERT, IDS04-J.] - Safely extract files from ZipInputStream
 * Snyk Research Team: https://snyk.io/research/zip-slip-vulnerability[Zip Slip Vulnerability]
 * https://nvd.nist.gov/vuln/detail/CVE-2016-0709
--- a/rules/S4639/see.adoc
+++ b/rules/S4639/see.adoc
@ -1,8 +1,11 @@
 == Resources

+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
-* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
 * Snyk Research Team: https://snyk.io/research/zip-slip-vulnerability[Zip Slip Vulnerability]
 * https://nvd.nist.gov/vuln/detail/CVE-2016-0709
 * https://nvd.nist.gov/vuln/detail/CVE-2017-5946
--- a/rules/S5042/cfamily/rule.adoc
+++ b/rules/S5042/cfamily/rule.adoc
@ -105,7 +105,8 @@ int f(const char *filename, int flags) {

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb

--- a/rules/S5042/java/rule.adoc
+++ b/rules/S5042/java/rule.adoc
@ -73,7 +73,8 @@ while(entries.hasMoreElements()) {

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream[CERT, IDS04-J.] - Safely extract files from ZipInputStream
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb
--- a/rules/S5042/javascript/rule.adoc
+++ b/rules/S5042/javascript/rule.adoc
@ -286,7 +286,8 @@ main();

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb

--- a/rules/S5042/php/rule.adoc
+++ b/rules/S5042/php/rule.adoc
@ -156,7 +156,8 @@ zip_close($zip);

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb

--- a/rules/S5042/see.adoc
+++ b/rules/S5042/see.adoc
@ -2,6 +2,7 @@

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb
--- a/rules/S5144/common/resources/standards.adoc
+++ b/rules/S5144/common/resources/standards.adoc
@ -3,4 +3,4 @@
 * OWASP - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/[Top 10 2021 Category A10 - Server-Side Request Forgery (SSRF)]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/918[CWE-918 - Server-Side Request Forgery (SSRF)]
+* CWE - https://cwe.mitre.org/data/definitions/918[CWE-918 - Server-Side Request Forgery (SSRF)]
--- a/rules/S5146/common/resources/standards.adoc
+++ b/rules/S5146/common/resources/standards.adoc
@ -3,4 +3,4 @@
 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/601[CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')]
+* CWE - https://cwe.mitre.org/data/definitions/601[CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')]
--- a/rules/S5332/cloudformation/rule.adoc
+++ b/rules/S5332/cloudformation/rule.adoc
@ -193,7 +193,14 @@ Resources:
          InCluster: true
 ----

-include::../see.adoc[]
+== See
+
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
+* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
+* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
+* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption

 ifdef::env-github,rspecator-view[]

--- a/rules/S5332/terraform/rule.adoc
+++ b/rules/S5332/terraform/rule.adoc
@ -210,7 +210,14 @@ resource "google_compute_region_backend_service" "example" {

 include::../exceptions.adoc[]

-include::../see.adoc[]
+== See
+
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
+* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
+* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
+* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption

 ifdef::env-github,rspecator-view[]

--- a/rules/S5344/metadata.json
+++ b/rules/S5344/metadata.json
@ -34,8 +34,6 @@
      916
    ],
    "OWASP": [
-      "A2",
-      "A6",
      "A3"
    ],
    "OWASP Top 10 2021": [
--- a/rules/S5542/common/resources/standards.adoc
+++ b/rules/S5542/common/resources/standards.adoc
@ -1,5 +1,6 @@
 === Standards

 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
--- a/rules/S5547/common/resources/standards.adoc
+++ b/rules/S5547/common/resources/standards.adoc
@ -2,4 +2,5 @@

 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
--- a/rules/S5604/xml/rule.adoc
+++ b/rules/S5604/xml/rule.adoc
@ -30,6 +30,7 @@ In AndroidManifest.xml:
 == See

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
 * CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
--- a/rules/S5725/see.adoc
+++ b/rules/S5725/see.adoc
@ -2,6 +2,6 @@

 * OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
 * CWE - https://cwe.mitre.org/data/definitions/353[CWE-353 - Missing Support for Integrity Check]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity[developer.mozilla.org] - Subresource Integrity
 * https://en.wikipedia.org/wiki/Watering_hole_attack[Wikipedia, Watering Hole Attacks]
--- a/rules/S5728/see.adoc
+++ b/rules/S5728/see.adoc
@ -2,5 +2,5 @@

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://www.w3.org/TR/CSP3/[w3.org] - Content Security Policy Level 3
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[developer.mozilla.org] - Content Security Policy (CSP)
--- a/rules/S5730/see.adoc
+++ b/rules/S5730/see.adoc
@ -1,7 +1,7 @@
 == See

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content[developer.mozilla.org] - Mixed-content
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[developer.mozilla.org] - Content Security Policy (CSP)
 * https://www.w3.org/TR/CSP3/[w3.org] - Content Security Policy Level 3
--- a/rules/S5732/see.adoc
+++ b/rules/S5732/see.adoc
@ -2,7 +2,7 @@

 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html[OWASP Cheat Sheets] - Clickjacking Defense Cheat Sheet
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors[developer.mozilla.org] - Frame-ancestors
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[developer.mozilla.org] - Content Security Policy (CSP)
--- a/rules/S5734/see.adoc
+++ b/rules/S5734/see.adoc
@ -1,6 +1,6 @@
 == See

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options[developer.mozilla.org] - X-Content-Type-Options
 * https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/[blog.mozilla.org] - Mitigating MIME Confusion Attacks in Firefox
--- a/rules/S5736/see.adoc
+++ b/rules/S5736/see.adoc
@ -1,7 +1,7 @@
 == See

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy[developer.mozilla.org] - Referrer-Policy
 * https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns[developer.mozilla.org] - Referer header: privacy and security concerns
 * CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
--- a/rules/S5739/see.adoc
+++ b/rules/S5739/see.adoc
@ -1,5 +1,5 @@
 == See

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[developer.mozilla.org] - Strict Transport Security
--- a/rules/S5742/see.adoc
+++ b/rules/S5742/see.adoc
@ -1,6 +1,6 @@
 == See

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency[developer.mozilla.org] - Certificate Transparency
 * https://en.wikipedia.org/wiki/Certificate_authority[wikipedia.org] - Certificate Authority
--- a/rules/S5743/see.adoc
+++ b/rules/S5743/see.adoc
@ -1,6 +1,6 @@
 == See

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control[developer.mozilla.org] - X-DNS-Prefetch-Control
 * https://developer.mozilla.org/en-US/docs/Web/Performance/dns-prefetch[developer.mozilla.org] - Using dns-prefetch
--- a/rules/S5750/see.adoc
+++ b/rules/S5750/see.adoc
@ -3,5 +3,5 @@
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/525[CWE-525 - Use of Web Browser Cache Containing Sensitive Information]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control[developer.mozilla.org] - Cache-Control
--- a/rules/S5757/see.adoc
+++ b/rules/S5757/see.adoc
@ -2,4 +2,4 @@

 * OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
 * CWE - https://cwe.mitre.org/data/definitions/532[CWE-532 - Insertion of Sensitive Information into Log File]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
--- a/rules/S5759/see.adoc
+++ b/rules/S5759/see.adoc
@ -1,5 +1,5 @@
 == See

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For[developer.mozilla.org] - X-Forwarded-For
--- a/rules/S5782/cfamily/metadata.json
+++ b/rules/S5782/cfamily/metadata.json
@ -39,6 +39,9 @@
    "OWASP": [
      "A9"
    ],
+    "OWASP Top 10 2021": [
+      "A6"
+    ],
    "CERT": [
      "STR50-CPP.",
      "ARR30-C."
--- a/rules/S5802/see.adoc
+++ b/rules/S5802/see.adoc
@ -1,7 +1,7 @@
 == See

 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/243[CWE-243 - Creation of chroot Jail Without Changing Working Directory]
 * https://man7.org/linux/man-pages/man2/chdir.2.html[man7.org] - chdir
 * https://man7.org/linux/man-pages/man2/chroot.2.html[man7.org] - chroot
--- a/rules/S5804/see.adoc
+++ b/rules/S5804/see.adoc
@ -1,5 +1,5 @@
 == See

