Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914)

* Update JSON schema to include STIG ASD 2023-06-08 mapping * Update rules to add STIG metadata mappings --------- Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
2024-05-06 07:56:31 +01:00 · 2024-05-06 07:56:31 +01:00 · 9ee16daa47
commit 9ee16daa47
parent 9f471b6739
321 changed files with 1372 additions and 361 deletions
--- a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
+++ b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
@ -218,6 +218,15 @@
            "pattern": "^\\d+\\.\\d+\\.\\d+$"
          },
          "uniqueItems": true 
+        },
+        "STIG ASD 2023-06-08": {
+          "type": "array",
+          "minItems": 0,
+          "items": {
+            "type": "string",
+            "pattern": "^V-\\d+$"
+          },
+          "uniqueItems": true
        }
      }
    },
--- a/rules/S1079/cfamily/metadata.json
+++ b/rules/S1079/cfamily/metadata.json
@ -45,6 +45,9 @@
    "ASVS 4.0": [
      "14.1.2",
      "5.4.1"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S1079/cfamily/rule.adoc
+++ b/rules/S1079/cfamily/rule.adoc
@ -50,6 +50,7 @@ If this code is given the word ``noncompliant`` as an input, ``noncompli␀`` wi
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input] ('Classic Buffer Overflow')
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.


 ifdef::env-github,rspecator-view[]
--- a/rules/S1081/cfamily/metadata.json
+++ b/rules/S1081/cfamily/metadata.json
@ -41,6 +41,9 @@
    ],
    "CERT": [
      "STR07-C."
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S1081/common/resources/standards.adoc
+++ b/rules/S1081/common/resources/standards.adoc
@ -5,3 +5,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
 * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
--- a/rules/S1913/cfamily/metadata.json
+++ b/rules/S1913/cfamily/metadata.json
@ -24,6 +24,11 @@
  "ruleSpecification": "RSPEC-1913",
  "sqKey": "S1913",
  "scope": "Main",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222612"
+    ]
+  },
  "defaultQualityProfiles": [
    "Sonar way"
  ],
--- a/rules/S1913/cfamily/rule.adoc
+++ b/rules/S1913/cfamily/rule.adoc
@ -45,6 +45,10 @@ void function() {

 * {cpp} reference - https://en.cppreference.com/w/cpp/language/sizeof[`sizeof` operator]

+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S2053/common/resources/standards.adoc
+++ b/rules/S2053/common/resources/standards.adoc
@ -4,4 +4,5 @@
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/759[CWE-759 - Use of a One-Way Hash without a Salt]
 * CWE - https://cwe.mitre.org/data/definitions/760[CWE-760 - Use of a One-Way Hash with a Predictable Salt]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.

--- a/rules/S2053/metadata.json
+++ b/rules/S2053/metadata.json
@ -43,6 +43,9 @@
    ],
    "PCI DSS 4.0": [
      "6.2.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222542"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2076/common/resources/standards.adoc
+++ b/rules/S2076/common/resources/standards.adoc
@ -4,3 +4,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222604[Application Security and Development: V-222604] - The application must protect from command injection.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S2076/metadata.json
+++ b/rules/S2076/metadata.json
@ -49,6 +49,10 @@
      "5.1.3",
      "5.1.4",
      "5.3.8"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222604",
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2078/common/resources/standards.adoc
+++ b/rules/S2078/common/resources/standards.adoc
@ -6,3 +6,5 @@
 * https://www.ietf.org/rfc/rfc4515.txt[RFC 4515] - LDAP: String Representation of Search Filters
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/90[CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S2078/java/metadata.json
+++ b/rules/S2078/java/metadata.json
@ -27,6 +27,9 @@
      "5.1.3",
      "5.1.4",
      "5.3.7"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
    ]
  }
 }
--- a/rules/S2078/metadata.json
+++ b/rules/S2078/metadata.json
@ -48,6 +48,9 @@
      "5.1.3",
      "5.1.4",
      "5.3.7"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2083/common/resources/standards.adoc
+++ b/rules/S2083/common/resources/standards.adoc
@ -6,3 +6,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S2083/metadata.json
+++ b/rules/S2083/metadata.json
@ -50,6 +50,9 @@
      "12.3.1",
      "5.1.3",
      "5.1.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2091/common/resources/standards.adoc
+++ b/rules/S2091/common/resources/standards.adoc
@ -4,3 +4,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/643[CWE-643 - Improper Neutralization of Data within XPath Expressions]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S2091/java/metadata.json
+++ b/rules/S2091/java/metadata.json
@ -27,6 +27,10 @@
      "5.1.3",
      "5.1.4",
      "5.3.10"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608",
+      "V-222609"
    ]
  }
 }
--- a/rules/S2091/metadata.json
+++ b/rules/S2091/metadata.json
@ -48,6 +48,10 @@
      "5.1.3",
      "5.1.4",
      "5.3.10"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608",
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2092/metadata.json
+++ b/rules/S2092/metadata.json
@ -52,6 +52,9 @@
      "6.1.1",
      "6.1.2",
      "6.1.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222576"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2092/see.adoc
+++ b/rules/S2092/see.adoc
@ -6,3 +6,5 @@
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
 * CWE - https://cwe.mitre.org/data/definitions/315[CWE-315 - Cleartext Storage of Sensitive Information in a Cookie]
 * CWE - https://cwe.mitre.org/data/definitions/614[CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222576[Application Security and Development: V-222576] - The application must set the secure flag on session cookies.
+
--- a/rules/S2184/cfamily/metadata.json
+++ b/rules/S2184/cfamily/metadata.json
@ -18,6 +18,9 @@
    ],
    "ASVS 4.0": [
      "5.4.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  }
 }
--- a/rules/S2184/cfamily/rule.adoc
+++ b/rules/S2184/cfamily/rule.adoc
@ -33,9 +33,13 @@ void compliant2() {