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
 * CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
--- a/rules/S5832/cfamily/rule.adoc
+++ b/rules/S5832/cfamily/rule.adoc
@ -54,7 +54,7 @@ The account validity is checked with ``++pam_acct_mgmt++`` when authenticating a
 === Standards

 * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/304[CWE-304 - Missing Critical Step in Authentication]


--- a/rules/S5876/common/resources/standards.adoc
+++ b/rules/S5876/common/resources/standards.adoc
@ -1,6 +1,6 @@
 === Standards

 * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
 * https://owasp.org/www-community/attacks/Session_fixation[OWASP Sesssion Fixation]
 * CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation]
--- a/rules/S5982/cfamily/rule.adoc
+++ b/rules/S5982/cfamily/rule.adoc
@ -49,7 +49,7 @@ if(fchdir(fd) == -1) {
 == See

 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/252[CWE-252 - Unchecked Return Value]
 * https://man7.org/linux/man-pages/man2/chdir.2.html[man7.org] - chdir

@ -61,7 +61,7 @@ ifdef::env-github,rspecator-view[]

 === Message

-Make sure that changing the current working directory without verifying the success if safe here.
+Make sure that changing the current working directory without verifying the success is safe here.


 endif::env-github,rspecator-view[]
--- a/rules/S6245/see.adoc
+++ b/rules/S6245/see.adoc
@ -1,8 +1,3 @@
 == See

-* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html[AWS documentation] - Protecting data using server-side encryption
--- a/rules/S6249/see.adoc
+++ b/rules/S6249/see.adoc
@ -1,9 +1,5 @@
 == See

-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#transit[AWS documentation] - Enforce encryption of data in transit
 * https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5[AWS Foundational Security Best Practices controls] - S3 buckets should require requests to use Secure Socket Layer
 * CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
--- a/rules/S6252/see.adoc
+++ b/rules/S6252/see.adoc
@ -1,5 +1,3 @@
 == See

-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html[AWS documentation] - Using versioning in S3 buckets
--- a/rules/S6255/terraform/rule.adoc
+++ b/rules/S6255/terraform/rule.adoc
@ -85,10 +85,8 @@ resource "aws_s3_bucket_versioning" "example" {

 == See

-* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[AWS documentation] - Configuring MFA delete
 * CWE - https://cwe.mitre.org/data/definitions/308[CWE-308 - Use of Single-factor Authentication]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication ]

 ifdef::env-github,rspecator-view[]

--- a/rules/S6258/see.adoc
+++ b/rules/S6258/see.adoc
@ -1,6 +1,4 @@
 == See

-* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html[AWS Documentation] - Logging requests using server access logging
 * CWE - https://cwe.mitre.org/data/definitions/778[CWE-778 - Insufficient Logging]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
--- a/rules/S6265/see.adoc
+++ b/rules/S6265/see.adoc
@ -1,8 +1,6 @@
 == See

-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl[AWS Documentation] - Access control list (ACL) overview (canned ACLs)
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html[AWS Documentation] - Controlling access to a bucket with user policies
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
--- a/rules/S6270/see.adoc
+++ b/rules/S6270/see.adoc
@ -1,7 +1,5 @@
 == See

-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege[AWS Documentation] - Grant least privilege
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
--- a/rules/S6275/see.adoc
+++ b/rules/S6275/see.adoc
@ -1,8 +1,4 @@
 == See

-* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html[Amazon EBS encryption]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
--- a/rules/S6281/see.adoc
+++ b/rules/S6281/see.adoc
@ -1,7 +1,4 @@
 == See