 == Resources

+=== Standards
+
 * MISRA {cpp}:2008, 5-0-8 - An explicit integral or floating-point conversion shall not increase the size of the underlying type of a cvalue expression.
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S2184/csharp/rule.adoc
+++ b/rules/S2184/csharp/rule.adoc
@ -30,7 +30,10 @@ static void Method(float f) { }

 == Resources

+=== Standards
+
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.


 ifdef::env-github,rspecator-view[]
--- a/rules/S2184/java/metadata.json
+++ b/rules/S2184/java/metadata.json
@ -14,6 +14,9 @@
    ],
    "ASVS 4.0": [
      "5.4.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  }
 }
--- a/rules/S2184/java/rule.adoc
+++ b/rules/S2184/java/rule.adoc
@ -62,9 +62,13 @@ public float compute2(float factor){

 == Resources

+=== Standards
+
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 * https://wiki.sei.cmu.edu/confluence/x/AjdGBQ[CERT, NUM50-J.] - Convert integers to floating point for floating-point operations
 * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S2184/metadata.json
+++ b/rules/S2184/metadata.json
@ -34,6 +34,9 @@
    ],
    "ASVS 4.0": [
      "5.4.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2226/java/metadata.json
+++ b/rules/S2226/java/metadata.json
@ -32,6 +32,9 @@
  "securityStandards": {
    "CERT": [
      "MSC11-J."
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222567"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2226/java/rule.adoc
+++ b/rules/S2226/java/rule.adoc
@ -169,6 +169,11 @@ public class MyServlet extends HttpServlet {
 * https://www.devinline.com/2013/08/how-to-make-thread-safe-servlet.html[Nikhil Ranjan: How to make thread safe servlet ?]
 * https://objectcomputing.com/resources/publications/sett/april-2000-tips-for-creating-thread-safe-code-avoiding-race-conditions[Object Computing: Tips for creating thread-safe code]

+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
+
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S2254/java/metadata.json
+++ b/rules/S2254/java/metadata.json
@ -16,8 +16,12 @@
    "cwe"
  ],
  "extra": {
-    "replacementRules": [],
-    "legacyKeys": []
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
  },
  "defaultSeverity": "Critical",
  "ruleSpecification": "RSPEC-2254",
@ -32,10 +36,13 @@
    ],
    "OWASP Top 10 2021": [
      "A4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222582"
    ]
  },
  "defaultQualityProfiles": [
    "Sonar way"
  ],
  "quickfix": "unknown"
-}
+}
--- a/rules/S2254/java/rule.adoc
+++ b/rules/S2254/java/rule.adoc
@ -64,6 +64,7 @@ The compliant example instead uses the server's session ID to verify if the sess
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
 * CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs.


 ifdef::env-github,rspecator-view[]
--- a/rules/S2435/cfamily/metadata.json
+++ b/rules/S2435/cfamily/metadata.json
@ -12,6 +12,9 @@
    ],
    "OWASP Top 10 2021": [
      "A3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608"
    ]
  }
 }
--- a/rules/S2435/cfamily/rule.adoc
+++ b/rules/S2435/cfamily/rule.adoc
@ -4,10 +4,14 @@ include::../rule-except-see.adoc[]

 == Resources

+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S2435/java/metadata.json
+++ b/rules/S2435/java/metadata.json
@ -15,6 +15,9 @@
    ],
    "OWASP Top 10 2021": [
      "A3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608"
    ]
  }
 }
--- a/rules/S2435/java/rule.adoc
+++ b/rules/S2435/java/rule.adoc
@ -4,11 +4,15 @@ include::../rule-except-see.adoc[]

 == Resources

+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
 * https://wiki.sei.cmu.edu/confluence/x/7jdGBQ[CERT, IDS51-J.] - Properly encode or escape output
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S2435/metadata.json
+++ b/rules/S2435/metadata.json
@ -7,6 +7,7 @@
    "constantCost": "15min"
  },
  "tags": [
+
  ],
  "extra": {
    "replacementRules": [
@ -30,6 +31,9 @@
    ],
    "OWASP Top 10 2021": [
      "A3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2612/cfamily/metadata.json
+++ b/rules/S2612/cfamily/metadata.json
@ -27,6 +27,9 @@
    ],
    "ASVS 4.0": [
      "4.3.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222430"
    ]
  }
 }
--- a/rules/S2612/cfamily/rule.adoc
+++ b/rules/S2612/cfamily/rule.adoc
@ -64,6 +64,8 @@ umask(S_IRWXO); // Compliant: further created files or directories will not have
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 -  Incorrect Privilege Assignment]
 * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S2612/docker/metadata.json
+++ b/rules/S2612/docker/metadata.json
@ -5,19 +5,28 @@
  ],
  "securityStandards": {
    "CERT": [
+
    ],
    "CWE": [
      732
    ],
    "OWASP": [
+
    ],
    "OWASP Top 10 2021": [
+
    ],
    "PCI DSS 3.2": [
+
    ],
    "PCI DSS 4.0": [
+
    ],
    "ASVS 4.0": [
+
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222430"
    ]
  },
  "quickfix": "unknown"
--- a/rules/S2612/docker/rule.adoc
+++ b/rules/S2612/docker/rule.adoc
@ -45,6 +45,8 @@ RUN chmod +t resource
 * https://docs.docker.com/engine/reference/builder/#copy[COPY] - Docker COPY command
 * https://man.archlinux.org/man/core/man-pages/chmod.1p.en[chmod reference] - `chmod` command
 * https://man.archlinux.org/man/chown.1.en[chown reference] - `chown` command
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S2612/java/metadata.json
+++ b/rules/S2612/java/metadata.json
@ -27,6 +27,9 @@
    ],
    "ASVS 4.0": [
      "4.3.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222430"
    ]
  },
  "quickfix": "unknown"
--- a/rules/S2612/java/rule.adoc
+++ b/rules/S2612/java/rule.adoc
@ -72,6 +72,8 @@ On operating systems that implement POSIX standard. This will throw a ``++Unsupp
 * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 -  Incorrect Privilege Assignment]
 * https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions[CERT, FIO01-J.] - Create files with appropriate access permissions
 * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S2612/metadata.json
+++ b/rules/S2612/metadata.json
@ -47,6 +47,9 @@
    ],
    "ASVS 4.0": [
      "4.3.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222430"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2612/see.adoc
+++ b/rules/S2612/see.adoc
@ -6,3 +6,5 @@
 * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission[OWASP File Permission]
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 -  Incorrect Privilege Assignment]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
--- a/rules/S2631/common/resources/standards.adoc
+++ b/rules/S2631/common/resources/standards.adoc
@ -5,3 +5,7 @@
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
 * CWE - https://cwe.mitre.org/data/definitions/1333[CWE-1333 - Inefficient Regular Expression Complexity]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222594[Application Security and Development: V-222594] - The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+
--- a/rules/S2631/metadata.json
+++ b/rules/S2631/metadata.json
@ -50,6 +50,11 @@
      "12.1.1",
      "5.1.3",
      "5.1.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222594",
+      "V-222609",
+      "V-222667"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2647/common/resources/standards.adoc
+++ b/rules/S2647/common/resources/standards.adoc
@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html#user-authentication[OWASP Web Service Security Cheat Sheet]
 * CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222533[Application Security and Development: V-222533] - The application must authenticate all network connected endpoint devices before establishing any connection.
+
--- a/rules/S2647/metadata.json
+++ b/rules/S2647/metadata.json
@ -12,10 +12,16 @@
    "func": "Constant\/Issue",
    "constantCost": "2h"
  },
-  "tags": [],
+  "tags": [
+
+  ],
  "extra": {
-    "replacementRules": [],
-    "legacyKeys": []
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
  },
  "defaultSeverity": "Critical",
  "ruleSpecification": "RSPEC-2647",
@ -39,8 +45,13 @@
    ],
    "ASVS 4.0": [
      "2.10.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222533"
    ]
  },
-  "defaultQualityProfiles": [],
+  "defaultQualityProfiles": [
+
+  ],
  "quickfix": "unknown"
-}
+}
--- a/rules/S2696/common/resources/standards.adoc
+++ b/rules/S2696/common/resources/standards.adoc
@ -0,0 +1,4 @@
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
--- a/rules/S2696/csharp/rule.adoc
+++ b/rules/S2696/csharp/rule.adoc
@ -40,6 +40,9 @@ interface MyInterface