-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html[AWS Documentation] - Blocking public access to your Amazon S3 storage
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
--- a/rules/S6287/common/resources/standards.adoc
+++ b/rules/S6287/common/resources/standards.adoc
@ -3,4 +3,4 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation]
+* CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation]
--- a/rules/S6291/see.adoc
+++ b/rules/S6291/see.adoc
@ -3,8 +3,8 @@
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard] - Data Storage and Privacy Requirements
+* https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2] - Insecure Data Storage
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
--- a/rules/S6301/common/resources/standards.adoc
+++ b/rules/S6301/common/resources/standards.adoc
@ -7,4 +7,4 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
-* CWE - https://cwe.mitre.org/data/definitions/321[CWE-321 - Use of Hard-coded Cryptographic Key]
+* CWE - https://cwe.mitre.org/data/definitions/321[CWE-321 - Use of Hard-coded Cryptographic Key]
--- a/rules/S6302/see.adoc
+++ b/rules/S6302/see.adoc
@ -1,8 +1,6 @@
 == See

-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege[AWS Documentation] - Grant least privilege
 * https://cloud.google.com/iam/docs/understanding-roles[Google Cloud Documentation] - Understanding roles
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
--- a/rules/S6304/see.adoc
+++ b/rules/S6304/see.adoc
@ -1,7 +1,5 @@
 == See

-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege[AWS Documentation] - Grant least privilege
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
--- a/rules/S6308/elasticsearch_see.adoc
+++ b/rules/S6308/elasticsearch_see.adoc
@ -1,9 +1,4 @@
 == See

-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html[AWS Documentation] - Encryption of data at rest for Amazon Elasticsearch Service
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
--- a/rules/S6308/opensearch_see.adoc
+++ b/rules/S6308/opensearch_see.adoc
@ -1,9 +1,4 @@
 == See

-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html[AWS Documentation] - Encryption of data at rest for Amazon OpenSearch Service
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
--- a/rules/S6317/common/resources/standards.adoc
+++ b/rules/S6317/common/resources/standards.adoc
@ -1,5 +1,3 @@
 === Standards

-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
-* CWE - https://cwe.mitre.org/data/definitions/284[CWE-269 - Improper Privilege Management]
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-269 - Improper Privilege Management]
--- a/rules/S6319/see.adoc
+++ b/rules/S6319/see.adoc
@ -1,9 +1,4 @@
 == See

-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html[Protect Data at Rest Using Encryption]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
--- a/rules/S6321/common/resources/standards.adoc
+++ b/rules/S6321/common/resources/standards.adoc
@ -1,5 +1,3 @@
 === Standards

 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
--- a/rules/S6327/see.adoc
+++ b/rules/S6327/see.adoc
@ -1,10 +1,5 @@
 == See

-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html[AWS Documentation] - Encryption at rest
 * https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/[Encrypting messages published to Amazon SNS with AWS KMS]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
--- a/rules/S6329/see.adoc
+++ b/rules/S6329/see.adoc
@ -1,9 +1,7 @@
 == See

-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html[AWS Documentation] - Amazon EC2 instance IP addressing
 * https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html[AWS Documentation] - Public and private replication instances
 * https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html[AWS Documentation] - VPC Peering
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
--- a/rules/S6330/see.adoc
+++ b/rules/S6330/see.adoc
@ -1,9 +1,4 @@
 == See

-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html[AWS Documentation] - Encryption at rest
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
--- a/rules/S6332/see.adoc
+++ b/rules/S6332/see.adoc
@ -1,9 +1,4 @@
 == See

-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/efs/latest/ug/encryption.html[AWS Documentation] - Data encryption in Amazon EFS
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
--- a/rules/S6333/see.adoc
+++ b/rules/S6333/see.adoc
@ -1,6 +1,4 @@
 == See

 * https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html[AWS Documentation] - Controlling and managing access to a REST API in API Gateway
-* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
--- a/rules/S6341/php/rule.adoc
+++ b/rules/S6341/php/rule.adoc
@ -49,4 +49,4 @@ define( 'DISALLOW_FILE_EDIT', true );
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
 * CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code ('Code Injection')]
-* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
+* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
--- a/rules/S6346/php/rule.adoc
+++ b/rules/S6346/php/rule.adoc
@ -33,4 +33,4 @@ define( 'WP_ALLOW_REPAIR', false );
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * https://wordpress.org/support/article/editing-wp-config-php/#automatic-database-optimizing[wordpress.org] - Automatic Database Optimizing
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
--- a/Show More
+++ b/Show More