 * https://www.c-sharpcorner.com/UploadFile/1d42da/race-conditions-in-threading-C-Sharp/[Race Conditions in C#]

+include::../common/resources/standards.adoc[]
+
+
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S2696/java/rule.adoc
+++ b/rules/S2696/java/rule.adoc
@ -22,6 +22,11 @@ public class MyClass {
 ----


+== Resources
+
+include::../common/resources/standards.adoc[]
+
+
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S2696/metadata.json
+++ b/rules/S2696/metadata.json
@ -27,6 +27,11 @@
  "ruleSpecification": "RSPEC-2696",
  "sqKey": "S2696",
  "scope": "Main",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222567"
+    ]
+  },
  "defaultQualityProfiles": [
    "Sonar way"
  ],
--- a/rules/S2755/common/resources/standards.adoc
+++ b/rules/S2755/common/resources/standards.adoc
@ -4,4 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Information Exposure Through XML External Entity Reference]
 * CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.

--- a/rules/S2755/metadata.json
+++ b/rules/S2755/metadata.json
@ -46,6 +46,9 @@
    ],
    "ASVS 4.0": [
      "5.5.2"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2885/java/metadata.json
+++ b/rules/S2885/java/metadata.json
@ -19,6 +19,11 @@
  "ruleSpecification": "RSPEC-2885",
  "sqKey": "S2885",
  "scope": "Main",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222567"
+    ]
+  },
  "defaultQualityProfiles": [
    "Sonar way"
  ],
--- a/rules/S2885/java/rule.adoc
+++ b/rules/S2885/java/rule.adoc
@ -48,12 +48,18 @@ public class MyClass {
 ----

 == Resources
+
 === Articles & blog posts

 * https://web.mit.edu/6.005/www/fa14/classes/18-thread-safety/[MIT - Thread safety]
 * https://www.baeldung.com/java-thread-safety[Baeldung - Thread safety]
 * https://www.baeldung.com/java-static[Baeldung - Static]

+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
+
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S2886/java/metadata.json
+++ b/rules/S2886/java/metadata.json
@ -23,6 +23,9 @@
  "securityStandards": {
    "CERT": [
      "VNA01-J."
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222567"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S2886/java/rule.adoc
+++ b/rules/S2886/java/rule.adoc
@ -82,15 +82,17 @@ public class Person {
 * https://docs.oracle.com/javase/tutorial/essential/concurrency/syncmeth.html[Oracle Java - Synchronized Methods]
 * https://docs.oracle.com/javase/specs/jls/se20/html/jls-8.html#jls-8.4.3.6[Oracle SE 20 - Synchronized Methods]

-=== Standards
-
-* https://wiki.sei.cmu.edu/confluence/x/4jdGBQ[CERT, VNA01-J.] - Ensure visibility of shared references to immutable objects
-
 === Articles & blog posts

 * https://web.mit.edu/6.005/www/fa14/classes/18-thread-safety/[MIT - Thread safety]
 * https://www.baeldung.com/java-thread-safety[Baeldung - Thread safety]

+=== Standards
+
+* https://wiki.sei.cmu.edu/confluence/x/4jdGBQ[CERT, VNA01-J.] - Ensure visibility of shared references to immutable objects
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
+
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S3330/metadata.json
+++ b/rules/S3330/metadata.json
@ -46,6 +46,9 @@
    ],
    "ASVS 4.0": [
      "3.4.2"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222575"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S3330/see.adoc
+++ b/rules/S3330/see.adoc
@ -4,4 +4,6 @@
 * https://owasp.org/www-community/HttpOnly[OWASP HttpOnly]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * CWE - https://cwe.mitre.org/data/definitions/1004[CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag]
-* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE[HTTPONLY_COOKIE]
+* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE[HTTPONLY_COOKIE]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222575[Application Security and Development: V-222575] - The application must set the HTTPOnly flag on session cookies.
+
--- a/rules/S3518/cfamily/metadata.json
+++ b/rules/S3518/cfamily/metadata.json
@ -16,6 +16,9 @@
    ],
    "CWE": [
      369
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  }
 }
--- a/rules/S3518/cfamily/rule.adoc
+++ b/rules/S3518/cfamily/rule.adoc
@ -138,6 +138,7 @@ std::optional<int> safe_division(int a, int b) {
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow[INT32-C. Ensure that operations on signed integers do not result in overflow]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/ftYxBQ[INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors]
 * CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.

 === External coding guidelines

--- a/rules/S3518/java/metadata.json
+++ b/rules/S3518/java/metadata.json
@ -12,6 +12,9 @@
    ],
    "CWE": [
      369
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  }
 }
--- a/rules/S3518/java/rule.adoc
+++ b/rules/S3518/java/rule.adoc
@ -59,16 +59,15 @@ void test_divide() {
 === Documentation

 * https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/ArithmeticException.html[ArithmeticException]
-
-=== Articles & blog posts
-
-* CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
-* https://wiki.sei.cmu.edu/confluence/x/CTZGBQ[CERT, NUM02-J.] - Ensure that division and remainder operations do not result in divide-by-zero errors
+* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.2[The Division Operator in the JLS]
+* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.3[The Remainder Operator in the JLS]

 === Standards

-* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.2[The Division Operator in the JLS]
-* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.3[The Remainder Operator in the JLS]
+* CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
+* https://wiki.sei.cmu.edu/confluence/x/CTZGBQ[CERT, NUM02-J.] - Ensure that division and remainder operations do not result in divide-by-zero errors
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S3518/metadata.json
+++ b/rules/S3518/metadata.json
@ -31,6 +31,9 @@
  "securityStandards": {
    "CWE": [
      369
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S3518/python/metadata.json
+++ b/rules/S3518/python/metadata.json
@ -11,6 +11,9 @@
    ],
    "CWE": [
      369
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  }
 }
--- a/rules/S3518/python/rule.adoc
+++ b/rules/S3518/python/rule.adoc
@ -104,10 +104,8 @@ if the denominator is zero.
 * https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations[Binary arithmetic operations]
 * https://docs.python.org/3/library/exceptions.html#ZeroDivisionError[ZeroDivisionError]

-=== Articles & blog posts
+=== Standards

 * CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.

-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
--- a/rules/S3519/cfamily/metadata.json
+++ b/rules/S3519/cfamily/metadata.json
@ -47,6 +47,9 @@
    ],
    "PCI DSS 4.0": [
      "6.2.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S3519/cfamily/rule.adoc
+++ b/rules/S3519/cfamily/rule.adoc
@ -389,6 +389,7 @@ void tar(std::string const &s) {
 * CWE - https://cwe.mitre.org/data/definitions/131[CWE-131 Incorrect Calculation of Buffer Size]
 * CWE - https://cwe.mitre.org/data/definitions/193[CWE-193 Off-by-one Error]
 * CWE - https://cwe.mitre.org/data/definitions/788[CWE-788 Access of Memory Location After End of Buffer]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.

 === Related rules

--- a/rules/S3649/common/resources/standards.adoc
+++ b/rules/S3649/common/resources/standards.adoc
@ -5,3 +5,6 @@
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
 * https://wiki.sei.cmu.edu/confluence/x/ITdGBQ[CERT, IDS00-J.] - Prevent SQL injection
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222607[Application Security and Development: V-222607] - The application must not be vulnerable to SQL Injection.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S3649/metadata.json
+++ b/rules/S3649/metadata.json
@ -50,6 +50,10 @@
      "5.1.4",
      "5.3.4",
      "5.3.5"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222607",
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S3687/cfamily/metadata.json
+++ b/rules/S3687/cfamily/metadata.json
@ -31,6 +31,11 @@
  "ruleSpecification": "RSPEC-3687",
  "sqKey": "S3687",
  "scope": "All",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222567"
+    ]
+  },
  "defaultQualityProfiles": [
    "Sonar way"
  ],
--- a/rules/S3687/cfamily/rule.adoc
+++ b/rules/S3687/cfamily/rule.adoc
@ -38,8 +38,11 @@ User volatile * pvUser;

 == Resources

+=== Standards
+
 * https://wiki.sei.cmu.edu/confluence/display/c/CON02-C.+Do+not+use+volatile+as+a+synchronization+primitive[CERT CON02-C] - Do not use volatile as a synchronization primitive
 * {cpp} Core Guidelines - https://github.com/isocpp/CppCoreGuidelines/blob/e49158a/CppCoreGuidelines.md#cp200-use-volatile-only-to-talk-to-non-c-memory[CP.200: Use `volatile` only to talk to non-{cpp} memory]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.


 ifdef::env-github,rspecator-view[]
--- a/rules/S3949/cfamily/metadata.json
+++ b/rules/S3949/cfamily/metadata.json
@ -13,6 +13,9 @@
  "securityStandards": {
    "CERT": [
      "INT30-C."
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  }
 }
--- a/rules/S3949/cfamily/rule.adoc
+++ b/rules/S3949/cfamily/rule.adoc
@ -20,6 +20,11 @@ void test(char c) {
 }
 ----

+== Resources
+
+include::../common/resources/standards.adoc[]
+
+
 ifdef::env-github,rspecator-view[]

 '''
--- a/rules/S3949/common/resources/standards.adoc
+++ b/rules/S3949/common/resources/standards.adoc
@ -0,0 +1,4 @@
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
--- a/rules/S3949/csharp/rule.adoc
+++ b/rules/S3949/csharp/rule.adoc
@ -33,4 +33,10 @@ public long Transform(int value)
 }
 ----

+
+== Resources
+
+include::../common/resources/standards.adoc[]
+
+
 include::../rspecator.adoc[]
--- a/rules/S3949/metadata.json
+++ b/rules/S3949/metadata.json
@ -27,6 +27,11 @@
  "ruleSpecification": "RSPEC-3949",
  "sqKey": "S3949",
  "scope": "All",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222612"
+    ]
+  },
  "defaultQualityProfiles": [
    "Sonar way"
  ],
--- a/rules/S3949/vbnet/rule.adoc
+++ b/rules/S3949/vbnet/rule.adoc
@ -24,4 +24,10 @@ Public Function Transform(Value As Integer) As Long
 End Function
 ----

+
+== Resources
+
+include::../common/resources/standards.adoc[]
+
+
 include::../rspecator.adoc[]
--- a/rules/S4502/metadata.json
+++ b/rules/S4502/metadata.json
@ -46,6 +46,9 @@
    "ASVS 4.0": [
      "13.2.3",
      "4.2.2"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222603"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S4502/see.adoc
+++ b/rules/S4502/see.adoc
@ -4,3 +4,5 @@
 * CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222603[Application Security and Development: V-222603] - The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
+
--- a/rules/S4830/cfamily/metadata.json
+++ b/rules/S4830/cfamily/metadata.json
@ -41,6 +41,9 @@
    "ASVS 4.0": [
      "1.9.2",
      "9.2.1"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222550"
    ]
  }
 }
--- a/rules/S4830/common/resources/standards.adoc
+++ b/rules/S4830/common/resources/standards.adoc
@ -8,3 +8,5 @@
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
 * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
 * CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
+
--- a/rules/S4830/java/metadata.json
+++ b/rules/S4830/java/metadata.json
@ -39,6 +39,9 @@
    "ASVS 4.0": [
      "1.9.2",
      "9.2.1"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222550"
    ]
  }
 }
--- a/rules/S4830/metadata.json
+++ b/rules/S4830/metadata.json
@ -60,6 +60,9 @@
    "ASVS 4.0": [
      "1.9.2",
      "9.2.1"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222550"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S5034/metadata.json
+++ b/rules/S5034/metadata.json
@ -27,6 +27,11 @@
  "ruleSpecification": "RSPEC-5034",
  "sqKey": "S5034",
  "scope": "All",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222567"
+    ]
+  },
  "defaultQualityProfiles": [
    "Sonar way"
  ],
--- a/rules/S5034/rule.adoc
+++ b/rules/S5034/rule.adoc
@ -49,4 +49,9 @@ int value = await ComputeAsync().AsTask();

 * https://learn.microsoft.com/en-us/dotnet/api/system.threading.tasks.valuetask[ValueTask]
 * https://learn.microsoft.com/en-us/dotnet/api/system.threading.tasks.valuetask-1[ValueTask<TResult>]
-* https://blogs.msdn.microsoft.com/dotnet/2018/11/07/understanding-the-whys-whats-and-whens-of-valuetask[Understanding the Whys, Whats, and Whens of ValueTask]
+* https://blogs.msdn.microsoft.com/dotnet/2018/11/07/understanding-the-whys-whats-and-whens-of-valuetask[Understanding the Whys, Whats, and Whens of ValueTask]
+
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
--- a/rules/S5131/common/resources/standards.adoc
+++ b/rules/S5131/common/resources/standards.adoc
@ -3,3 +3,6 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222602[Application Security and Development: V-222602] - The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S5131/metadata.json
+++ b/rules/S5131/metadata.json
@ -45,6 +45,10 @@
    ],
    "ASVS 4.0": [
      "5.3.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222602",
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S5135/common/resources/standards.adoc
+++ b/rules/S5135/common/resources/standards.adoc
@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S5135/metadata.json
+++ b/rules/S5135/metadata.json
@ -50,6 +50,9 @@
      "5.1.4",
      "5.5.1",
      "5.5.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S5144/common/resources/standards.adoc
+++ b/rules/S5144/common/resources/standards.adoc
@ -4,3 +4,4 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/918[CWE-918 - Server-Side Request Forgery (SSRF)]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
--- a/rules/S5144/metadata.json
+++ b/rules/S5144/metadata.json
@ -49,6 +49,9 @@
      "5.1.3",
      "5.1.4",
      "5.2.6"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S5145/common/resources/standards.adoc
+++ b/rules/S5145/common/resources/standards.adoc
@ -5,4 +5,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/117[CWE-117 - Improper Output Neutralization for Logs]
+* CWE - https://cwe.mitre.org/data/definitions/117[CWE-117 - Improper Output Neutralization for Logs]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S5145/metadata.json
+++ b/rules/S5145/metadata.json
@ -45,6 +45,9 @@
      "5.1.4",
      "7.3.1",
      "7.3.2"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S5147/common/resources/standards.adoc
+++ b/rules/S5147/common/resources/standards.adoc
@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/943[CWE-943 - Improper Neutralization of Special Elements in Data Query Logic]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
--- a/rules/S5147/metadata.json
+++ b/rules/S5147/metadata.json
@ -48,6 +48,9 @@
      "5.1.3",
      "5.1.4",
      "5.3.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S5273/cfamily/metadata.json
+++ b/rules/S5273/cfamily/metadata.json
@ -17,8 +17,12 @@
    "suspicious"
  ],
  "extra": {
-    "replacementRules": [],
-    "legacyKeys": []
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
  },
  "defaultSeverity": "Major",
  "ruleSpecification": "RSPEC-5273",
@ -32,6 +36,9 @@
      121,
      122,
      676
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  },
  "defaultQualityProfiles": [
--- a/rules/S5273/cfamily/rule.adoc
+++ b/rules/S5273/cfamily/rule.adoc
@ -141,7 +141,7 @@ void bar(const char *src) {
 * CWE - https://cwe.mitre.org/data/definitions/121[CWE-121 Stack-based Buffer Overflow]
 * CWE - https://cwe.mitre.org/data/definitions/122[CWE-122 Heap-based Buffer Overflow]
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 Use of Potentially Dangerous Function]
-
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.


 ifdef::env-github,rspecator-view[]
--- a/rules/S5283/cfamily/metadata.json
+++ b/rules/S5283/cfamily/metadata.json
@ -31,9 +31,11 @@
  "securityStandards": {
    "CERT": [
      "ARR32-C."
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
    ]
  },
-
  "defaultQualityProfiles": [
    "Sonar way"
  ],
--- a/Show More
+++ b/Show More