diff --git a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json index 7dd0ac04e2..bd3e3705c8 100644 --- a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json +++ b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json @@ -218,6 +218,15 @@ "pattern": "^\\d+\\.\\d+\\.\\d+$" }, "uniqueItems": true + }, + "STIG ASD 2023-06-08": { + "type": "array", + "minItems": 0, + "items": { + "type": "string", + "pattern": "^V-\\d+$" + }, + "uniqueItems": true } } }, diff --git a/rules/S1079/cfamily/metadata.json b/rules/S1079/cfamily/metadata.json index d62a90d414..53fee3ed70 100644 --- a/rules/S1079/cfamily/metadata.json +++ b/rules/S1079/cfamily/metadata.json @@ -45,6 +45,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S1079/cfamily/rule.adoc b/rules/S1079/cfamily/rule.adoc index 07b6b758d1..6d36c0756c 100644 --- a/rules/S1079/cfamily/rule.adoc +++ b/rules/S1079/cfamily/rule.adoc @@ -50,6 +50,7 @@ If this code is given the word ``noncompliant`` as an input, ``noncompli␀`` wi * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input] ('Classic Buffer Overflow') * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S1081/cfamily/metadata.json b/rules/S1081/cfamily/metadata.json index f265180921..cc8f2cf7d0 100644 --- a/rules/S1081/cfamily/metadata.json 
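Review bot: `"minItems": 0` in the new `STIG ASD 2023-06-08` schema entry is the default for array schemas and has no effect; drop it unless the sibling standard entries (only the tail of the preceding one is visible here) carry it too, in which case keep it for consistency. The `^V-\\d+$` pattern together with `uniqueItems` is the right shape for STIG finding ids and matches every value the metadata hunks in this change add (`V-222612`, `V-222609`, `V-222430`, ...). Because the key embeds the STIG release date, a later STIG release will need a new key and a schema change rather than a value change; a one-line `"description": "Finding ids from the Application Security and Development STIG, release 2023-06-08"` on the entry would make that expectation explicit to the next maintainer.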
+++ b/rules/S1081/cfamily/metadata.json
@@ -41,6 +41,9 @@
 ],
 "CERT": [
 "STR07-C."
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S1081/common/resources/standards.adoc b/rules/S1081/common/resources/standards.adoc
index fb1af91d6f..3ed57bf2bd 100644
--- a/rules/S1081/common/resources/standards.adoc
+++ b/rules/S1081/common/resources/standards.adoc
@@ -5,3 +5,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
 * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
diff --git a/rules/S1913/cfamily/metadata.json b/rules/S1913/cfamily/metadata.json
index 498aa2fbb7..99bee4bc6b 100644
--- a/rules/S1913/cfamily/metadata.json
+++ b/rules/S1913/cfamily/metadata.json
@@ -24,6 +24,11 @@
 "ruleSpecification": "RSPEC-1913",
 "sqKey": "S1913",
 "scope": "Main",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222612"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S1913/cfamily/rule.adoc b/rules/S1913/cfamily/rule.adoc
index d0bc9cbf80..c1fa544df1 100644
--- a/rules/S1913/cfamily/rule.adoc
+++ b/rules/S1913/cfamily/rule.adoc
@@ -45,6 +45,10 @@ void function() { * {cpp} reference - https://en.cppreference.com/w/cpp/language/sizeof[`sizeof` operator] +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. + ifdef::env-github,rspecator-view[] diff --git a/rules/S2053/common/resources/standards.adoc b/rules/S2053/common/resources/standards.adoc index ebc61597dd..a69aee6dd6 100644 --- a/rules/S2053/common/resources/standards.adoc +++ b/rules/S2053/common/resources/standards.adoc @@ -4,4 +4,5 @@ * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * CWE - https://cwe.mitre.org/data/definitions/759[CWE-759 - Use of a One-Way Hash without a Salt] * CWE - https://cwe.mitre.org/data/definitions/760[CWE-760 - Use of a One-Way Hash with a Predictable Salt] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords. diff --git a/rules/S2053/metadata.json b/rules/S2053/metadata.json index 257da7c37e..868fb1d0e0 100644 --- a/rules/S2053/metadata.json +++ b/rules/S2053/metadata.json @@ -43,6 +43,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222542" ] }, "defaultQualityProfiles": [ diff --git a/rules/S2076/common/resources/standards.adoc b/rules/S2076/common/resources/standards.adoc index d216c2b89d..8ef32399e5 100644 --- a/rules/S2076/common/resources/standards.adoc +++ b/rules/S2076/common/resources/standards.adoc 
@@ -4,3 +4,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222604[Application Security and Development: V-222604] - The application must protect from command injection.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2076/metadata.json b/rules/S2076/metadata.json
index 6685700dc9..d204efe493 100644
--- a/rules/S2076/metadata.json
+++ b/rules/S2076/metadata.json
@@ -49,6 +49,10 @@
 "5.1.3",
 "5.1.4",
 "5.3.8"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222604",
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2078/common/resources/standards.adoc b/rules/S2078/common/resources/standards.adoc
index 7642868def..4359017f06 100644
--- a/rules/S2078/common/resources/standards.adoc
+++ b/rules/S2078/common/resources/standards.adoc
@@ -6,3 +6,5 @@
 * https://www.ietf.org/rfc/rfc4515.txt[RFC 4515] - LDAP: String Representation of Search Filters
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/90[CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2078/java/metadata.json b/rules/S2078/java/metadata.json
index f0e25b5ee8..f7e4b236ca 100644
--- a/rules/S2078/java/metadata.json
+++ b/rules/S2078/java/metadata.json
@@ -27,6 +27,9 @@
 "5.1.3",
 "5.1.4",
 "5.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 }
 }
diff --git a/rules/S2078/metadata.json b/rules/S2078/metadata.json
index 0364131ea4..8c473862b5 100644
--- a/rules/S2078/metadata.json
+++ b/rules/S2078/metadata.json
@@ -48,6 +48,9 @@
 "5.1.3",
 "5.1.4",
 "5.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2083/common/resources/standards.adoc b/rules/S2083/common/resources/standards.adoc
index 2ae72b4f8d..97a216c107 100644
--- a/rules/S2083/common/resources/standards.adoc
+++ b/rules/S2083/common/resources/standards.adoc
@@ -6,3 +6,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2083/metadata.json b/rules/S2083/metadata.json
index 79bfc72978..fcce89f782 100644
--- a/rules/S2083/metadata.json
+++ b/rules/S2083/metadata.json
@@ -50,6 +50,9 @@
 "12.3.1",
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2091/common/resources/standards.adoc b/rules/S2091/common/resources/standards.adoc
index 33a488a32f..c9f79c9320 100644
--- a/rules/S2091/common/resources/standards.adoc
+++ b/rules/S2091/common/resources/standards.adoc
@@ -4,3 +4,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/643[CWE-643 - Improper Neutralization of Data within XPath Expressions]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2091/java/metadata.json b/rules/S2091/java/metadata.json
index 10f231dce3..31db2b9482 100644
--- a/rules/S2091/java/metadata.json
+++ b/rules/S2091/java/metadata.json
@@ -27,6 +27,10 @@
 "5.1.3",
 "5.1.4",
 "5.3.10"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608",
+ "V-222609"
 ]
 }
 }
diff --git a/rules/S2091/metadata.json b/rules/S2091/metadata.json
index bcab225468..a662530756 100644
--- a/rules/S2091/metadata.json
+++ b/rules/S2091/metadata.json
@@ -48,6 +48,10 @@
 "5.1.3",
 "5.1.4",
 "5.3.10"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608",
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2092/metadata.json b/rules/S2092/metadata.json
index 8336c0d484..ab9c49b569 100644
--- a/rules/S2092/metadata.json
+++ b/rules/S2092/metadata.json
@@ -52,6 +52,9 @@
 "6.1.1",
 "6.1.2",
 "6.1.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222576"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2092/see.adoc b/rules/S2092/see.adoc
index 63cea73634..1a0ae5af63 100644
--- a/rules/S2092/see.adoc
+++ b/rules/S2092/see.adoc
@@ -6,3 +6,5 @@ * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] * CWE - https://cwe.mitre.org/data/definitions/315[CWE-315 - Cleartext Storage of Sensitive Information in a Cookie] * CWE - https://cwe.mitre.org/data/definitions/614[CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222576[Application Security and Development: V-222576] - The application must set the secure flag on session cookies. + diff --git a/rules/S2184/cfamily/metadata.json b/rules/S2184/cfamily/metadata.json index 4f45fdc4f5..53d2bcf271 100644 --- a/rules/S2184/cfamily/metadata.json +++ b/rules/S2184/cfamily/metadata.json @@ -18,6 +18,9 @@ ], "ASVS 4.0": [ "5.4.3" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] } } diff --git a/rules/S2184/cfamily/rule.adoc b/rules/S2184/cfamily/rule.adoc index 354c37a603..48a934510c 100644 --- a/rules/S2184/cfamily/rule.adoc +++ b/rules/S2184/cfamily/rule.adoc @@ -33,9 +33,13 @@ void compliant2() { == Resources +=== Standards + * MISRA {cpp}:2008, 5-0-8 - An explicit integral or floating-point conversion shall not increase the size of the underlying type of a cvalue expression. * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound] * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. + ifdef::env-github,rspecator-view[] diff --git a/rules/S2184/csharp/rule.adoc b/rules/S2184/csharp/rule.adoc index 373567fdba..54f1f9921f 100644 --- a/rules/S2184/csharp/rule.adoc +++ b/rules/S2184/csharp/rule.adoc 
@@ -30,7 +30,10 @@ static void Method(float f) { } == Resources +=== Standards + * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S2184/java/metadata.json b/rules/S2184/java/metadata.json index feff987871..66214ce145 100644 --- a/rules/S2184/java/metadata.json +++ b/rules/S2184/java/metadata.json @@ -14,6 +14,9 @@ ], "ASVS 4.0": [ "5.4.3" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] } } diff --git a/rules/S2184/java/rule.adoc b/rules/S2184/java/rule.adoc index c375c9e65b..1c64fc450e 100644 --- a/rules/S2184/java/rule.adoc +++ b/rules/S2184/java/rule.adoc @@ -62,9 +62,13 @@ public float compute2(float factor){ == Resources +=== Standards + * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound] * https://wiki.sei.cmu.edu/confluence/x/AjdGBQ[CERT, NUM50-J.] - Convert integers to floating point for floating-point operations * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. + ifdef::env-github,rspecator-view[] diff --git a/rules/S2184/metadata.json b/rules/S2184/metadata.json index 96c978d299..d417d1b210 100644 --- a/rules/S2184/metadata.json +++ b/rules/S2184/metadata.json @@ -34,6 +34,9 @@ ], "ASVS 4.0": [ "5.4.3" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ 
diff --git a/rules/S2226/java/metadata.json b/rules/S2226/java/metadata.json index 7c9ab04f3a..355b10c598 100644 --- a/rules/S2226/java/metadata.json +++ b/rules/S2226/java/metadata.json @@ -32,6 +32,9 @@ "securityStandards": { "CERT": [ "MSC11-J." + ], + "STIG ASD 2023-06-08": [ + "V-222567" ] }, "defaultQualityProfiles": [ diff --git a/rules/S2226/java/rule.adoc b/rules/S2226/java/rule.adoc index 42e5d9137d..bfb00cc862 100644 --- a/rules/S2226/java/rule.adoc +++ b/rules/S2226/java/rule.adoc @@ -169,6 +169,11 @@ public class MyServlet extends HttpServlet { * https://www.devinline.com/2013/08/how-to-make-thread-safe-servlet.html[Nikhil Ranjan: How to make thread safe servlet ?] * https://objectcomputing.com/resources/publications/sett/april-2000-tips-for-creating-thread-safe-code-avoiding-race-conditions[Object Computing: Tips for creating thread-safe code] +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. + + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S2254/java/metadata.json b/rules/S2254/java/metadata.json index a34fab19fb..ba48324b7d 100644 --- a/rules/S2254/java/metadata.json +++ b/rules/S2254/java/metadata.json @@ -16,8 +16,12 @@ "cwe" ], "extra": { - "replacementRules": [], - "legacyKeys": [] + "replacementRules": [ + + ], + "legacyKeys": [ + + ] }, "defaultSeverity": "Critical", "ruleSpecification": "RSPEC-2254", @@ -32,10 +36,13 @@ ], "OWASP Top 10 2021": [ "A4" + ], + "STIG ASD 2023-06-08": [ + "V-222582" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S2254/java/rule.adoc b/rules/S2254/java/rule.adoc index d56127cebf..eeb1738fb0 100644 --- a/rules/S2254/java/rule.adoc +++ b/rules/S2254/java/rule.adoc 
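Review bot: The first rules/S2254/java/metadata.json hunk rewrites `"replacementRules": []` and `"legacyKeys": []` as three-line arrays containing an empty line, a change unrelated to the STIG mapping that looks like serializer output rather than an intended format; the same pattern appears in rules/S2435/metadata.json (`"tags": [` followed by an empty line), rules/S2612/docker/metadata.json (an empty line inserted into every empty standards array) and rules/S2647/metadata.json (`tags`, `replacementRules`, `legacyKeys`, `defaultQualityProfiles`). Keep the compact `"replacementRules": [],` / `"legacyKeys": []` so each diff is limited to the new `STIG ASD 2023-06-08` array, and have whatever tool generated these files emit `[]` for empty lists (Python's `json.dump` with `indent` already does; which tool was used is not visible here). The added newline at end of file in the second hunk is a genuine improvement and should stay.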
@@ -64,6 +64,7 @@ The compliant example instead uses the server's session ID to verify if the sess * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication] * CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs. ifdef::env-github,rspecator-view[] diff --git a/rules/S2435/cfamily/metadata.json b/rules/S2435/cfamily/metadata.json index 5cc7dc1668..b1318e5974 100644 --- a/rules/S2435/cfamily/metadata.json +++ b/rules/S2435/cfamily/metadata.json @@ -12,6 +12,9 @@ ], "OWASP Top 10 2021": [ "A3" + ], + "STIG ASD 2023-06-08": [ + "V-222608" ] } } diff --git a/rules/S2435/cfamily/rule.adoc b/rules/S2435/cfamily/rule.adoc index ec3c537453..d0f9876a1c 100644 --- a/rules/S2435/cfamily/rule.adoc +++ b/rules/S2435/cfamily/rule.adoc @@ -4,10 +4,14 @@ include::../rule-except-see.adoc[] == Resources +=== Standards + * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)] * CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks. + ifdef::env-github,rspecator-view[] 
diff --git a/rules/S2435/java/metadata.json b/rules/S2435/java/metadata.json index 2eef90b9d7..df191137d9 100644 --- a/rules/S2435/java/metadata.json +++ b/rules/S2435/java/metadata.json @@ -15,6 +15,9 @@ ], "OWASP Top 10 2021": [ "A3" + ], + "STIG ASD 2023-06-08": [ + "V-222608" ] } } diff --git a/rules/S2435/java/rule.adoc b/rules/S2435/java/rule.adoc index a45117644e..a85f38398b 100644 --- a/rules/S2435/java/rule.adoc +++ b/rules/S2435/java/rule.adoc @@ -4,11 +4,15 @@ include::../rule-except-see.adoc[] == Resources +=== Standards + * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)] * CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)] * https://wiki.sei.cmu.edu/confluence/x/7jdGBQ[CERT, IDS51-J.] - Properly encode or escape output +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks. + ifdef::env-github,rspecator-view[] diff --git a/rules/S2435/metadata.json b/rules/S2435/metadata.json index fea97bf128..c1e9bb9843 100644 --- a/rules/S2435/metadata.json +++ b/rules/S2435/metadata.json @@ -7,6 +7,7 @@ "constantCost": "15min" }, "tags": [ + ], "extra": { "replacementRules": [ @@ -30,6 +31,9 @@ ], "OWASP Top 10 2021": [ "A3" + ], + "STIG ASD 2023-06-08": [ + "V-222608" ] }, "defaultQualityProfiles": [ diff --git a/rules/S2612/cfamily/metadata.json b/rules/S2612/cfamily/metadata.json index 1647fe1911..89bd377d27 100644 --- a/rules/S2612/cfamily/metadata.json +++ b/rules/S2612/cfamily/metadata.json 
@@ -27,6 +27,9 @@ ], "ASVS 4.0": [ "4.3.3" + ], + "STIG ASD 2023-06-08": [ + "V-222430" ] } } diff --git a/rules/S2612/cfamily/rule.adoc b/rules/S2612/cfamily/rule.adoc index ab62a57536..9e92e8b133 100644 --- a/rules/S2612/cfamily/rule.adoc +++ b/rules/S2612/cfamily/rule.adoc @@ -64,6 +64,8 @@ umask(S_IRWXO); // Compliant: further created files or directories will not have * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource] * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment] * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions. + ifdef::env-github,rspecator-view[] diff --git a/rules/S2612/docker/metadata.json b/rules/S2612/docker/metadata.json index 461042dc3e..8ecc9ba470 100644 --- a/rules/S2612/docker/metadata.json +++ b/rules/S2612/docker/metadata.json @@ -5,19 +5,28 @@ ], "securityStandards": { "CERT": [ + ], "CWE": [ 732 ], "OWASP": [ + ], "OWASP Top 10 2021": [ + ], "PCI DSS 3.2": [ + ], "PCI DSS 4.0": [ + ], "ASVS 4.0": [ + + ], + "STIG ASD 2023-06-08": [ + "V-222430" ] }, "quickfix": "unknown" diff --git a/rules/S2612/docker/rule.adoc b/rules/S2612/docker/rule.adoc index 094423df3c..fcdc84991d 100644 --- a/rules/S2612/docker/rule.adoc +++ b/rules/S2612/docker/rule.adoc 
@@ -45,6 +45,8 @@ RUN chmod +t resource * https://docs.docker.com/engine/reference/builder/#copy[COPY] - Docker COPY command * https://man.archlinux.org/man/core/man-pages/chmod.1p.en[chmod reference] - `chmod` command * https://man.archlinux.org/man/chown.1.en[chown reference] - `chown` command +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions. + ifdef::env-github,rspecator-view[] diff --git a/rules/S2612/java/metadata.json b/rules/S2612/java/metadata.json index d19d99bbb7..5b0e3e6b33 100644 --- a/rules/S2612/java/metadata.json +++ b/rules/S2612/java/metadata.json @@ -27,6 +27,9 @@ ], "ASVS 4.0": [ "4.3.3" + ], + "STIG ASD 2023-06-08": [ + "V-222430" ] }, "quickfix": "unknown" diff --git a/rules/S2612/java/rule.adoc b/rules/S2612/java/rule.adoc index f273a72530..0dea0afec3 100644 --- a/rules/S2612/java/rule.adoc +++ b/rules/S2612/java/rule.adoc @@ -72,6 +72,8 @@ On operating systems that implement POSIX standard. This will throw a ``++Unsupp * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment] * https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions[CERT, FIO01-J.] - Create files with appropriate access permissions * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions. + ifdef::env-github,rspecator-view[] diff --git a/rules/S2612/metadata.json b/rules/S2612/metadata.json index 581f40b637..43ad9262f4 100644 --- a/rules/S2612/metadata.json 
+++ b/rules/S2612/metadata.json
@@ -47,6 +47,9 @@
 ],
 "ASVS 4.0": [
 "4.3.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222430"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2612/see.adoc b/rules/S2612/see.adoc
index ac7db81e12..1b512527ba 100644
--- a/rules/S2612/see.adoc
+++ b/rules/S2612/see.adoc
@@ -6,3 +6,5 @@
 * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission[OWASP File Permission]
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
diff --git a/rules/S2631/common/resources/standards.adoc b/rules/S2631/common/resources/standards.adoc
index 7322316fac..4c60f6b3f1 100644
--- a/rules/S2631/common/resources/standards.adoc
+++ b/rules/S2631/common/resources/standards.adoc
@@ -5,3 +5,7 @@
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
 * CWE - https://cwe.mitre.org/data/definitions/1333[CWE-1333 - Inefficient Regular Expression Complexity]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222594[Application Security and Development: V-222594] - The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+
diff --git a/rules/S2631/metadata.json b/rules/S2631/metadata.json
index bebe700f40..8382570181 100644
--- a/rules/S2631/metadata.json
+++ b/rules/S2631/metadata.json
@@ -50,6 +50,11 @@
 "12.1.1",
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222594",
+ "V-222609",
+ "V-222667"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2647/common/resources/standards.adoc b/rules/S2647/common/resources/standards.adoc
index 5dfe721aea..46331f40b5 100644
--- a/rules/S2647/common/resources/standards.adoc
+++ b/rules/S2647/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html#user-authentication[OWASP Web Service Security Cheat Sheet]
 * CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222533[Application Security and Development: V-222533] - The application must authenticate all network connected endpoint devices before establishing any connection.
+
diff --git a/rules/S2647/metadata.json b/rules/S2647/metadata.json
index a1129dfb33..3986933ca9 100644
--- a/rules/S2647/metadata.json
+++ b/rules/S2647/metadata.json
@@ -12,10 +12,16 @@
 "func": "Constant\/Issue",
 "constantCost": "2h"
 },
- "tags": [],
+ "tags": [
+
+ ],
 "extra": {
- "replacementRules": [],
- "legacyKeys": []
+ "replacementRules": [
+
+ ],
+ "legacyKeys": [
+
+ ]
 },
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-2647",
@@ -39,8 +45,13 @@
 ],
 "ASVS 4.0": [
 "2.10.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222533"
 ]
 },
- "defaultQualityProfiles": [],
+ "defaultQualityProfiles": [
+
+ ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S2696/common/resources/standards.adoc b/rules/S2696/common/resources/standards.adoc
new file mode 100644
index 0000000000..a7d9d7297c
--- /dev/null
+++ b/rules/S2696/common/resources/standards.adoc
@@ -0,0 +1,4 @@
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
diff --git a/rules/S2696/csharp/rule.adoc b/rules/S2696/csharp/rule.adoc
index 97aa75db8d..2b28f0ccf3 100644
--- a/rules/S2696/csharp/rule.adoc
+++ b/rules/S2696/csharp/rule.adoc
@@ -40,6 +40,9 @@ interface MyInterface * https://www.c-sharpcorner.com/UploadFile/1d42da/race-conditions-in-threading-C-Sharp/[Race Conditions in C#] +include::../common/resources/standards.adoc[] + + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S2696/java/rule.adoc b/rules/S2696/java/rule.adoc index 98f39bd7ba..3ee004e063 100644 --- a/rules/S2696/java/rule.adoc +++ b/rules/S2696/java/rule.adoc @@ -22,6 +22,11 @@ public class MyClass { ---- +== Resources + +include::../common/resources/standards.adoc[] + + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S2696/metadata.json b/rules/S2696/metadata.json index 1945fb9ad5..e6b224b511 100644 --- a/rules/S2696/metadata.json +++ b/rules/S2696/metadata.json @@ -27,6 +27,11 @@ "ruleSpecification": "RSPEC-2696", "sqKey": "S2696", "scope": "Main", + "securityStandards": { + "STIG ASD 2023-06-08": [ + "V-222567" + ] + }, "defaultQualityProfiles": [ "Sonar way" ], diff --git a/rules/S2755/common/resources/standards.adoc b/rules/S2755/common/resources/standards.adoc index fb7139b7a6..80624efb7b 100644 --- a/rules/S2755/common/resources/standards.adoc +++ b/rules/S2755/common/resources/standards.adoc @@ -4,4 +4,5 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)] * CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Information Exposure Through XML External Entity Reference] * CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks. diff --git a/rules/S2755/metadata.json b/rules/S2755/metadata.json index 615b0b807d..e75faf0662 100644 --- a/rules/S2755/metadata.json +++ b/rules/S2755/metadata.json 
@@ -46,6 +46,9 @@ ], "ASVS 4.0": [ "5.5.2" + ], + "STIG ASD 2023-06-08": [ + "V-222608" ] }, "defaultQualityProfiles": [ diff --git a/rules/S2885/java/metadata.json b/rules/S2885/java/metadata.json index 5a2d39449a..abe9fbcdb9 100644 --- a/rules/S2885/java/metadata.json +++ b/rules/S2885/java/metadata.json @@ -19,6 +19,11 @@ "ruleSpecification": "RSPEC-2885", "sqKey": "S2885", "scope": "Main", + "securityStandards": { + "STIG ASD 2023-06-08": [ + "V-222567" + ] + }, "defaultQualityProfiles": [ "Sonar way" ], diff --git a/rules/S2885/java/rule.adoc b/rules/S2885/java/rule.adoc index a3cff65bb1..974403b094 100644 --- a/rules/S2885/java/rule.adoc +++ b/rules/S2885/java/rule.adoc @@ -48,12 +48,18 @@ public class MyClass { ---- == Resources + === Articles & blog posts * https://web.mit.edu/6.005/www/fa14/classes/18-thread-safety/[MIT - Thread safety] * https://www.baeldung.com/java-thread-safety[Baeldung - Thread safety] * https://www.baeldung.com/java-static[Baeldung - Static] +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. + + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S2886/java/metadata.json b/rules/S2886/java/metadata.json index 668868e5f3..64fe332607 100644 --- a/rules/S2886/java/metadata.json +++ b/rules/S2886/java/metadata.json @@ -23,6 +23,9 @@ "securityStandards": { "CERT": [ "VNA01-J." + ], + "STIG ASD 2023-06-08": [ + "V-222567" ] }, "defaultQualityProfiles": [ diff --git a/rules/S2886/java/rule.adoc b/rules/S2886/java/rule.adoc index a3aa269f6c..6170b83ee7 100644 --- a/rules/S2886/java/rule.adoc +++ b/rules/S2886/java/rule.adoc 
@@ -82,15 +82,17 @@ public class Person { * https://docs.oracle.com/javase/tutorial/essential/concurrency/syncmeth.html[Oracle Java - Synchronized Methods] * https://docs.oracle.com/javase/specs/jls/se20/html/jls-8.html#jls-8.4.3.6[Oracle SE 20 - Synchronized Methods] -=== Standards - -* https://wiki.sei.cmu.edu/confluence/x/4jdGBQ[CERT, VNA01-J.] - Ensure visibility of shared references to immutable objects - === Articles & blog posts * https://web.mit.edu/6.005/www/fa14/classes/18-thread-safety/[MIT - Thread safety] * https://www.baeldung.com/java-thread-safety[Baeldung - Thread safety] +=== Standards + +* https://wiki.sei.cmu.edu/confluence/x/4jdGBQ[CERT, VNA01-J.] - Ensure visibility of shared references to immutable objects +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. + + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S3330/metadata.json b/rules/S3330/metadata.json index 6b84f415a9..e301f9a08b 100644 --- a/rules/S3330/metadata.json +++ b/rules/S3330/metadata.json @@ -46,6 +46,9 @@ ], "ASVS 4.0": [ "3.4.2" + ], + "STIG ASD 2023-06-08": [ + "V-222575" ] }, "defaultQualityProfiles": [ diff --git a/rules/S3330/see.adoc b/rules/S3330/see.adoc index 53adae0386..304a751f41 100644 --- a/rules/S3330/see.adoc +++ b/rules/S3330/see.adoc 
@@ -4,4 +4,6 @@ * https://owasp.org/www-community/HttpOnly[OWASP HttpOnly] * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)] * CWE - https://cwe.mitre.org/data/definitions/1004[CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag] -* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE[HTTPONLY_COOKIE] \ No newline at end of file +* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE[HTTPONLY_COOKIE] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222575[Application Security and Development: V-222575] - The application must set the HTTPOnly flag on session cookies. + diff --git a/rules/S3518/cfamily/metadata.json b/rules/S3518/cfamily/metadata.json index ff48e09418..434dead28e 100644 --- a/rules/S3518/cfamily/metadata.json +++ b/rules/S3518/cfamily/metadata.json @@ -16,6 +16,9 @@ ], "CWE": [ 369 + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] } } diff --git a/rules/S3518/cfamily/rule.adoc b/rules/S3518/cfamily/rule.adoc index 6e076e5d42..e6b8c39732 100644 --- a/rules/S3518/cfamily/rule.adoc +++ b/rules/S3518/cfamily/rule.adoc 
@@ -138,6 +138,7 @@ std::optional safe_division(int a, int b) { * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow[INT32-C. Ensure that operations on signed integers do not result in overflow] * CERT - https://wiki.sei.cmu.edu/confluence/x/ftYxBQ[INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors] * CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. === External coding guidelines diff --git a/rules/S3518/java/metadata.json b/rules/S3518/java/metadata.json index 0909f01266..f25f18a967 100644 --- a/rules/S3518/java/metadata.json +++ b/rules/S3518/java/metadata.json @@ -12,6 +12,9 @@ ], "CWE": [ 369 + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] } } diff --git a/rules/S3518/java/rule.adoc b/rules/S3518/java/rule.adoc index ef36009df9..ac83eff155 100644 --- a/rules/S3518/java/rule.adoc +++ b/rules/S3518/java/rule.adoc 
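Review bot: The added `"STIG ASD 2023-06-08": ["V-222612"]` in rules/S3518/java/metadata.json maps this rule to a finding that the same commit describes as "must not be vulnerable to overflow attacks", while the rule's only other standard is CWE-369 (divide by zero), which is a distinct defect class from integer or buffer overflow. If the mapping is intentional (for instance because the STIG check text is read as covering arithmetic faults generally), a one-line justification in the PR description or next to the new STIG bullet in the rule.adoc Standards section would stop a later maintainer from "correcting" it; otherwise the entry should be dropped. The same mapping is repeated in rules/S3518/cfamily/metadata.json, rules/S3518/metadata.json and rules/S3518/python/metadata.json, so whatever is decided should be applied to all four consistently.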
@@ -59,16 +59,15 @@ void test_divide() { === Documentation * https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/ArithmeticException.html[ArithmeticException] - -=== Articles & blog posts - -* CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero] -* https://wiki.sei.cmu.edu/confluence/x/CTZGBQ[CERT, NUM02-J.] - Ensure that division and remainder operations do not result in divide-by-zero errors +* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.2[The Division Operator in the JLS] +* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.3[The Remainder Operator in the JLS] === Standards -* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.2[The Division Operator in the JLS] -* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.3[The Remainder Operator in the JLS] +* CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero] +* https://wiki.sei.cmu.edu/confluence/x/CTZGBQ[CERT, NUM02-J.] - Ensure that division and remainder operations do not result in divide-by-zero errors +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. + ifdef::env-github,rspecator-view[] diff --git a/rules/S3518/metadata.json b/rules/S3518/metadata.json index 559015907b..22adfa10c7 100644 --- a/rules/S3518/metadata.json +++ b/rules/S3518/metadata.json @@ -31,6 +31,9 @@ "securityStandards": { "CWE": [ 369 + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S3518/python/metadata.json b/rules/S3518/python/metadata.json index 5ba48ac266..e4e73e9907 100644 --- a/rules/S3518/python/metadata.json +++ b/rules/S3518/python/metadata.json @@ -11,6 +11,9 @@ ], "CWE": [ 369 + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] } } 
diff --git a/rules/S3518/python/rule.adoc b/rules/S3518/python/rule.adoc index 441c4e2327..ee1998773a 100644 --- a/rules/S3518/python/rule.adoc +++ b/rules/S3518/python/rule.adoc @@ -104,10 +104,8 @@ if the denominator is zero. * https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations[Binary arithmetic operations] * https://docs.python.org/3/library/exceptions.html#ZeroDivisionError[ZeroDivisionError] -=== Articles & blog posts +=== Standards * CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. -//=== Articles & blog posts -//=== Conference presentations -//=== Standards diff --git a/rules/S3519/cfamily/metadata.json b/rules/S3519/cfamily/metadata.json index 3a6f5a53b9..375ed579db 100644 --- a/rules/S3519/cfamily/metadata.json +++ b/rules/S3519/cfamily/metadata.json @@ -47,6 +47,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S3519/cfamily/rule.adoc b/rules/S3519/cfamily/rule.adoc index 7ff911a1a3..716a2e1754 100644 --- a/rules/S3519/cfamily/rule.adoc +++ b/rules/S3519/cfamily/rule.adoc @@ -389,6 +389,7 @@ void tar(std::string const &s) { * CWE - https://cwe.mitre.org/data/definitions/131[CWE-131 Incorrect Calculation of Buffer Size] * CWE - https://cwe.mitre.org/data/definitions/193[CWE-193 Off-by-one Error] * CWE - https://cwe.mitre.org/data/definitions/788[CWE-788 Access of Memory Location After End of Buffer] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. === Related rules 
diff --git a/rules/S3649/common/resources/standards.adoc b/rules/S3649/common/resources/standards.adoc index 024b19cc62..a382d152ef 100644 --- a/rules/S3649/common/resources/standards.adoc +++ b/rules/S3649/common/resources/standards.adoc @@ -5,3 +5,6 @@ * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command] * https://wiki.sei.cmu.edu/confluence/x/ITdGBQ[CERT, IDS00-J.] - Prevent SQL injection +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222607[Application Security and Development: V-222607] - The application must not be vulnerable to SQL Injection. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S3649/metadata.json b/rules/S3649/metadata.json index ed79a6082a..9953d4cf81 100644 --- a/rules/S3649/metadata.json +++ b/rules/S3649/metadata.json @@ -50,6 +50,10 @@ "5.1.4", "5.3.4", "5.3.5" + ], + "STIG ASD 2023-06-08": [ + "V-222607", + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S3687/cfamily/metadata.json b/rules/S3687/cfamily/metadata.json index 9040a6a6bd..c015ce4453 100644 --- a/rules/S3687/cfamily/metadata.json +++ b/rules/S3687/cfamily/metadata.json @@ -31,6 +31,11 @@ "ruleSpecification": "RSPEC-3687", "sqKey": "S3687", "scope": "All", + "securityStandards": { + "STIG ASD 2023-06-08": [ + "V-222567" + ] + }, "defaultQualityProfiles": [ "Sonar way" ], diff --git a/rules/S3687/cfamily/rule.adoc b/rules/S3687/cfamily/rule.adoc index 85469009fe..3b28c22d43 100644 --- a/rules/S3687/cfamily/rule.adoc +++ b/rules/S3687/cfamily/rule.adoc 
@@ -38,8 +38,11 @@ User volatile * pvUser; == Resources +=== Standards + * https://wiki.sei.cmu.edu/confluence/display/c/CON02-C.+Do+not+use+volatile+as+a+synchronization+primitive[CERT CON02-C] - Do not use volatile as a synchronization primitive * {cpp} Core Guidelines - https://github.com/isocpp/CppCoreGuidelines/blob/e49158a/CppCoreGuidelines.md#cp200-use-volatile-only-to-talk-to-non-c-memory[CP.200: Use `volatile` only to talk to non-{cpp} memory] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. ifdef::env-github,rspecator-view[] diff --git a/rules/S3949/cfamily/metadata.json b/rules/S3949/cfamily/metadata.json index 6cb3eaa5df..28d1b2db25 100644 --- a/rules/S3949/cfamily/metadata.json +++ b/rules/S3949/cfamily/metadata.json @@ -13,6 +13,9 @@ "securityStandards": { "CERT": [ "INT30-C." + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] } } diff --git a/rules/S3949/cfamily/rule.adoc b/rules/S3949/cfamily/rule.adoc index 0cef8f7015..dc285d77b6 100644 --- a/rules/S3949/cfamily/rule.adoc +++ b/rules/S3949/cfamily/rule.adoc @@ -20,6 +20,11 @@ void test(char c) { } ---- +== Resources + +include::../common/resources/standards.adoc[] + + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S3949/common/resources/standards.adoc b/rules/S3949/common/resources/standards.adoc new file mode 100644 index 0000000000..c80df97e74 --- /dev/null +++ b/rules/S3949/common/resources/standards.adoc @@ -0,0 +1,4 @@ +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. + diff --git a/rules/S3949/csharp/rule.adoc b/rules/S3949/csharp/rule.adoc index 6da585919c..f22ebc9cb0 100644 --- a/rules/S3949/csharp/rule.adoc 
+++ b/rules/S3949/csharp/rule.adoc @@ -33,4 +33,10 @@ public long Transform(int value) } ---- + +== Resources + +include::../common/resources/standards.adoc[] + + include::../rspecator.adoc[] diff --git a/rules/S3949/metadata.json b/rules/S3949/metadata.json index d8d5a6c628..e379f1435c 100644 --- a/rules/S3949/metadata.json +++ b/rules/S3949/metadata.json @@ -27,6 +27,11 @@ "ruleSpecification": "RSPEC-3949", "sqKey": "S3949", "scope": "All", + "securityStandards": { + "STIG ASD 2023-06-08": [ + "V-222612" + ] + }, "defaultQualityProfiles": [ "Sonar way" ], diff --git a/rules/S3949/vbnet/rule.adoc b/rules/S3949/vbnet/rule.adoc index b51d6c8dc7..b31a4df1ae 100644 --- a/rules/S3949/vbnet/rule.adoc +++ b/rules/S3949/vbnet/rule.adoc @@ -24,4 +24,10 @@ Public Function Transform(Value As Integer) As Long End Function ---- + +== Resources + +include::../common/resources/standards.adoc[] + + include::../rspecator.adoc[] diff --git a/rules/S4502/metadata.json b/rules/S4502/metadata.json index b31f461b7e..78252c54fd 100644 --- a/rules/S4502/metadata.json +++ b/rules/S4502/metadata.json @@ -46,6 +46,9 @@ "ASVS 4.0": [ "13.2.3", "4.2.2" + ], + "STIG ASD 2023-06-08": [ + "V-222603" ] }, "defaultQualityProfiles": [ diff --git a/rules/S4502/see.adoc b/rules/S4502/see.adoc index a8ff3555b2..93793bdc7c 100644 --- a/rules/S4502/see.adoc +++ b/rules/S4502/see.adoc @@ -4,3 +4,5 @@ * CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222603[Application Security and Development: V-222603] - The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. + 
diff --git a/rules/S4830/cfamily/metadata.json b/rules/S4830/cfamily/metadata.json index 2e2c906e10..570e9f22d0 100644 --- a/rules/S4830/cfamily/metadata.json +++ b/rules/S4830/cfamily/metadata.json @@ -41,6 +41,9 @@ "ASVS 4.0": [ "1.9.2", "9.2.1" + ], + "STIG ASD 2023-06-08": [ + "V-222550" ] } } diff --git a/rules/S4830/common/resources/standards.adoc b/rules/S4830/common/resources/standards.adoc index 37b356eba7..d1a14eae15 100644 --- a/rules/S4830/common/resources/standards.adoc +++ b/rules/S4830/common/resources/standards.adoc @@ -8,3 +8,5 @@ * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication] * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements] * CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor. + diff --git a/rules/S4830/java/metadata.json b/rules/S4830/java/metadata.json index c432d942d7..17b25528ef 100644 --- a/rules/S4830/java/metadata.json +++ b/rules/S4830/java/metadata.json @@ -39,6 +39,9 @@ "ASVS 4.0": [ "1.9.2", "9.2.1" + ], + "STIG ASD 2023-06-08": [ + "V-222550" ] } } diff --git a/rules/S4830/metadata.json b/rules/S4830/metadata.json index 24703cc8db..c15e3680ac 100644 --- a/rules/S4830/metadata.json +++ b/rules/S4830/metadata.json @@ -60,6 +60,9 @@ "ASVS 4.0": [ "1.9.2", "9.2.1" + ], + "STIG ASD 2023-06-08": [ + "V-222550" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5034/metadata.json b/rules/S5034/metadata.json index 414adf12e9..672f28e1c3 100644 --- a/rules/S5034/metadata.json 
+++ b/rules/S5034/metadata.json @@ -27,6 +27,11 @@ "ruleSpecification": "RSPEC-5034", "sqKey": "S5034", "scope": "All", + "securityStandards": { + "STIG ASD 2023-06-08": [ + "V-222567" + ] + }, "defaultQualityProfiles": [ "Sonar way" ], diff --git a/rules/S5034/rule.adoc b/rules/S5034/rule.adoc index 67e45ccd3d..5b3e789b77 100644 --- a/rules/S5034/rule.adoc +++ b/rules/S5034/rule.adoc @@ -49,4 +49,9 @@ int value = await ComputeAsync().AsTask(); * https://learn.microsoft.com/en-us/dotnet/api/system.threading.tasks.valuetask[ValueTask] * https://learn.microsoft.com/en-us/dotnet/api/system.threading.tasks.valuetask-1[ValueTask] -* https://blogs.msdn.microsoft.com/dotnet/2018/11/07/understanding-the-whys-whats-and-whens-of-valuetask[Understanding the Whys, Whats, and Whens of ValueTask] \ No newline at end of file +* https://blogs.msdn.microsoft.com/dotnet/2018/11/07/understanding-the-whys-whats-and-whens-of-valuetask[Understanding the Whys, Whats, and Whens of ValueTask] + +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. + diff --git a/rules/S5131/common/resources/standards.adoc b/rules/S5131/common/resources/standards.adoc index a0aa59a280..ac12800c34 100644 --- a/rules/S5131/common/resources/standards.adoc +++ b/rules/S5131/common/resources/standards.adoc 
@@ -3,3 +3,6 @@ * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)] * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222602[Application Security and Development: V-222602] - The application must protect from Cross-Site Scripting (XSS) vulnerabilities. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S5131/metadata.json b/rules/S5131/metadata.json index df793c7d17..3b674d5a38 100644 --- a/rules/S5131/metadata.json +++ b/rules/S5131/metadata.json @@ -45,6 +45,10 @@ ], "ASVS 4.0": [ "5.3.3" + ], + "STIG ASD 2023-06-08": [ + "V-222602", + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5135/common/resources/standards.adoc b/rules/S5135/common/resources/standards.adoc index 1d61528094..bc3b43bdd5 100644 --- a/rules/S5135/common/resources/standards.adoc +++ b/rules/S5135/common/resources/standards.adoc @@ -4,3 +4,5 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + 
diff --git a/rules/S5135/metadata.json b/rules/S5135/metadata.json index 5a862458ad..698e3ce55e 100644 --- a/rules/S5135/metadata.json +++ b/rules/S5135/metadata.json @@ -50,6 +50,9 @@ "5.1.4", "5.5.1", "5.5.3" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5144/common/resources/standards.adoc b/rules/S5144/common/resources/standards.adoc index d27d2e47c1..76326f5859 100644 --- a/rules/S5144/common/resources/standards.adoc +++ b/rules/S5144/common/resources/standards.adoc @@ -4,3 +4,4 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/918[CWE-918 - Server-Side Request Forgery (SSRF)] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. diff --git a/rules/S5144/metadata.json b/rules/S5144/metadata.json index 9f42531ba8..4712bfb195 100644 --- a/rules/S5144/metadata.json +++ b/rules/S5144/metadata.json @@ -49,6 +49,9 @@ "5.1.3", "5.1.4", "5.2.6" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5145/common/resources/standards.adoc b/rules/S5145/common/resources/standards.adoc index bbd930e59e..89dffd6cb9 100644 --- a/rules/S5145/common/resources/standards.adoc +++ b/rules/S5145/common/resources/standards.adoc 
@@ -5,4 +5,6 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] -* CWE - https://cwe.mitre.org/data/definitions/117[CWE-117 - Improper Output Neutralization for Logs] \ No newline at end of file +* CWE - https://cwe.mitre.org/data/definitions/117[CWE-117 - Improper Output Neutralization for Logs] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S5145/metadata.json b/rules/S5145/metadata.json index c63c7ae867..8355bf49f9 100644 --- a/rules/S5145/metadata.json +++ b/rules/S5145/metadata.json @@ -45,6 +45,9 @@ "5.1.4", "7.3.1", "7.3.2" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5147/common/resources/standards.adoc b/rules/S5147/common/resources/standards.adoc index 90ee342659..db880041c7 100644 --- a/rules/S5147/common/resources/standards.adoc +++ b/rules/S5147/common/resources/standards.adoc @@ -4,3 +4,5 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/943[CWE-943 - Improper Neutralization of Special Elements in Data Query Logic] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + 
diff --git a/rules/S5147/metadata.json b/rules/S5147/metadata.json index 99ff72cad5..65c9df48e1 100644 --- a/rules/S5147/metadata.json +++ b/rules/S5147/metadata.json @@ -48,6 +48,9 @@ "5.1.3", "5.1.4", "5.3.4" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5273/cfamily/metadata.json b/rules/S5273/cfamily/metadata.json index 0ea948ddfd..e44df73a45 100644 --- a/rules/S5273/cfamily/metadata.json +++ b/rules/S5273/cfamily/metadata.json @@ -17,8 +17,12 @@ "suspicious" ], "extra": { - "replacementRules": [], - "legacyKeys": [] + "replacementRules": [ + + ], + "legacyKeys": [ + + ] }, "defaultSeverity": "Major", "ruleSpecification": "RSPEC-5273", @@ -32,6 +36,9 @@ 121, 122, 676 + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5273/cfamily/rule.adoc b/rules/S5273/cfamily/rule.adoc index d5db22fc0e..50876a925d 100644 --- a/rules/S5273/cfamily/rule.adoc +++ b/rules/S5273/cfamily/rule.adoc @@ -141,7 +141,7 @@ void bar(const char *src) { * CWE - https://cwe.mitre.org/data/definitions/121[CWE-121 Stack-based Buffer Overflow] * CWE - https://cwe.mitre.org/data/definitions/122[CWE-122 Heap-based Buffer Overflow] * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 Use of Potentially Dangerous Function] - +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5283/cfamily/metadata.json b/rules/S5283/cfamily/metadata.json index e80436d5bd..1b354d8625 100644 --- a/rules/S5283/cfamily/metadata.json +++ b/rules/S5283/cfamily/metadata.json @@ -31,9 +31,11 @@ "securityStandards": { "CERT": [ "ARR32-C." + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, - "defaultQualityProfiles": [ "Sonar way" ], 
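Review bot: The first hunk of rules/S5273/cfamily/metadata.json rewrites `"replacementRules": []` and `"legacyKeys": []` as three-line arrays containing an empty line, which looks like pretty-printer output (some serializers emit `[\n\n]` for empty arrays) rather than an intended edit; it is unrelated to the STIG entry added in the second hunk and should be reverted to `"replacementRules": [],` and `"legacyKeys": []`. The same empty-array expansion appears in rules/S5332/azureresourcemanager/metadata.json, where the whole file is additionally re-indented, and in rules/S5332/cloudformation/metadata.json, and a blank line is dropped before `"defaultQualityProfiles"` in rules/S5283/cfamily/metadata.json. Limiting these files to the added `STIG ASD 2023-06-08` arrays keeps the mapping change reviewable and keeps every metadata.json on the repository's existing formatting.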
diff --git a/rules/S5283/cfamily/rule.adoc b/rules/S5283/cfamily/rule.adoc index 0c527edd16..b0156446fa 100644 --- a/rules/S5283/cfamily/rule.adoc +++ b/rules/S5283/cfamily/rule.adoc @@ -208,6 +208,8 @@ and the {cpp} standard never supported it, however, they are commonly accepted a === Standards * CERT - https://wiki.sei.cmu.edu/confluence/display/c/ARR32-C.+Ensure+size+arguments+for+variable+length+arrays+are+in+a+valid+range[ARR32-C. Ensure size arguments for variable length arrays are in a valid range] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. + ifdef::env-github,rspecator-view[] diff --git a/rules/S5314/cfamily/metadata.json b/rules/S5314/cfamily/metadata.json index b630715dc7..87c0e165a7 100644 --- a/rules/S5314/cfamily/metadata.json +++ b/rules/S5314/cfamily/metadata.json @@ -32,6 +32,9 @@ "securityStandards": { "CWE": [ 367 + ], + "STIG ASD 2023-06-08": [ + "V-222567" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5314/cfamily/rule.adoc b/rules/S5314/cfamily/rule.adoc index 71a5a0c3db..02ce11d742 100644 --- a/rules/S5314/cfamily/rule.adoc +++ b/rules/S5314/cfamily/rule.adoc @@ -198,6 +198,10 @@ the ABA problem, where `A` and `B` refers to the values of the resource. == Resources +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. + === External coding guidelines * {cpp} Core Guidelines - https://github.com/isocpp/CppCoreGuidelines/blob/e49158a/CppCoreGuidelines.md#cp43-minimize-time-spent-in-a-critical-section[CP.43: Minimize time spent in a critical section] diff --git a/rules/S5328/php/metadata.json b/rules/S5328/php/metadata.json index 023887ecee..afb763ce95 100644 
--- a/rules/S5328/php/metadata.json +++ b/rules/S5328/php/metadata.json @@ -49,6 +49,10 @@ "2.3.1", "2.6.2", "2.9.2" + ], + "STIG ASD 2023-06-08": [ + "V-222579", + "V-222582" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5328/php/rule.adoc b/rules/S5328/php/rule.adoc index 95dc9743eb..ac348c535b 100644 --- a/rules/S5328/php/rule.adoc +++ b/rules/S5328/php/rule.adoc @@ -43,6 +43,8 @@ session_id(bin2hex(random_bytes(16))); // Compliant * CWE - https://cwe.mitre.org/data/definitions/340[CWE-340 - Generation of Predictable Numbers or Identifiers] * https://www.php.net/random-bytes[PHP: random_bytes()] * https://www.php.net/session-regenerate-id[PHP: session_regenerate_id()] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222579[Application Security and Development: V-222579] - Applications must use system-generated session identifiers that protect against session fixation. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs. ifdef::env-github,rspecator-view[] diff --git a/rules/S5332/apex/rule.adoc b/rules/S5332/apex/rule.adoc index 59a629934d..bb53c790e3 100644 --- a/rules/S5332/apex/rule.adoc +++ b/rules/S5332/apex/rule.adoc @@ -32,11 +32,9 @@ public class MyClient { include::../exceptions.adoc[] -== See +include::../see.adoc[] + -* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Information Exposure] ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S5332/azureresourcemanager/metadata.json b/rules/S5332/azureresourcemanager/metadata.json index 6908a72ec7..2d5d046524 100644 
--- a/rules/S5332/azureresourcemanager/metadata.json +++ b/rules/S5332/azureresourcemanager/metadata.json @@ -1,29 +1,45 @@ { - "tags": [ - "cwe" + "tags": [ + "cwe" + ], + "securityStandards": { + "CWE": [ + 200, + 319 ], - "securityStandards": { - "CWE": [ - 200, - 319 - ], - "OWASP": [ - ], - "OWASP Mobile": [ - ], - "MASVS": [ - ], - "OWASP Top 10 2021": [ - ], - "PCI DSS 3.2": [ - "4.1", - "6.5.4" - ], - "PCI DSS 4.0": [ - "4.2.1", - "6.2.4" - ], - "ASVS 4.0": [ - ] - } + "OWASP": [ + + ], + "OWASP Mobile": [ + + ], + "MASVS": [ + + ], + "OWASP Top 10 2021": [ + + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + + ], + "STIG ASD 2023-06-08": [ + "V-222397", + "V-222534", + "V-222562", + "V-222563", + "V-222577", + "V-222596", + "V-222597", + "V-222598", + "V-222599" + ] + } } diff --git a/rules/S5332/azureresourcemanager/rule.adoc b/rules/S5332/azureresourcemanager/rule.adoc index d18db09538..76faf748d8 100644 --- a/rules/S5332/azureresourcemanager/rule.adoc +++ b/rules/S5332/azureresourcemanager/rule.adoc @@ -421,7 +421,14 @@ resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = { ---- -include::see.adoc[] +== See + +include::../common/resources/documentation.adoc[] + +include::../common/resources/articles.adoc[] + +include::../common/resources/standards-iac.adoc[] + ifdef::env-github,rspecator-view[] diff --git a/rules/S5332/azureresourcemanager/see.adoc b/rules/S5332/azureresourcemanager/see.adoc deleted file mode 100644 index a517da6d6d..0000000000 --- a/rules/S5332/azureresourcemanager/see.adoc +++ /dev/null 
@@ -1,6 +0,0 @@ -== See - -* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor] -* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information] -* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web] -* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http] diff --git a/rules/S5332/cfamily/rule.adoc b/rules/S5332/cfamily/rule.adoc index da41f3e947..77f3f63803 100644 --- a/rules/S5332/cfamily/rule.adoc +++ b/rules/S5332/cfamily/rule.adoc @@ -50,6 +50,7 @@ include::../exceptions.adoc[] include::../see.adoc[] + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S5332/cloudformation/metadata.json b/rules/S5332/cloudformation/metadata.json index f44d6ea83f..a063ff0f7b 100644 --- a/rules/S5332/cloudformation/metadata.json +++ b/rules/S5332/cloudformation/metadata.json @@ -1,4 +1,4 @@ -{ +{ "tags": [ "aws", "cwe" @@ -9,12 +9,16 @@ 319 ], "OWASP": [ + ], "OWASP Mobile": [ + ], "MASVS": [ + ], "OWASP Top 10 2021": [ + ], "PCI DSS 3.2": [ "4.1", @@ -25,6 +29,18 @@ "6.2.4" ], "ASVS 4.0": [ + + ], + "STIG ASD 2023-06-08": [ + "V-222397", + "V-222534", + "V-222562", + "V-222563", + "V-222577", + "V-222596", + "V-222597", + "V-222598", + "V-222599" ] } } diff --git a/rules/S5332/cloudformation/rule.adoc b/rules/S5332/cloudformation/rule.adoc index cc59567052..19888f4200 100644 --- a/rules/S5332/cloudformation/rule.adoc +++ b/rules/S5332/cloudformation/rule.adoc 
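Review bot: The `@@ -1,4 +1,4 @@` hunk of rules/S5332/cloudformation/metadata.json replaces the opening `{` with a line that prints identically, so the real change is an invisible byte difference (a UTF-8 BOM, a CRLF line ending or trailing whitespace) and the diff does not show in which direction it went. If a BOM was removed that is a fix worth keeping, since RFC 8259 §8.1 forbids a BOM in interchanged JSON and strict parsers reject it; if one was added, or if the line gained CRLF, it should be reverted. Please confirm with a byte-level view of the two versions (e.g. `git diff --word-diff-regex=.` or a hex dump) and state the outcome in the PR description so the intent is recorded.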
@@ -193,14 +193,15 @@ Resources: InCluster: true ---- + == See -* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor] -* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information] -* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web] -* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http] -* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers -* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption +include::../common/resources/documentation.adoc[] + +include::../common/resources/articles.adoc[] + +include::../common/resources/standards-iac.adoc[] + ifdef::env-github,rspecator-view[] diff --git a/rules/S5332/common/resources/articles.adoc b/rules/S5332/common/resources/articles.adoc new file mode 100644 index 0000000000..b79594625d --- /dev/null +++ b/rules/S5332/common/resources/articles.adoc @@ -0,0 +1,4 @@ +=== Articles & blog posts + +* Google - https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Moving towards more secure web] +* Mozilla - https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Deprecating non secure http] diff --git a/rules/S5332/common/resources/documentation.adoc b/rules/S5332/common/resources/documentation.adoc new file mode 100644 index 0000000000..9868f6083d --- /dev/null +++ b/rules/S5332/common/resources/documentation.adoc 
@@ -0,0 +1,4 @@
+=== Documentation
+
+* AWS Documentation - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[Listeners for your Application Load Balancers]
+* AWS Documentation - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[Stream Encryption]
diff --git a/rules/S5332/common/resources/standards-iac.adoc b/rules/S5332/common/resources/standards-iac.adoc
new file mode 100644
index 0000000000..6515aaea44
--- /dev/null
+++ b/rules/S5332/common/resources/standards-iac.adoc
@@ -0,0 +1,13 @@
+=== Standards
+
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397[Application Security and Development: V-222397] - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534[Application Security and Development: V-222534] - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562[Application Security and Development: V-222562] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563[Application Security and Development: V-222563] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577[Application Security and Development: V-222577] - The application must not expose session IDs.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596[Application Security and Development: V-222596] - The application must protect the confidentiality and integrity of transmitted information.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597[Application Security and Development: V-222597] - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598[Application Security and Development: V-222598] - The application must maintain the confidentiality and integrity of information during preparation for transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599[Application Security and Development: V-222599] - The application must maintain the confidentiality and integrity of information during reception.
diff --git a/rules/S5332/common/resources/standards.adoc b/rules/S5332/common/resources/standards.adoc
new file mode 100644
index 0000000000..0375902247
--- /dev/null
+++ b/rules/S5332/common/resources/standards.adoc
@@ -0,0 +1,17 @@
+=== Standards
+
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397[Application Security and Development: V-222397] - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534[Application Security and Development: V-222534] - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562[Application Security and Development: V-222562] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563[Application Security and Development: V-222563] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577[Application Security and Development: V-222577] - The application must not expose session IDs.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596[Application Security and Development: V-222596] - The application must protect the confidentiality and integrity of transmitted information.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597[Application Security and Development: V-222597] - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598[Application Security and Development: V-222598] - The application must maintain the confidentiality and integrity of information during preparation for transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599[Application Security and Development: V-222599] - The application must maintain the confidentiality and integrity of information during reception.
diff --git a/rules/S5332/docker/metadata.json b/rules/S5332/docker/metadata.json
index adb9b0cae3..7ddff439a8 100644
--- a/rules/S5332/docker/metadata.json
+++ b/rules/S5332/docker/metadata.json
@@ -1,31 +1,46 @@
 {
- "tags": [
- "dockerfile",
- "cwe"
+ "tags": [
+ "dockerfile",
+ "cwe"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
 ],
- "securityStandards": {
- "CWE": [
- 200,
- 319
- ],
- "OWASP": [
- ],
- "OWASP Mobile": [
- ],
- "MASVS": [
- ],
- "OWASP Top 10 2021": [
- ],
- "PCI DSS 3.2": [
- "4.1",
- "6.5.4"
- ],
- "PCI DSS 4.0": [
- "4.2.1",
- "6.2.4"
- ],
- "ASVS 4.0": [
- ]
- }
+ "OWASP": [
+
+ ],
+ "OWASP Mobile": [
+
+ ],
+ "MASVS": [
+
+ ],
+ "OWASP Top 10 2021": [
+
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ }
 }
-
\ No newline at end of file
diff --git a/rules/S5332/docker/rule.adoc b/rules/S5332/docker/rule.adoc
index 12a70aa029..c53149edfd 100644
--- a/rules/S5332/docker/rule.adoc
+++ b/rules/S5332/docker/rule.adoc
@@ -34,12 +34,15 @@ RUN curl http://www.example.com/
 RUN curl https://www.example.com/
 ----
+
 == See
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
-* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-iac.adoc[]
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/go/rule.adoc b/rules/S5332/go/rule.adoc
index 06c1702040..c3e69d0d25 100644
--- a/rules/S5332/go/rule.adoc
+++ b/rules/S5332/go/rule.adoc
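Review bot: The docker metadata.json hunk replaces every line of the file although the only semantic change is the new `"STIG ASD 2023-06-08"` array; the rewrite also puts a blank line between the brackets of every empty array (`"OWASP": [`, an empty line, `],`), which is valid JSON but reads like serializer output rather than the hand-written layout the other metadata hunks in this commit keep. That noise hides the one addition a reviewer has to check and will be churned again the next time the file is touched by an editor with different settings. The kubernetes, terraform, cloudformation and S5696 metadata hunks show the same full-file rewrite, S5696 most visibly (`"replacementRules": []` becomes three lines). Emitting the new array with the same formatting as the files that only gained the array, or landing the reformat as its own commit, would keep the diff reviewable.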
@@ -54,6 +54,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/java/rule.adoc b/rules/S5332/java/rule.adoc
index 6ddd1d2fcf..70e14c40c0 100644
--- a/rules/S5332/java/rule.adoc
+++ b/rules/S5332/java/rule.adoc
@@ -85,6 +85,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/javascript/rule.adoc b/rules/S5332/javascript/rule.adoc
index cb44dd7e9a..9c73957b8c 100644
--- a/rules/S5332/javascript/rule.adoc
+++ b/rules/S5332/javascript/rule.adoc
@@ -471,6 +471,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/kotlin/rule.adoc b/rules/S5332/kotlin/rule.adoc
index ce0d68895d..b799c26804 100644
--- a/rules/S5332/kotlin/rule.adoc
+++ b/rules/S5332/kotlin/rule.adoc
@@ -85,6 +85,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/kubernetes/metadata.json b/rules/S5332/kubernetes/metadata.json
index 6908a72ec7..2d5d046524 100644
--- a/rules/S5332/kubernetes/metadata.json
+++ b/rules/S5332/kubernetes/metadata.json
@@ -1,29 +1,45 @@
 {
- "tags": [
- "cwe"
+ "tags": [
+ "cwe"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
 ],
- "securityStandards": {
- "CWE": [
- 200,
- 319
- ],
- "OWASP": [
- ],
- "OWASP Mobile": [
- ],
- "MASVS": [
- ],
- "OWASP Top 10 2021": [
- ],
- "PCI DSS 3.2": [
- "4.1",
- "6.5.4"
- ],
- "PCI DSS 4.0": [
- "4.2.1",
- "6.2.4"
- ],
- "ASVS 4.0": [
- ]
- }
+ "OWASP": [
+
+ ],
+ "OWASP Mobile": [
+
+ ],
+ "MASVS": [
+
+ ],
+ "OWASP Top 10 2021": [
+
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ }
 }
diff --git a/rules/S5332/kubernetes/rule.adoc b/rules/S5332/kubernetes/rule.adoc
index 91d2f1aa32..314f8d540c 100644
--- a/rules/S5332/kubernetes/rule.adoc
+++ b/rules/S5332/kubernetes/rule.adoc
@@ -53,12 +53,15 @@ spec:
 args: ["https://example.com/"]
 ----
+
 == See
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
-* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-iac.adoc[]
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/metadata.json b/rules/S5332/metadata.json
index 8713039f0c..c72b7c8fa5 100644
--- a/rules/S5332/metadata.json
+++ b/rules/S5332/metadata.json
@@ -52,6 +52,17 @@
 "1.9.1",
 "9.1.1",
 "9.2.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5332/php/rule.adoc b/rules/S5332/php/rule.adoc
index e10f9fb7ce..11c909e49d 100644
--- a/rules/S5332/php/rule.adoc
+++ b/rules/S5332/php/rule.adoc
@@ -47,6 +47,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/python/rule.adoc b/rules/S5332/python/rule.adoc
index 6c346b32a7..ef62497939 100644
--- a/rules/S5332/python/rule.adoc
+++ b/rules/S5332/python/rule.adoc
@@ -636,6 +636,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/see.adoc b/rules/S5332/see.adoc
index fe90c2dc7b..43075beb20 100644
--- a/rules/S5332/see.adoc
+++ b/rules/S5332/see.adoc
@@ -1,12 +1,7 @@
 == See
-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure ]
-* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
-* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
-* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption
+include::common/resources/documentation.adoc[]
+
+include::common/resources/articles.adoc[]
+
+include::common/resources/standards.adoc[]
diff --git a/rules/S5332/terraform/metadata.json b/rules/S5332/terraform/metadata.json
index d53d8bf22d..db9a4e06e0 100644
--- a/rules/S5332/terraform/metadata.json
+++ b/rules/S5332/terraform/metadata.json
@@ -1,22 +1,26 @@
 {
- "tags": [
- "aws",
- "azure",
- "gcp",
- "cwe"
- ],
+ "tags": [
+ "aws",
+ "azure",
+ "gcp",
+ "cwe"
+ ],
 "securityStandards": {
 "CWE": [
 200,
 319
 ],
 "OWASP": [
+
 ],
 "OWASP Mobile": [
+
 ],
 "MASVS": [
+
 ],
 "OWASP Top 10 2021": [
+
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -27,6 +31,18 @@
 "6.2.4"
 ],
 "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
 ]
 }
 }
diff --git a/rules/S5332/terraform/rule.adoc b/rules/S5332/terraform/rule.adoc
index 5276b6734d..2c7063b211 100644
--- a/rules/S5332/terraform/rule.adoc
+++ b/rules/S5332/terraform/rule.adoc
@@ -210,14 +210,15 @@ resource "google_compute_region_backend_service" "example" {
 include::../exceptions.adoc[]
+
 == See
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
-* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
-* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-iac.adoc[]
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/vbnet/rule.adoc b/rules/S5332/vbnet/rule.adoc
index 15d5366a6c..6926bef17c 100644
--- a/rules/S5332/vbnet/rule.adoc
+++ b/rules/S5332/vbnet/rule.adoc
@@ -42,6 +42,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/xml/rule.adoc b/rules/S5332/xml/rule.adoc
index ec09b84468..c828a96be9 100644
--- a/rules/S5332/xml/rule.adoc
+++ b/rules/S5332/xml/rule.adoc
@@ -33,6 +33,7 @@ is implicitely set to ``++true++``.
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5334/common/resources/standards.adoc b/rules/S5334/common/resources/standards.adoc
index 19d4ffcbe6..b9c1a912ce 100644
--- a/rules/S5334/common/resources/standards.adoc
+++ b/rules/S5334/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5334/metadata.json b/rules/S5334/metadata.json
index 09ecfc4503..0ca7bc491b 100644
--- a/rules/S5334/metadata.json
+++ b/rules/S5334/metadata.json
@@ -49,6 +49,9 @@
 "5.1.4",
 "5.2.4",
 "5.5.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5335/php/metadata.json b/rules/S5335/php/metadata.json
index 03f84d2602..dfb13627d3 100644
--- a/rules/S5335/php/metadata.json
+++ b/rules/S5335/php/metadata.json
@@ -52,6 +52,9 @@
 "12.3.6",
 "5.1.3",
 "5.3.9"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5335/php/rule.adoc b/rules/S5335/php/rule.adoc
index 60c46fb758..877e948207 100644
--- a/rules/S5335/php/rule.adoc
+++ b/rules/S5335/php/rule.adoc
@@ -96,6 +96,8 @@ client-side front-ends.
 == Resources
+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
@@ -103,6 +105,7 @@ client-side front-ends.
 * CWE - https://cwe.mitre.org/data/definitions/97[CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page]
 * CWE - https://cwe.mitre.org/data/definitions/98[CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')]
 * CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5344/common/resources/standards.adoc b/rules/S5344/common/resources/standards.adoc
index cd23c7d9f7..ee360d15d9 100644
--- a/rules/S5344/common/resources/standards.adoc
+++ b/rules/S5344/common/resources/standards.adoc
@@ -5,4 +5,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/256[CWE-256 - Plaintext Storage of a Password]
 * CWE - https://cwe.mitre.org/data/definitions/916[CWE-916 - Use of Password Hash With Insufficient Computational Effort]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.
diff --git a/rules/S5344/metadata.json b/rules/S5344/metadata.json
index dc7b98eaa2..c51506f2a9 100644
--- a/rules/S5344/metadata.json
+++ b/rules/S5344/metadata.json
@@ -53,6 +53,9 @@
 "2.4.3",
 "2.4.4",
 "2.4.5"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222542"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5421/cfamily/metadata.json b/rules/S5421/cfamily/metadata.json
index b756f25f13..8e9e337da7 100644
--- a/rules/S5421/cfamily/metadata.json
+++ b/rules/S5421/cfamily/metadata.json
@@ -29,6 +29,11 @@
 "ruleSpecification": "RSPEC-5421",
 "sqKey": "S5421",
 "scope": "Main",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222567"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S5421/cfamily/rule.adoc b/rules/S5421/cfamily/rule.adoc
index 252336c685..be6993aa29 100644
--- a/rules/S5421/cfamily/rule.adoc
+++ b/rules/S5421/cfamily/rule.adoc
@@ -46,7 +46,10 @@ int main() {
 == Resources
+=== Standards
+
 * {cpp} Core Guidelines - https://github.com/isocpp/CppCoreGuidelines/blob/e49158a/CppCoreGuidelines.md#i2-avoid-non-const-global-variables[I.2: Avoid non-`const` global variables]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5443/metadata.json b/rules/S5443/metadata.json
index 33d4492cb3..532a5ee58c 100644
--- a/rules/S5443/metadata.json
+++ b/rules/S5443/metadata.json
@@ -40,6 +40,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5443/python/rule.adoc b/rules/S5443/python/rule.adoc
index fda36cb1b7..bdd80bd2f1 100644
--- a/rules/S5443/python/rule.adoc
+++ b/rules/S5443/python/rule.adoc
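Review bot: The `"securityStandards"` block added to the S5421 metadata maps the rule to V-222567 (race conditions), yet the only standard the matching rule.adoc hunk cites is Core Guidelines I.2, avoid non-`const` global variables, which is a design rule rather than a concurrency check. A mutable global becomes a race only when it is touched from more than one thread without synchronisation, and nothing in this hunk suggests the rule reasons about threads, so reports derived from the mapping may over-state V-222567 coverage; the S5486 and S5487 mappings in the later hunks have a far more direct claim to that ID. If the link is intentional, a short rationale on the new resources line, e.g. `... - unsynchronised access to mutable globals is a common source of data races`, would let a reader see why the rule is listed.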
@@ -33,6 +33,8 @@ file = tempfile.TemporaryFile(dir="/tmp/my_subdirectory", mode='"w+") # Complian
 * CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
 * https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File[OWASP, Insecure Temporary File]
 * https://docs.python.org/3/library/tempfile.html[Python tempfile module]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5443/see.adoc b/rules/S5443/see.adoc
index af5a0ffc22..5db191a61d 100644
--- a/rules/S5443/see.adoc
+++ b/rules/S5443/see.adoc
@@ -5,4 +5,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File]
 * CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
-* https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File[OWASP, Insecure Temporary File]
\ No newline at end of file
+* https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File[OWASP, Insecure Temporary File]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
diff --git a/rules/S5445/common/resources/standards.adoc b/rules/S5445/common/resources/standards.adoc
index 037e90b8e6..36de23d385 100644
--- a/rules/S5445/common/resources/standards.adoc
+++ b/rules/S5445/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File]
 * CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
diff --git a/rules/S5445/metadata.json b/rules/S5445/metadata.json
index ff1315c89b..18c11c9707 100644
--- a/rules/S5445/metadata.json
+++ b/rules/S5445/metadata.json
@@ -43,6 +43,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5486/cfamily/metadata.json b/rules/S5486/cfamily/metadata.json
index 64db0b317c..8f2cfbbe91 100644
--- a/rules/S5486/cfamily/metadata.json
+++ b/rules/S5486/cfamily/metadata.json
@@ -32,6 +32,9 @@
 "securityStandards": {
 "CWE": [
 764
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5486/cfamily/rule.adoc b/rules/S5486/cfamily/rule.adoc
index 04dae45dc9..c09be4ca2b 100644
--- a/rules/S5486/cfamily/rule.adoc
+++ b/rules/S5486/cfamily/rule.adoc
@@ -169,6 +169,7 @@ void locks(bool calcFib, int n) {
 * CWE - https://cwe.mitre.org/data/definitions/764[CWE-764 Multiple Locks of a Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/362[CWE-362 Multiple Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
 === Related rules
diff --git a/rules/S5487/cfamily/metadata.json b/rules/S5487/cfamily/metadata.json
index 3cc799da76..97a8a437ee 100644
--- a/rules/S5487/cfamily/metadata.json
+++ b/rules/S5487/cfamily/metadata.json
@@ -28,6 +28,11 @@
 "ruleSpecification": "RSPEC-5487",
 "sqKey": "S5487",
 "scope": "All",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222567"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S5487/cfamily/rule.adoc b/rules/S5487/cfamily/rule.adoc
index 45b212ef80..ee44574be3 100644
--- a/rules/S5487/cfamily/rule.adoc
+++ b/rules/S5487/cfamily/rule.adoc
@@ -213,6 +213,10 @@ void use_and_destroy_initialized()
 * CppCon 2020 - https://youtu.be/A7sVFJLJM-A?si=v76jhmv3XnHExZYU[An Introduction to Multithreading in {cpp}20]
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
 === Related rules
 * S5486 enforces the proper locking and unlocking of `pthread` mutexes.
diff --git a/rules/S5496/java/rule.adoc b/rules/S5496/java/rule.adoc
index de3eb44cbd..5bd3608afd 100644
--- a/rules/S5496/java/rule.adoc
+++ b/rules/S5496/java/rule.adoc
@@ -17,10 +17,9 @@ include::how-to-fix-it/groovy.adoc[]
 * https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/[Exploiting SSTI in Thymeleaf]
-=== Standards
-
 include::../standards.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
@@ -32,4 +31,4 @@ ifdef::env-github,rspecator-view[]
 include::../message.adoc[]
 '''
-endif::env-github,rspecator-view[]
\ No newline at end of file
+endif::env-github,rspecator-view[]
diff --git a/rules/S5496/metadata.json b/rules/S5496/metadata.json
index 0393965dde..fda9d998c9 100644
--- a/rules/S5496/metadata.json
+++ b/rules/S5496/metadata.json
@@ -48,6 +48,9 @@
 "ASVS 4.0": [
 "5.2.5",
 "5.2.8"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5496/python/rule.adoc b/rules/S5496/python/rule.adoc
index 3609ff0134..6c75cbd379 100644
--- a/rules/S5496/python/rule.adoc
+++ b/rules/S5496/python/rule.adoc
@@ -59,10 +59,9 @@ of the initially intended template logic.
 * https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]
-=== Standards
-
 include::../standards.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5496/standards.adoc b/rules/S5496/standards.adoc
index c9fa05d325..861a87a7f9 100644
--- a/rules/S5496/standards.adoc
+++ b/rules/S5496/standards.adoc
@@ -1,3 +1,7 @@
+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
-* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5527/common/resources/standards.adoc b/rules/S5527/common/resources/standards.adoc
index f94cf27d19..bb305579ce 100644
--- a/rules/S5527/common/resources/standards.adoc
+++ b/rules/S5527/common/resources/standards.adoc
@@ -8,3 +8,5 @@
 * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
 * CWE - https://cwe.mitre.org/data/definitions/297[CWE-297 - Improper Validation of Certificate with Host Mismatch]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
+
diff --git a/rules/S5527/metadata.json b/rules/S5527/metadata.json
index a6cb1e0853..17c4566fab 100644
--- a/rules/S5527/metadata.json
+++ b/rules/S5527/metadata.json
@@ -56,6 +56,9 @@
 "PCI DSS 4.0": [
 "4.2.1",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222550"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5547/cfamily/metadata.json b/rules/S5547/cfamily/metadata.json
index 7f87e8b9d4..cfc0990719 100644
--- a/rules/S5547/cfamily/metadata.json
+++ b/rules/S5547/cfamily/metadata.json
@@ -39,6 +39,9 @@
 "6.2.3",
 "6.2.5",
 "8.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222396"
 ]
 }
 }
diff --git a/rules/S5547/common/resources/standards.adoc b/rules/S5547/common/resources/standards.adoc
index 938a3f6b34..2823320464 100644
--- a/rules/S5547/common/resources/standards.adoc
+++ b/rules/S5547/common/resources/standards.adoc
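Review bot: The S5527 metadata hunk maps the rule to V-222550, whose title in the standards.adoc hunk above is about constructing a certification path to an accepted trust anchor, while the rule's own reference is CWE-297, improper validation of certificate with host mismatch. Chain validation and hostname verification are independent checks — a client can build a valid path to a trusted CA and still accept a certificate issued to a different host — so a finding from this rule does not establish the property V-222550 asks for. If V-222550 is the nearest ASD requirement available, marking the link as partial in the resources line (`... - partial: this rule covers hostname verification, not path building`) keeps downstream compliance reports honest. The S5547 hunk further down this line has the inverse mismatch, mapping a general weak-algorithm rule (CWE-327) to V-222396, which is scoped to remote-access sessions; that over-scope is less harmful but deserves the same caveat.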
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222396[Application Security and Development: V-222396] - The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
+
diff --git a/rules/S5547/java/metadata.json b/rules/S5547/java/metadata.json
index 29fd7c9813..299134becc 100644
--- a/rules/S5547/java/metadata.json
+++ b/rules/S5547/java/metadata.json
@@ -34,6 +34,9 @@
 "6.2.3",
 "6.2.5",
 "8.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222396"
 ]
 }
 }
diff --git a/rules/S5547/metadata.json b/rules/S5547/metadata.json
index 2dfbef097a..9222c87f2a 100644
--- a/rules/S5547/metadata.json
+++ b/rules/S5547/metadata.json
@@ -60,6 +60,9 @@
 "6.2.3",
 "6.2.5",
 "8.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222396"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5696/common/resources/standards.adoc b/rules/S5696/common/resources/standards.adoc
index a0aa59a280..6e42c2c04a 100644
--- a/rules/S5696/common/resources/standards.adoc
+++ b/rules/S5696/common/resources/standards.adoc
@@ -3,3 +3,5 @@
* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5696/metadata.json b/rules/S5696/metadata.json
index fe2a89cb0b..7bd1b1995c 100644
--- a/rules/S5696/metadata.json
+++ b/rules/S5696/metadata.json
@@ -1,50 +1,57 @@
{
- "title": "DOM updates should not lead to cross-site scripting (XSS) attacks",
- "type": "VULNERABILITY",
- "code": {
- "impacts": {
- "SECURITY": "HIGH"
- },
- "attribute": "COMPLETE"
+ "title": "DOM updates should not lead to cross-site scripting (XSS) attacks",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
},
- "status": "ready",
- "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "30min"
- },
- "tags": [
- "cwe"
+ "attribute": "COMPLETE"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe"
+ ],
+ "extra": {
+ "replacementRules": [
+
],
- "extra": {
- "replacementRules": [],
- "legacyKeys": []
- },
- "defaultSeverity": "Blocker",
- "ruleSpecification": "RSPEC-5696",
- "sqKey": "S5696",
- "scope": "Tests",
- "securityStandards": {
- "CWE": [
- 79
- ],
- "OWASP": [
- "A7"
- ],
- "OWASP Top 10 2021": [
- "A3"
- ],
- "PCI DSS 3.2": [
- "6.5.7"
- ],
- "PCI DSS 4.0": [
- "6.2.4"
- ],
- "ASVS 4.0": [
- "5.3.3"
- ]
- },
- "defaultQualityProfiles": [
- "Sonar way"
+ "legacyKeys": [
+
+ ]
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-5696",
+ "sqKey": "S5696",
+ "scope": "Tests",
+ "securityStandards": {
+ "CWE": [
+ 79
],
- "quickfix": "unknown"
-}
\ No newline at end of file
+ "OWASP": [
+ "A7"
+ ],
+ "OWASP Top 10 2021": [
+ "A3"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.7"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.3.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S5782/cfamily/metadata.json b/rules/S5782/cfamily/metadata.json
index 8c235ce644..39ad3f4f79 100644
--- a/rules/S5782/cfamily/metadata.json
+++ b/rules/S5782/cfamily/metadata.json
@@ -51,6 +51,9 @@
],
"PCI DSS 4.0": [
"6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
]
},
"defaultQualityProfiles": [
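Review bot: The S5696 metadata.json hunk rewrites all 50 lines of the file to change indentation, and the re-serialisation renders the two empty arrays as `"replacementRules": [`, an empty line, `],` and `"legacyKeys": [`, an empty line, `]`, whereas the removed lines and every other metadata.json hunk in this commit use the compact `"replacementRules": [],` / `"legacyKeys": []` form. The only substantive changes are the `"STIG ASD 2023-06-08": [ "V-222609" ]` entry and the restored trailing newline; the whitespace churn hides them in review and will show up again in the blame of every later edit. Suggest re-serialising with the same formatter the other metadata files evidently use so the hunk shrinks to the `],` / new key / value lines, and keeping the one-line empty arrays. The S6105 metadata.json hunk further down has the same shape and should get the same treatment.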
diff --git a/rules/S5782/common/resources/standards.adoc b/rules/S5782/common/resources/standards.adoc index 8c418f8af0..fe2f1d6d31 100644 --- a/rules/S5782/common/resources/standards.adoc +++ b/rules/S5782/common/resources/standards.adoc @@ -5,4 +5,5 @@ * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer] * CWE - https://cwe.mitre.org/data/definitions/131[CWE-131 - Incorrect Calculation of Buffer Size] * CWE - https://cwe.mitre.org/data/definitions/788[CWE-788 - Access of Memory Location After End of Buffer] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. diff --git a/rules/S5801/cfamily/metadata.json b/rules/S5801/cfamily/metadata.json index a6f73dc76c..acefea6ea4 100644 --- a/rules/S5801/cfamily/metadata.json +++ b/rules/S5801/cfamily/metadata.json @@ -50,6 +50,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5801/cfamily/rule.adoc b/rules/S5801/cfamily/rule.adoc index f9f030eec1..2aab61b073 100644 --- a/rules/S5801/cfamily/rule.adoc +++ b/rules/S5801/cfamily/rule.adoc 
@@ -54,6 +54,7 @@ int f(char *src) { * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5813/cfamily/metadata.json b/rules/S5813/cfamily/metadata.json index 355de6bb19..b8bedaabf7 100644 --- a/rules/S5813/cfamily/metadata.json +++ b/rules/S5813/cfamily/metadata.json @@ -44,6 +44,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5813/cfamily/rule.adoc b/rules/S5813/cfamily/rule.adoc index f8b4aa5a2a..ee7aafdbca 100644 --- a/rules/S5813/cfamily/rule.adoc +++ b/rules/S5813/cfamily/rule.adoc @@ -56,6 +56,7 @@ size_t f(char *src) { * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5814/cfamily/metadata.json b/rules/S5814/cfamily/metadata.json index 53d461beb7..b28b1836a2 100644 --- a/rules/S5814/cfamily/metadata.json +++ b/rules/S5814/cfamily/metadata.json 
@@ -50,6 +50,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5814/cfamily/rule.adoc b/rules/S5814/cfamily/rule.adoc index 9287864578..0cef868260 100644 --- a/rules/S5814/cfamily/rule.adoc +++ b/rules/S5814/cfamily/rule.adoc @@ -57,6 +57,7 @@ int f(char *src) { * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5815/cfamily/metadata.json b/rules/S5815/cfamily/metadata.json index 467d12be3f..948d5aa219 100644 --- a/rules/S5815/cfamily/metadata.json +++ b/rules/S5815/cfamily/metadata.json @@ -50,6 +50,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5815/cfamily/rule.adoc b/rules/S5815/cfamily/rule.adoc index 11e4899933..3b7f7d54ea 100644 --- a/rules/S5815/cfamily/rule.adoc +++ b/rules/S5815/cfamily/rule.adoc 
@@ -55,6 +55,7 @@ int f(char *src) { * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5816/cfamily/metadata.json b/rules/S5816/cfamily/metadata.json index 81c72e6e62..7e57370641 100644 --- a/rules/S5816/cfamily/metadata.json +++ b/rules/S5816/cfamily/metadata.json @@ -50,6 +50,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5816/cfamily/rule.adoc b/rules/S5816/cfamily/rule.adoc index 5ad6aef967..4cc2d8a075 100644 --- a/rules/S5816/cfamily/rule.adoc +++ b/rules/S5816/cfamily/rule.adoc @@ -67,6 +67,7 @@ int f(char *src) { * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] 
diff --git a/rules/S5824/cfamily/metadata.json b/rules/S5824/cfamily/metadata.json index b71d214ecf..736ab637d1 100644 --- a/rules/S5824/cfamily/metadata.json +++ b/rules/S5824/cfamily/metadata.json @@ -49,6 +49,10 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222567", + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5824/cfamily/rule.adoc b/rules/S5824/cfamily/rule.adoc index 733ba2c30b..53d6a84b6b 100644 --- a/rules/S5824/cfamily/rule.adoc +++ b/rules/S5824/cfamily/rule.adoc @@ -58,7 +58,8 @@ int f(char *tempData) { * CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File] * https://wiki.sei.cmu.edu/confluence/display/c/CON33-C.+Avoid+race+conditions+when+using+library+functions[CERT, CON33-C.] - Avoid race conditions when using library functions * https://wiki.sei.cmu.edu/confluence/display/c/FIO21-C.+Do+not+create+temporary+files+in+shared+directories[CERT, FIO21-C.] - Do not create temporary files in shared directories - +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5847/cfamily/metadata.json b/rules/S5847/cfamily/metadata.json index 6258dcc411..2499ae82a1 100644 --- a/rules/S5847/cfamily/metadata.json +++ b/rules/S5847/cfamily/metadata.json @@ -24,6 +24,9 @@ ], "ASVS 4.0": [ "11.1.6" + ], + "STIG ASD 2023-06-08": [ + "V-222567" ] } } diff --git a/rules/S5847/cfamily/rule.adoc b/rules/S5847/cfamily/rule.adoc index 3d0f990e63..03f82b4268 100644 --- a/rules/S5847/cfamily/rule.adoc +++ b/rules/S5847/cfamily/rule.adoc 
@@ -64,6 +64,8 @@ check for its existence beforehand. * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] * CWE - https://cwe.mitre.org/data/definitions/367[CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. + ifdef::env-github,rspecator-view[] diff --git a/rules/S5847/metadata.json b/rules/S5847/metadata.json index ee58b6dc20..59ec93d61c 100644 --- a/rules/S5847/metadata.json +++ b/rules/S5847/metadata.json @@ -45,6 +45,9 @@ ], "ASVS 4.0": [ "11.1.6" + ], + "STIG ASD 2023-06-08": [ + "V-222567" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5876/common/resources/standards.adoc b/rules/S5876/common/resources/standards.adoc index 4160d48988..c7309aaacc 100644 --- a/rules/S5876/common/resources/standards.adoc +++ b/rules/S5876/common/resources/standards.adoc @@ -4,3 +4,6 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication] * https://owasp.org/www-community/attacks/Session_fixation[OWASP Sesssion Fixation] * CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222579[Application Security and Development: V-222579] - Applications must use system-generated session identifiers that protect against session fixation. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs. + 
diff --git a/rules/S5876/metadata.json b/rules/S5876/metadata.json index c97cbd85d8..81f081fd57 100644 --- a/rules/S5876/metadata.json +++ b/rules/S5876/metadata.json @@ -45,6 +45,10 @@ ], "ASVS 4.0": [ "3.2.1" + ], + "STIG ASD 2023-06-08": [ + "V-222579", + "V-222582" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5883/common/resources/standards.adoc b/rules/S5883/common/resources/standards.adoc index cc226e06ac..187f8e7ab4 100644 --- a/rules/S5883/common/resources/standards.adoc +++ b/rules/S5883/common/resources/standards.adoc @@ -4,4 +4,5 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. diff --git a/rules/S5883/metadata.json b/rules/S5883/metadata.json index 643c76019b..b2bda79d6c 100644 --- a/rules/S5883/metadata.json +++ b/rules/S5883/metadata.json @@ -47,6 +47,9 @@ "ASVS 4.0": [ "5.1.3", "5.1.4" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6069/cfamily/metadata.json b/rules/S6069/cfamily/metadata.json index 7575d756e1..571280ccbb 100644 --- a/rules/S6069/cfamily/metadata.json +++ b/rules/S6069/cfamily/metadata.json @@ -47,6 +47,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6069/cfamily/rule.adoc b/rules/S6069/cfamily/rule.adoc index f1c1734549..d0bb7061d0 100644 --- a/rules/S6069/cfamily/rule.adoc +++ b/rules/S6069/cfamily/rule.adoc 
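Review bot: S5876, whose standards.adoc hunk above cites CWE-384 Session Fixation, gains both `"V-222579"` and `"V-222582"` in its securityStandards; the quoted text of V-222582 is about not re-using or recycling session IDs, a distinct control from fixation, while V-222579 already names session fixation explicitly. Unless the rule's detections also cover session-ID reuse, consider dropping `"V-222582"` here and the matching bullet in the S5876 standards.adoc hunk. The S6287 metadata.json and standards.adoc hunks later in this commit attach V-222582 to CWE-384 in the same way and would warrant the same check.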
@@ -53,6 +53,7 @@ sprintf(buf, "%s", message);{code} * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function] * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S6096/common/resources/standards.adoc b/rules/S6096/common/resources/standards.adoc index 2ae72b4f8d..97a216c107 100644 --- a/rules/S6096/common/resources/standards.adoc +++ b/rules/S6096/common/resources/standards.adoc @@ -6,3 +6,5 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S6096/metadata.json b/rules/S6096/metadata.json index 31c45688d1..7708d22a39 100644 --- a/rules/S6096/metadata.json +++ b/rules/S6096/metadata.json @@ -51,6 +51,9 @@ "12.3.4", "5.1.3", "5.1.4" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6105/common/resources/standards.adoc b/rules/S6105/common/resources/standards.adoc index 0e28ee0f96..4f27cf9e31 100644 
--- a/rules/S6105/common/resources/standards.adoc
+++ b/rules/S6105/common/resources/standards.adoc
@@ -4,3 +4,5 @@
* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
* CWE - https://cwe.mitre.org/data/definitions/601[CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6105/metadata.json b/rules/S6105/metadata.json
index 6b3d12be7c..ed5956e8ce 100644
--- a/rules/S6105/metadata.json
+++ b/rules/S6105/metadata.json
@@ -1,53 +1,60 @@
{
- "title": "DOM updates should not lead to open redirect vulnerabilities",
- "type": "VULNERABILITY",
- "code": {
- "impacts": {
- "SECURITY": "HIGH"
- },
- "attribute": "COMPLETE"
+ "title": "DOM updates should not lead to open redirect vulnerabilities",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
},
- "status": "ready",
- "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "30min"
- },
- "tags": [
- "cwe"
+ "attribute": "COMPLETE"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe"
+ ],
+ "extra": {
+ "replacementRules": [
+
],
- "extra": {
- "replacementRules": [],
- "legacyKeys": []
- },
- "defaultSeverity": "Blocker",
- "ruleSpecification": "RSPEC-6105",
- "sqKey": "S6105",
- "scope": "Main",
- "securityStandards": {
- "CWE": [
- 20,
- 601
- ],
- "OWASP": [
- "A5"
- ],
- "OWASP Top 10 2021": [
- "A1"
- ],
- "PCI DSS 3.2": [
- "6.5.8"
- ],
- "PCI DSS 4.0": [
- "6.2.4"
- ],
- "ASVS 4.0": [
- "5.1.3",
- "5.1.4",
- "5.1.5"
- ]
- },
- "defaultQualityProfiles": [
- "Sonar way"
+ "legacyKeys": [
+
+ ]
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6105",
+ "sqKey": "S6105",
+ "scope": "Main",
+ "securityStandards": {
+ "CWE": [
+ 20,
+ 601
],
- "quickfix": "unknown"
-}
\ No newline at end of file
+ "OWASP": [
+ "A5"
+ ],
+ "OWASP Top 10 2021": [
+ "A1"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.8"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.1.3",
+ "5.1.4",
+ "5.1.5"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6173/common/resources/standards.adoc b/rules/S6173/common/resources/standards.adoc
index cdaedc45fb..2089575978 100644
--- a/rules/S6173/common/resources/standards.adoc
+++ b/rules/S6173/common/resources/standards.adoc
@@ -3,3 +3,5 @@
* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
* CWE - https://cwe.mitre.org/data/definitions/470[CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6173/metadata.json b/rules/S6173/metadata.json
index 1d1e40ebe7..dc6a2ea0d0 100644
--- a/rules/S6173/metadata.json
+++ b/rules/S6173/metadata.json
@@ -42,6 +42,9 @@
],
"PCI DSS 4.0": [
"6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
]
},
"defaultQualityProfiles": [
diff --git a/rules/S6179/cfamily/metadata.json b/rules/S6179/cfamily/metadata.json
index 538bfa5665..521cc57a65 100644
--- a/rules/S6179/cfamily/metadata.json
+++ b/rules/S6179/cfamily/metadata.json
@@ -29,6 +29,11 @@
"ruleSpecification": "RSPEC-6179",
"sqKey": "S6179",
"scope": "All",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222612"
+ ]
+ },
"defaultQualityProfiles": [
"Sonar way"
],
diff --git a/rules/S6179/cfamily/rule.adoc b/rules/S6179/cfamily/rule.adoc
index f6ff5b32ac..f4cee388fa 100644
--- a/rules/S6179/cfamily/rule.adoc
+++ b/rules/S6179/cfamily/rule.adoc
@@ -33,9 +33,16 @@ auto third = std::lerp(a, b, 0.3f); == Resources +=== Documentation + * {cpp} reference - https://en.cppreference.com/w/cpp/numeric/midpoint[std::midpoint] * {cpp} reference - https://en.cppreference.com/w/cpp/numeric/lerp[std::lerp] +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. + + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S6183/cfamily/metadata.json b/rules/S6183/cfamily/metadata.json index bb2b08f286..d5256e546a 100644 --- a/rules/S6183/cfamily/metadata.json +++ b/rules/S6183/cfamily/metadata.json @@ -37,6 +37,9 @@ ], "CWE": [ 195 + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6183/cfamily/rule.adoc b/rules/S6183/cfamily/rule.adoc index 1f341b2b3a..75d132bacd 100644 --- a/rules/S6183/cfamily/rule.adoc +++ b/rules/S6183/cfamily/rule.adoc @@ -176,6 +176,7 @@ void foo() { * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules[INT02-C. Understand integer conversion rules] * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data[INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data] * CWE - https://cwe.mitre.org/data/definitions/195[CWE-195 Signed to Unsigned Conversion Error] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. === Related rules diff --git a/rules/S6270/metadata.json b/rules/S6270/metadata.json index fdae780b9f..1f1d6f93ce 100644 --- a/rules/S6270/metadata.json +++ b/rules/S6270/metadata.json 
@@ -38,6 +38,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222620" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6270/see.adoc b/rules/S6270/see.adoc index 0d9741b7da..d2aed85fbf 100644 --- a/rules/S6270/see.adoc +++ b/rules/S6270/see.adoc @@ -3,3 +3,5 @@ * https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege[AWS Documentation] - Grant least privilege * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource] * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers. + diff --git a/rules/S6281/metadata.json b/rules/S6281/metadata.json index b369a8e553..4ed18e2f86 100644 --- a/rules/S6281/metadata.json +++ b/rules/S6281/metadata.json @@ -37,6 +37,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222620" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6281/see.adoc b/rules/S6281/see.adoc index e1ffb8f5cf..e4e36b22c4 100644 --- a/rules/S6281/see.adoc +++ b/rules/S6281/see.adoc @@ -2,3 +2,5 @@ * https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html[AWS Documentation] - Blocking public access to your Amazon S3 storage * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers. + 
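Review bot: `"V-222620"` is added to the securityStandards of S6270 and S6281, whose see.adoc hunks on this same line describe them through CWE-732/CWE-284 (IAM least privilege, S3 public access), yet the quoted requirement text is about placing application web servers on a network segment separate from the application and database servers. The only rule in this commit whose subject is network placement is S6329 (VPC peering, CWE-668, in the last hunks below), so the S6270 and S6281 mappings look like a stretch; confirm against the STIG check text, or remove `"V-222620"` and the matching see.adoc bullets from those two rules.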
diff --git a/rules/S6287/common/resources/standards.adoc b/rules/S6287/common/resources/standards.adoc
index a819004c9b..c64ed9e868 100644
--- a/rules/S6287/common/resources/standards.adoc
+++ b/rules/S6287/common/resources/standards.adoc
@@ -4,3 +4,6 @@
* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
* CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6287/metadata.json b/rules/S6287/metadata.json
index b07a270100..a8c9441c4c 100644
--- a/rules/S6287/metadata.json
+++ b/rules/S6287/metadata.json
@@ -47,6 +47,10 @@
"ASVS 4.0": [
"5.1.3",
"5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222582",
+ "V-222609"
]
},
"defaultQualityProfiles": [
diff --git a/rules/S6290/secrets/metadata.json b/rules/S6290/secrets/metadata.json
index 178bb00f0f..2f20b266ae 100644
--- a/rules/S6290/secrets/metadata.json
+++ b/rules/S6290/secrets/metadata.json
@@ -52,6 +52,9 @@
"2.10.4",
"3.5.2",
"6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
]
},
"defaultQualityProfiles": [
diff --git a/rules/S6292/secrets/metadata.json b/rules/S6292/secrets/metadata.json
index 8039ca052d..824adf58a8 100644
--- a/rules/S6292/secrets/metadata.json
+++ b/rules/S6292/secrets/metadata.json
@@ -52,6 +52,9 @@
"2.10.4",
"3.5.2",
"6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
]
},
"defaultQualityProfiles": [
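Review bot: The S6290 and S6292 secrets metadata.json hunks add `"V-222642"` to securityStandards without any accompanying resources or see hunk, whereas every other rule visible in this part of the diff pairs the metadata entry with a `* STIG Viewer - ...` bullet in its adoc; the rule pages for these two would list the standard in metadata but not in the rendered resources. If the secrets rule template has no standards section this is expected, otherwise the matching bullet for V-222642 should be added, with the requirement's title quoted from the STIG as the other hunks do.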
diff --git a/rules/S6303/metadata.json b/rules/S6303/metadata.json index 33404758f1..f3908938a5 100644 --- a/rules/S6303/metadata.json +++ b/rules/S6303/metadata.json @@ -39,6 +39,9 @@ "PCI DSS 4.0": [ "2.2", "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222588" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6303/see.adoc b/rules/S6303/see.adoc index 1256a7452c..035465c64f 100644 --- a/rules/S6303/see.adoc +++ b/rules/S6303/see.adoc @@ -2,3 +2,5 @@ * https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html[AWS Documentation] - Encrypting Amazon RDS resources * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest. + diff --git a/rules/S6308/elasticsearch_see.adoc b/rules/S6308/elasticsearch_see.adoc index 7734481e72..f66398dead 100644 --- a/rules/S6308/elasticsearch_see.adoc +++ b/rules/S6308/elasticsearch_see.adoc @@ -2,3 +2,5 @@ * https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html[AWS Documentation] - Encryption of data at rest for Amazon Elasticsearch Service * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest. + diff --git a/rules/S6308/metadata.json b/rules/S6308/metadata.json index 6a31d27fae..434c43a44a 100644 --- a/rules/S6308/metadata.json +++ b/rules/S6308/metadata.json 
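Review bot: `"V-222588"` is attached to S6303 here, and to S6308, S6319 and S6327 in the following hunks, all of which cite CWE-311 Missing Encryption of Sensitive Data in their see.adoc, i.e. confidentiality of data at rest; the quoted V-222588 text is about cryptographic mechanisms that prevent unauthorized modification of information at rest, which is an integrity control. Verify whether a confidentiality-focused data-at-rest requirement in the same STIG release is the intended target; if so, the ID should be replaced in the four metadata.json hunks and the matching see.adoc bullets, and if V-222588 is indeed intended, the bullet's title should not be read as implying the rules check integrity protection.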
@@ -39,6 +39,9 @@
 "PCI DSS 4.0": [
 "2.2",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222588"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6308/opensearch_see.adoc b/rules/S6308/opensearch_see.adoc
index 1dc1403dfa..062b89830e 100644
--- a/rules/S6308/opensearch_see.adoc
+++ b/rules/S6308/opensearch_see.adoc
@@ -2,3 +2,5 @@
 * https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html[AWS Documentation] - Encryption of data at rest for Amazon OpenSearch Service
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.
+
diff --git a/rules/S6319/metadata.json b/rules/S6319/metadata.json
index 9bbe2be405..d10be0ebc4 100644
--- a/rules/S6319/metadata.json
+++ b/rules/S6319/metadata.json
@@ -39,6 +39,9 @@
 "PCI DSS 4.0": [
 "2.2",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222588"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6319/see.adoc b/rules/S6319/see.adoc
index dcf8b80914..0d37d1c494 100644
--- a/rules/S6319/see.adoc
+++ b/rules/S6319/see.adoc
@@ -2,3 +2,4 @@
 * https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html[Protect Data at Rest Using Encryption]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.
diff --git a/rules/S6327/metadata.json b/rules/S6327/metadata.json
index 7fadad9bb5..a9e3bd44f1 100644
--- a/rules/S6327/metadata.json
+++ b/rules/S6327/metadata.json
@@ -41,6 +41,9 @@
 "2.2",
 "4.2.1",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222588"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6327/see.adoc b/rules/S6327/see.adoc
index f0838c4c71..d43a57148f 100644
--- a/rules/S6327/see.adoc
+++ b/rules/S6327/see.adoc
@@ -3,3 +3,4 @@
 * https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html[AWS Documentation] - Encryption at rest
 * https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/[Encrypting messages published to Amazon SNS with AWS KMS]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.
diff --git a/rules/S6329/metadata.json b/rules/S6329/metadata.json
index 3aa2e9e789..a265bd5ad2 100644
--- a/rules/S6329/metadata.json
+++ b/rules/S6329/metadata.json
@@ -38,6 +38,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222620"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6329/see.adoc b/rules/S6329/see.adoc
index 37db6d8d8d..a96400fb9e 100644
--- a/rules/S6329/see.adoc
+++ b/rules/S6329/see.adoc
@@ -5,3 +5,4 @@
 * https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html[AWS Documentation] - VPC Peering
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers.
diff --git a/rules/S6330/metadata.json b/rules/S6330/metadata.json
index 3010a0458e..cea2e88d0f 100644
--- a/rules/S6330/metadata.json
+++ b/rules/S6330/metadata.json
@@ -39,6 +39,9 @@
 "PCI DSS 4.0": [
 "2.2",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222588"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6330/see.adoc b/rules/S6330/see.adoc
index deaeec859b..f9f1b36044 100644
--- a/rules/S6330/see.adoc
+++ b/rules/S6330/see.adoc
@@ -2,3 +2,4 @@
 * https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html[AWS Documentation] - Encryption at rest
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.
diff --git a/rules/S6333/metadata.json b/rules/S6333/metadata.json
index 79491b684f..32a6de0728 100644
--- a/rules/S6333/metadata.json
+++ b/rules/S6333/metadata.json
@@ -37,6 +37,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222620"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6333/see.adoc b/rules/S6333/see.adoc
index 3378ed4156..9ebc9b06bf 100644
--- a/rules/S6333/see.adoc
+++ b/rules/S6333/see.adoc
@@ -2,3 +2,4 @@
 * https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html[AWS Documentation] - Controlling and managing access to a REST API in API Gateway
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers.
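Review bot: V-222620 ("Application web servers must be on a separate network segment from the application and database servers") is a network-segmentation requirement, but the S6333/metadata.json hunk attaches it to a rule whose only other standard is CWE-284 Improper Access Control and whose see.adoc is about controlling access to a REST API in API Gateway; the same tag is reused for S6404 (CWE-668, a GKE cluster rule). For S6329 (VPC peering, CWE-668) the fit is plausible; for an API authorization rule it reads as a keyword match rather than a requirement match, and over-broad tagging dilutes the compliance view this metadata feeds. Suggest checking each V-222620 mapping against the finding's check text and dropping it where the rule is about authentication or authorization rather than segmentation.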
diff --git a/rules/S6334/secrets/metadata.json b/rules/S6334/secrets/metadata.json
index 158b1dfa56..f9af772d7b 100644
--- a/rules/S6334/secrets/metadata.json
+++ b/rules/S6334/secrets/metadata.json
@@ -44,6 +44,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6335/secrets/metadata.json b/rules/S6335/secrets/metadata.json
index f46c6ad252..d94a22f1d7 100644
--- a/rules/S6335/secrets/metadata.json
+++ b/rules/S6335/secrets/metadata.json
@@ -44,6 +44,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6336/secrets/metadata.json b/rules/S6336/secrets/metadata.json
index 198028bd79..39968f3163 100644
--- a/rules/S6336/secrets/metadata.json
+++ b/rules/S6336/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6337/secrets/metadata.json b/rules/S6337/secrets/metadata.json
index 3758e338d2..46883548f8 100644
--- a/rules/S6337/secrets/metadata.json
+++ b/rules/S6337/secrets/metadata.json
@@ -44,6 +44,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6338/secrets/metadata.json b/rules/S6338/secrets/metadata.json
index 7f036648c4..7fc4f67011 100644
--- a/rules/S6338/secrets/metadata.json
+++ b/rules/S6338/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6350/metadata.json b/rules/S6350/metadata.json
index a03f79e7fd..d6104d198f 100644
--- a/rules/S6350/metadata.json
+++ b/rules/S6350/metadata.json
@@ -30,6 +30,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "extra": {
diff --git a/rules/S6350/see.adoc b/rules/S6350/see.adoc
index 00a3434a09..aa9dcc2e3f 100644
--- a/rules/S6350/see.adoc
+++ b/rules/S6350/see.adoc
@@ -4,3 +4,4 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification]
 * https://blog.sonarsource.com/php-supply-chain-attack-on-composer[CVE-2021-29472] - PHP Supply Chain Attack on Composer
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6373/java/rule.adoc b/rules/S6373/java/rule.adoc
index 02c9d0c9f0..a7bf04128f 100644
--- a/rules/S6373/java/rule.adoc
+++ b/rules/S6373/java/rule.adoc
@@ -75,6 +75,7 @@ property to `false`.
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 - Category A5 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Improper Restriction of XML External Entity Reference]
 * CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6373/metadata.json b/rules/S6373/metadata.json
index e9671a4f1f..af13ed42db 100644
--- a/rules/S6373/metadata.json
+++ b/rules/S6373/metadata.json
@@ -46,6 +46,9 @@
 ],
 "ASVS 4.0": [
 "5.5.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6376/java/rule.adoc b/rules/S6376/java/rule.adoc
index 6ace43e673..d596252e36 100644
--- a/rules/S6376/java/rule.adoc
+++ b/rules/S6376/java/rule.adoc
@@ -40,6 +40,10 @@ include::how-to-fix-it/jdom2.adoc[]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/776[CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222593[Application Security and Development: V-222593] - XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6376/metadata.json b/rules/S6376/metadata.json
index caac9fed78..d7f8b4903a 100644
--- a/rules/S6376/metadata.json
+++ b/rules/S6376/metadata.json
@@ -13,6 +13,7 @@
 "constantCost": "15min"
 },
 "tags": [
+
 ],
 "extra": {
 "replacementRules": [
@@ -35,6 +36,11 @@
 ],
 "OWASP Top 10 2021": [
 "A5"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222593",
+ "V-222608",
+ "V-222667"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6377/common/resources/standards.adoc b/rules/S6377/common/resources/standards.adoc
index 5bd590f1e0..65e0a7babd 100644
--- a/rules/S6377/common/resources/standards.adoc
+++ b/rules/S6377/common/resources/standards.adoc
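Review bot: The first S6376/metadata.json hunk (`@@ -13,6 +13,7 @@`) only inserts an empty line inside the already-empty `tags` array (`"tags": [` / `+` / `],`), which is whitespace noise unrelated to the STIG mapping and looks like an editor reflow rather than an intended edit; S6680/metadata.json does the same inside its empty `PCI DSS 3.2`, `PCI DSS 4.0` and `ASVS 4.0` arrays. Either drop those blank lines, or better remove the empty standard arrays altogether, since an empty list carries no information and the blank-line form is what the next formatter run will churn on. The STIG entries in the second hunk (`"V-222593"`, `"V-222608"`, `"V-222667"`) do match the three references added to rule.adoc.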
@@ -3,3 +3,4 @@
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10:2021 A02:2021 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/347[CWE-347 - Improper Verification of Cryptographic Signature]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
diff --git a/rules/S6377/metadata.json b/rules/S6377/metadata.json
index 47f76c253a..5c6103d140 100644
--- a/rules/S6377/metadata.json
+++ b/rules/S6377/metadata.json
@@ -35,6 +35,9 @@
 ],
 "OWASP Top 10 2021": [
 "A2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6384/common/resources/standards.adoc b/rules/S6384/common/resources/standards.adoc
index 1089a1dcfc..98742adc31 100644
--- a/rules/S6384/common/resources/standards.adoc
+++ b/rules/S6384/common/resources/standards.adoc
@@ -2,4 +2,5 @@
 * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
-* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6384/metadata.json b/rules/S6384/metadata.json
index 92f9a48014..90cb487c18 100644
--- a/rules/S6384/metadata.json
+++ b/rules/S6384/metadata.json
@@ -40,6 +40,9 @@
 "ASVS 4.0": [
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6390/common/resources/standards.adoc b/rules/S6390/common/resources/standards.adoc
index 355aa7a6c9..45b75363f8 100644
--- a/rules/S6390/common/resources/standards.adoc
+++ b/rules/S6390/common/resources/standards.adoc
@@ -3,3 +3,5 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6390/metadata.json b/rules/S6390/metadata.json
index d988a51552..ad0308a764 100644
--- a/rules/S6390/metadata.json
+++ b/rules/S6390/metadata.json
@@ -37,6 +37,10 @@
 "12.1.1",
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609",
+ "V-222667"
 ]
 },
 "defaultSeverity": "Critical",
diff --git a/rules/S6398/common/resources/standards.adoc b/rules/S6398/common/resources/standards.adoc
index 17c9ee19d5..7c79751300 100644
--- a/rules/S6398/common/resources/standards.adoc
+++ b/rules/S6398/common/resources/standards.adoc
@@ -3,4 +3,5 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/76[CWE-76 - Improper Neutralization of Equivalent Special Elements]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/76[CWE-76 - Improper Neutralization of Equivalent Special Elements]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6398/java/metadata.json b/rules/S6398/java/metadata.json
index fda4c996d4..233dd54a42 100644
--- a/rules/S6398/java/metadata.json
+++ b/rules/S6398/java/metadata.json
@@ -35,6 +35,9 @@
 "ASVS 4.0": [
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultSeverity": "Major",
diff --git a/rules/S6399/common/resources/standards.adoc b/rules/S6399/common/resources/standards.adoc
index e3be73f57c..2fe8e55746 100644
--- a/rules/S6399/common/resources/standards.adoc
+++ b/rules/S6399/common/resources/standards.adoc
@@ -3,4 +3,6 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6399/metadata.json b/rules/S6399/metadata.json
index 178860d97c..321beeaebd 100644
--- a/rules/S6399/metadata.json
+++ b/rules/S6399/metadata.json
@@ -36,6 +36,10 @@
 "5.1.3",
 "5.1.4",
 "5.3.10"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608",
+ "V-222609"
 ]
 },
 "defaultSeverity": "Major",
@@ -51,4 +55,4 @@
 ],
 "quickfix": "unknown"
 }
- 
\ No newline at end of file
+
diff --git a/rules/S6404/terraform/metadata.json b/rules/S6404/terraform/metadata.json
index 89ead763b6..4f9e34b22e 100644
--- a/rules/S6404/terraform/metadata.json
+++ b/rules/S6404/terraform/metadata.json
@@ -37,6 +37,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222620"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6404/terraform/rule.adoc b/rules/S6404/terraform/rule.adoc
index 21a0afc47d..a6be4946a5 100644
--- a/rules/S6404/terraform/rule.adoc
+++ b/rules/S6404/terraform/rule.adoc
@@ -120,6 +120,7 @@ resource "google_container_cluster" "example" {
 == See
 * CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6423/csharp/metadata.json b/rules/S6423/csharp/metadata.json
index 826abee559..0e3539321c 100644
--- a/rules/S6423/csharp/metadata.json
+++ b/rules/S6423/csharp/metadata.json
@@ -20,6 +20,11 @@
 "ruleSpecification": "RSPEC-6423",
 "sqKey": "S6423",
 "scope": "Main",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222610"
+ ]
+ },
 "defaultQualityProfiles": [ ],
 "quickfix": "unknown"
 }
diff --git a/rules/S6423/csharp/rule.adoc b/rules/S6423/csharp/rule.adoc
index 66960e8d3f..b5cad79cd0 100644
--- a/rules/S6423/csharp/rule.adoc
+++ b/rules/S6423/csharp/rule.adoc
@@ -54,3 +54,5 @@ public static async Task Run(
 * https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-error-pages?tabs=csharp[Azure Functions error handling and retries]
 * https://docs.microsoft.com/en-us/azure/azure-functions/functions-monitoring[Monitor Azure Functions]
 * https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-functions-supported-features[Application Insights for Azure Functions supported features]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222610[Application Security and Development: V-222610] - The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+
diff --git a/rules/S6469/docker/rule.adoc b/rules/S6469/docker/rule.adoc
index 71cdad86c8..2f75ac40df 100644
--- a/rules/S6469/docker/rule.adoc
+++ b/rules/S6469/docker/rule.adoc
@@ -79,6 +79,7 @@ expose them to unintended parties.
 === Standards
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6469/metadata.json b/rules/S6469/metadata.json
index 19f1a9c7f2..c0cf01f1fa 100644
--- a/rules/S6469/metadata.json
+++ b/rules/S6469/metadata.json
@@ -19,6 +19,9 @@
 "securityStandards": {
 "CWE": [
 732
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222430"
 ]
 },
 "defaultSeverity": "Critical",
diff --git a/rules/S6474/docker/rule.adoc b/rules/S6474/docker/rule.adoc
index 6da3a58316..479a04a812 100644
--- a/rules/S6474/docker/rule.adoc
+++ b/rules/S6474/docker/rule.adoc
@@ -213,6 +213,9 @@ RUN make install
 * CWE - https://cwe.mitre.org/data/definitions/384[CWE-345 - Insufficient Verification of Data Authenticity]
 * https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode[Microsoft, Authenticode Digital Signatures]
 * https://www.linux.com/training-tutorials/pgp-web-trust-core-concepts-behind-trusted-communication/[Linux.com, PGP Web of Trust: Core Concepts Behind Trusted Communication]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222618[Application Security and Development: V-222618] - Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.
+
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S6474/metadata.json b/rules/S6474/metadata.json
index 8ca3503515..1e1e9308bd 100644
--- a/rules/S6474/metadata.json
+++ b/rules/S6474/metadata.json
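Review bot: The S6469/metadata.json hunk maps the rule to V-222430, whose quoted title is about the account the application executes under ("must execute without excessive account permissions"), while the rule's only other standard is CWE-732 Incorrect Permission Assignment for Critical Resource, i.e. permissions set on files or resources. Those are different controls (run-as privilege versus object ACLs), so unless S6469 actually checks the user the container runs as, this looks like the wrong finding; confirm against the STIG check text and pick the finding that matches what the rule detects. The same metadata/adoc pairing pattern is used consistently elsewhere in the commit, so only the choice of finding is in question here.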
@@ -21,6 +21,9 @@
 "sqKey": "S6474",
 "scope": "Main",
 "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222618"
+ ],
 "CWE": [
 345
 ]
diff --git a/rules/S6547/common/resources/standards.adoc b/rules/S6547/common/resources/standards.adoc
index 13b319ecd2..b9bc1c30c7 100644
--- a/rules/S6547/common/resources/standards.adoc
+++ b/rules/S6547/common/resources/standards.adoc
@@ -3,4 +3,6 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/454[CWE-454 - External Initialization of Trusted Variables or Data Stores]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/454[CWE-454 - External Initialization of Trusted Variables or Data Stores]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6547/metadata.json b/rules/S6547/metadata.json
index 2960ffd13e..ad27f8ca7b 100644
--- a/rules/S6547/metadata.json
+++ b/rules/S6547/metadata.json
@@ -42,6 +42,9 @@
 "ASVS 4.0": [
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6549/common/resources/standards.adoc b/rules/S6549/common/resources/standards.adoc
index 2ae72b4f8d..97a216c107 100644
--- a/rules/S6549/common/resources/standards.adoc
+++ b/rules/S6549/common/resources/standards.adoc
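Review bot: In the S6474/metadata.json hunk the `"STIG ASD 2023-06-08"` block is inserted before `"CWE"`, whereas every other metadata file in this commit appends it after the last existing standard; key order is insignificant to a JSON parser, but the inconsistency makes later batch edits and visual review harder, so move it after the `CWE` array. While touching this rule, the context line in S6474/docker/rule.adoc links `definitions/384` under the label `CWE-345`, and the metadata lists 345, so that URL is wrong and should point at `definitions/345`. Separately, V-222618 is titled around unsigned "Category 1A mobile code" under DoD policy, which is a specific class of client-side executable content; whether a Docker rule about verifying the signatures of downloaded packages falls under that finding is worth confirming before it is reported as STIG coverage.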
@@ -6,3 +6,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6549/metadata.json b/rules/S6549/metadata.json
index cbe47024ba..4d50ef21cf 100644
--- a/rules/S6549/metadata.json
+++ b/rules/S6549/metadata.json
@@ -42,9 +42,14 @@
 "12.3.1",
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
- "defaultQualityProfiles": ["Sonar way"],
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
 "educationPrinciples": [
 "defense_in_depth",
 "never_trust_user_input"
diff --git a/rules/S6639/common/resources/standards.adoc b/rules/S6639/common/resources/standards.adoc
index b7cd3f2bfe..367a10c0e8 100644
--- a/rules/S6639/common/resources/standards.adoc
+++ b/rules/S6639/common/resources/standards.adoc
@@ -1,3 +1,6 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/789[CWE-789 - Memory Allocation with Excessive Size Value]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222594[Application Security and Development: V-222594] - The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6639/metadata.json b/rules/S6639/metadata.json
index 146012ff05..b3d1d896dc 100644
--- a/rules/S6639/metadata.json
+++ b/rules/S6639/metadata.json
@@ -1,52 +1,56 @@
 {
- "title": "Memory allocations should not be vulnerable to Denial of Service attacks",
- "type": "VULNERABILITY",
- "code": {
- "impacts": {
- "SECURITY": "MEDIUM"
- },
- "attribute": "COMPLETE"
+ "title": "Memory allocations should not be vulnerable to Denial of Service attacks",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "MEDIUM"
 },
- "status": "ready",
- "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "5min"
- },
- "tags": [
- "cwe"
+ "attribute": "COMPLETE"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "cwe"
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-6639",
+ "sqKey": "S6639",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 789
 ],
- "defaultSeverity": "Major",
- "ruleSpecification": "RSPEC-6639",
- "sqKey": "S6639",
- "scope": "All",
- "securityStandards": {
- "CWE": [
- 789
- ],
- "OWASP": [
- "A1"
- ],
- "OWASP Top 10 2021": [
- "A3"
- ],
- "PCI DSS 3.2": [
- "6.5.1"
- ],
- "PCI DSS 4.0": [
- "6.2.4"
- ],
- "ASVS 4.0": [
- "5.1.3",
- "5.1.4"
- ]
- },
- "defaultQualityProfiles": [
- "Sonar way"
+ "OWASP": [
+ "A1"
 ],
- "educationPrinciples": [
- "defense_in_depth",
- "never_trust_user_input"
- ],
- "quickfix": "unknown"
- }
- 
\ No newline at end of file
+ "OWASP Top 10 2021": [
+ "A3"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.1.3",
+ "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222594",
+ "V-222609",
+ "V-222667"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "educationPrinciples": [
+ "defense_in_depth",
+ "never_trust_user_input"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6641/common/resources/standards.adoc b/rules/S6641/common/resources/standards.adoc
index 74feb18d29..eb761e2560 100644
--- a/rules/S6641/common/resources/standards.adoc
+++ b/rules/S6641/common/resources/standards.adoc
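Review bot: The S6639/metadata.json hunk rewrites all 52 lines of the file, but the only substantive change is the new `"STIG ASD 2023-06-08"` array holding `"V-222594"`, `"V-222609"`, `"V-222667"` (plus restoring the trailing newline); everything else is a re-indent, so the actual mapping is buried in the diff and `git blame` for every key in the file now points at this commit. Prefer landing the formatting as its own commit, or keep the file's existing indentation and add only the six STIG lines. S6641/csharp/metadata.json has the same issue and additionally re-indents only some of its lines (`"cwe"`, `"Sonar way"`, the `educationPrinciples` items and their closing `],`), which may leave mixed indentation; running the repository's JSON formatter over both files would settle it.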
@@ -1,3 +1,4 @@ * CWE - https://cwe.mitre.org/data/definitions/15[CWE-15 - External Control of System or Configuration Setting] * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. diff --git a/rules/S6641/csharp/metadata.json b/rules/S6641/csharp/metadata.json index ac316074c9..6933dc6690 100644 --- a/rules/S6641/csharp/metadata.json +++ b/rules/S6641/csharp/metadata.json @@ -13,38 +13,41 @@ "constantCost": "5min" }, "tags": [ - "cwe" + "cwe" ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-6641", "sqKey": "S6641", "scope": "All", "securityStandards": { - "CWE": [ - 15 - ], - "OWASP": [ - "A1" - ], - "OWASP Top 10 2021": [ - "A3" - ], - "PCI DSS 3.2": [ - "6.5.1" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "5.1.3" - ] - }, + "CWE": [ + 15 + ], + "OWASP": [ + "A1" + ], + "OWASP Top 10 2021": [ + "A3" + ], + "PCI DSS 3.2": [ + "6.5.1" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "5.1.3" + ], + "STIG ASD 2023-06-08": [ + "V-222609" + ] + }, "defaultQualityProfiles": [ - "Sonar way" + "Sonar way" ], "educationPrinciples": [ - "defense_in_depth", - "never_trust_user_input" - ], + "defense_in_depth", + "never_trust_user_input" + ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6652/secrets/metadata.json b/rules/S6652/secrets/metadata.json index fc30f1339f..1f6831fea7 100644 --- a/rules/S6652/secrets/metadata.json +++ b/rules/S6652/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ 
diff --git a/rules/S6680/common/resources/standards.adoc b/rules/S6680/common/resources/standards.adoc index 52c0993384..8ce26598f8 100644 --- a/rules/S6680/common/resources/standards.adoc +++ b/rules/S6680/common/resources/standards.adoc @@ -3,3 +3,5 @@ * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * CWE - https://cwe.mitre.org/data/definitions/606[CWE-606 - Unchecked Input for Loop Condition] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S6680/metadata.json b/rules/S6680/metadata.json index 3f36c80e54..213fe4aa07 100644 --- a/rules/S6680/metadata.json +++ b/rules/S6680/metadata.json @@ -23,7 +23,7 @@ "scope": "Main", "securityStandards": { "CWE": [ - 606 + 606 ], "OWASP": [ "A1" @@ -32,10 +32,16 @@ "A3" ], "PCI DSS 3.2": [ + ], "PCI DSS 4.0": [ + ], "ASVS 4.0": [ + + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6684/secrets/metadata.json b/rules/S6684/secrets/metadata.json index 717ca5e61c..4dbbc584d1 100644 --- a/rules/S6684/secrets/metadata.json +++ b/rules/S6684/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6686/secrets/metadata.json b/rules/S6686/secrets/metadata.json index 87c877ee0e..50673ac937 100644 --- a/rules/S6686/secrets/metadata.json +++ b/rules/S6686/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6687/secrets/metadata.json b/rules/S6687/secrets/metadata.json index 090f9660e9..27febc194e 100644 
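Review bot: The rules/S6680/metadata.json hunk inserts bare empty lines (the lone `+` lines) inside the empty `"PCI DSS 3.2": [ ]`, `"PCI DSS 4.0": [ ]` and `"ASVS 4.0": [ ]` arrays and re-indents `606`; that is whitespace noise rather than a change, and a formatter will undo it on its next pass. Drop the blank lines so the hunk is only the `"STIG ASD 2023-06-08": [ "V-222609" ]` addition. If those three empty arrays are placeholders, removing the keys entirely may be cleaner, provided the metadata schema does not require them to be present.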
--- a/rules/S6687/secrets/metadata.json +++ b/rules/S6687/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6688/secrets/metadata.json b/rules/S6688/secrets/metadata.json index 62056eb854..7cb4aaf039 100644 --- a/rules/S6688/secrets/metadata.json +++ b/rules/S6688/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6689/secrets/metadata.json b/rules/S6689/secrets/metadata.json index 5d6f403eba..bf9c77589d 100644 --- a/rules/S6689/secrets/metadata.json +++ b/rules/S6689/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6690/secrets/metadata.json b/rules/S6690/secrets/metadata.json index fcb2171288..01d273b896 100644 --- a/rules/S6690/secrets/metadata.json +++ b/rules/S6690/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6691/secrets/metadata.json b/rules/S6691/secrets/metadata.json index 4096c304b4..daf74ff8d1 100644 --- a/rules/S6691/secrets/metadata.json +++ b/rules/S6691/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6692/secrets/metadata.json b/rules/S6692/secrets/metadata.json index de13e23548..c7b88ba381 100644 --- a/rules/S6692/secrets/metadata.json +++ b/rules/S6692/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6693/secrets/metadata.json b/rules/S6693/secrets/metadata.json index de963d701b..55a5edc217 100644 --- a/rules/S6693/secrets/metadata.json 
+++ b/rules/S6693/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6694/secrets/metadata.json b/rules/S6694/secrets/metadata.json index cd771bcd3c..f56b18ecf2 100644 --- a/rules/S6694/secrets/metadata.json +++ b/rules/S6694/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6695/secrets/metadata.json b/rules/S6695/secrets/metadata.json index 8234141864..8185e94313 100644 --- a/rules/S6695/secrets/metadata.json +++ b/rules/S6695/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6696/secrets/metadata.json b/rules/S6696/secrets/metadata.json index fbab291dd2..0d5cca9376 100644 --- a/rules/S6696/secrets/metadata.json +++ b/rules/S6696/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6697/secrets/metadata.json b/rules/S6697/secrets/metadata.json index af5b172850..6dd78c3110 100644 --- a/rules/S6697/secrets/metadata.json +++ b/rules/S6697/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6698/secrets/metadata.json b/rules/S6698/secrets/metadata.json index c3f4977931..5d1c871c0d 100644 --- a/rules/S6698/secrets/metadata.json +++ b/rules/S6698/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6699/secrets/metadata.json b/rules/S6699/secrets/metadata.json index 6830dcf0b3..33f54239a1 100644 --- a/rules/S6699/secrets/metadata.json +++ b/rules/S6699/secrets/metadata.json 
@@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6700/secrets/metadata.json b/rules/S6700/secrets/metadata.json index 1d28a86c97..f90e65b2a8 100644 --- a/rules/S6700/secrets/metadata.json +++ b/rules/S6700/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6701/secrets/metadata.json b/rules/S6701/secrets/metadata.json index bdd168d12b..c8baf6f25f 100644 --- a/rules/S6701/secrets/metadata.json +++ b/rules/S6701/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6702/secrets/metadata.json b/rules/S6702/secrets/metadata.json index 4116f41386..3e1664aaa8 100644 --- a/rules/S6702/secrets/metadata.json +++ b/rules/S6702/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6703/secrets/metadata.json b/rules/S6703/secrets/metadata.json index f934fc5540..6fb484a5d0 100644 --- a/rules/S6703/secrets/metadata.json +++ b/rules/S6703/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6704/secrets/metadata.json b/rules/S6704/secrets/metadata.json index 6eeca51bb1..05ec287c59 100644 --- a/rules/S6704/secrets/metadata.json +++ b/rules/S6704/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6705/secrets/metadata.json b/rules/S6705/secrets/metadata.json index 5b6002c0bf..ec81574eea 100644 --- a/rules/S6705/secrets/metadata.json +++ b/rules/S6705/secrets/metadata.json 
@@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6706/secrets/metadata.json b/rules/S6706/secrets/metadata.json index 6f2e842db6..8acae4653c 100644 --- a/rules/S6706/secrets/metadata.json +++ b/rules/S6706/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6708/secrets/metadata.json b/rules/S6708/secrets/metadata.json index 5fbc41171f..58d9442f66 100644 --- a/rules/S6708/secrets/metadata.json +++ b/rules/S6708/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6709/python/metadata.json b/rules/S6709/python/metadata.json index dfb35a9b9a..f7386f4603 100644 --- a/rules/S6709/python/metadata.json +++ b/rules/S6709/python/metadata.json @@ -14,7 +14,14 @@ "ruleSpecification": "RSPEC-6709", "sqKey": "S6709", "scope": "All", - "defaultQualityProfiles": ["Sonar way"], + "securityStandards": { + "STIG ASD 2023-06-08": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], "quickfix": "unknown", "code": { "impacts": { diff --git a/rules/S6709/python/rule.adoc b/rules/S6709/python/rule.adoc index 0be25e2920..f21ffa2702 100644 --- a/rules/S6709/python/rule.adoc +++ b/rules/S6709/python/rule.adoc @@ -59,6 +59,10 @@ def foo(): * NumPy documentation - https://numpy.org/neps/nep-0019-rng-policy.html[NEP 19 RNG Policy] +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222642[Application Security and Development: V-222642] - The application must not contain embedded authentication data. + === Related rules * S6711 - `numpy.random.Generator` should be preferred to `numpy.random.RandomState` 
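Review bot: Mapping V-222642 ("The application must not contain embedded authentication data") onto S6709 looks like a mis-mapping: the rule's own references in this hunk are NumPy's RNG policy (NEP 19) and the related rule about `numpy.random.Generator`, i.e. random-number generation, and a hard-coded RNG seed is not credential material. With this tag, the STIG compliance report would claim V-222642 coverage for projects that merely seed NumPy, and would flood the V-222642 view with findings that have nothing to do with embedded secrets. Please confirm the intended finding against the STIG text; if no ASD finding fits, leave `securityStandards` out of rules/S6709/python/metadata.json as before. As a style point, the new `=== Standards` heading is wedged between the Resources list and `=== Related rules`, whereas the other rule.adoc hunks in this diff append the STIG line to the existing standards list.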
diff --git a/rules/S6710/secrets/metadata.json b/rules/S6710/secrets/metadata.json index c5387cf885..0caa44d038 100644 --- a/rules/S6710/secrets/metadata.json +++ b/rules/S6710/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6713/secrets/metadata.json b/rules/S6713/secrets/metadata.json index ea919c6608..b8037e6b44 100644 --- a/rules/S6713/secrets/metadata.json +++ b/rules/S6713/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6717/secrets/metadata.json b/rules/S6717/secrets/metadata.json index 1b143eab24..f9fa94863b 100644 --- a/rules/S6717/secrets/metadata.json +++ b/rules/S6717/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6718/secrets/metadata.json b/rules/S6718/secrets/metadata.json index bea682afb4..9671e223ab 100644 --- a/rules/S6718/secrets/metadata.json +++ b/rules/S6718/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6719/secrets/metadata.json b/rules/S6719/secrets/metadata.json index fdca8b23f5..1587fa6d21 100644 --- a/rules/S6719/secrets/metadata.json +++ b/rules/S6719/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6720/secrets/metadata.json b/rules/S6720/secrets/metadata.json index 957f15fc53..637cd2ce91 100644 --- a/rules/S6720/secrets/metadata.json +++ b/rules/S6720/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ 
diff --git a/rules/S6721/secrets/metadata.json b/rules/S6721/secrets/metadata.json index d1a0ca3a9f..76ed81f6a5 100644 --- a/rules/S6721/secrets/metadata.json +++ b/rules/S6721/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6722/secrets/metadata.json b/rules/S6722/secrets/metadata.json index 2b6c0b6050..3e4d8c4f51 100644 --- a/rules/S6722/secrets/metadata.json +++ b/rules/S6722/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6723/secrets/metadata.json b/rules/S6723/secrets/metadata.json index 8d27d7bb7c..4af44804c7 100644 --- a/rules/S6723/secrets/metadata.json +++ b/rules/S6723/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6731/secrets/metadata.json b/rules/S6731/secrets/metadata.json index 71eddcda1e..a9ed55a30d 100644 --- a/rules/S6731/secrets/metadata.json +++ b/rules/S6731/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6732/secrets/metadata.json b/rules/S6732/secrets/metadata.json index 7aa425465b..6d911096eb 100644 --- a/rules/S6732/secrets/metadata.json +++ b/rules/S6732/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6733/secrets/metadata.json b/rules/S6733/secrets/metadata.json index bc340acf37..111d3db662 100644 --- a/rules/S6733/secrets/metadata.json +++ b/rules/S6733/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ 
diff --git a/rules/S6736/secrets/metadata.json b/rules/S6736/secrets/metadata.json index 940f6f5f21..bed1027fd5 100644 --- a/rules/S6736/secrets/metadata.json +++ b/rules/S6736/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6739/secrets/metadata.json b/rules/S6739/secrets/metadata.json index 2c8f47d8c2..382265bb2f 100644 --- a/rules/S6739/secrets/metadata.json +++ b/rules/S6739/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6751/secrets/metadata.json b/rules/S6751/secrets/metadata.json index 709a0dfc79..9d8aefc94c 100644 --- a/rules/S6751/secrets/metadata.json +++ b/rules/S6751/secrets/metadata.json @@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6752/secrets/metadata.json b/rules/S6752/secrets/metadata.json index b51f01910a..a499a3a934 100644 --- a/rules/S6752/secrets/metadata.json +++ b/rules/S6752/secrets/metadata.json @@ -49,11 +49,14 @@ "2.10.4", "3.5.2", "6.4.1" - ] + ], + "STIG ASD 2023-06-08": [ + "V-222642" + ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" } - \ No newline at end of file + diff --git a/rules/S6753/secrets/metadata.json b/rules/S6753/secrets/metadata.json index b45c5250ee..a226103ec2 100644 --- a/rules/S6753/secrets/metadata.json +++ b/rules/S6753/secrets/metadata.json @@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6755/secrets/metadata.json b/rules/S6755/secrets/metadata.json index fad0db405d..fe9e2397aa 100644 --- a/rules/S6755/secrets/metadata.json 
+++ b/rules/S6755/secrets/metadata.json @@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6758/secrets/metadata.json b/rules/S6758/secrets/metadata.json index dfbc734e8e..d2458cc6fc 100644 --- a/rules/S6758/secrets/metadata.json +++ b/rules/S6758/secrets/metadata.json @@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6760/secrets/metadata.json b/rules/S6760/secrets/metadata.json index f4696aec2e..4e5e7ac877 100644 --- a/rules/S6760/secrets/metadata.json +++ b/rules/S6760/secrets/metadata.json @@ -47,6 +47,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6762/secrets/metadata.json b/rules/S6762/secrets/metadata.json index 5cb766b599..b2a388b7cd 100644 --- a/rules/S6762/secrets/metadata.json +++ b/rules/S6762/secrets/metadata.json @@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6764/secrets/metadata.json b/rules/S6764/secrets/metadata.json index 3c14aaa369..3b8b38daa9 100644 --- a/rules/S6764/secrets/metadata.json +++ b/rules/S6764/secrets/metadata.json @@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6765/secrets/metadata.json b/rules/S6765/secrets/metadata.json index b62bec841e..41aa90721a 100644 --- a/rules/S6765/secrets/metadata.json +++ b/rules/S6765/secrets/metadata.json 
@@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6768/secrets/metadata.json b/rules/S6768/secrets/metadata.json index 6c9dbf9e19..bf1d754b98 100644 --- a/rules/S6768/secrets/metadata.json +++ b/rules/S6768/secrets/metadata.json @@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6769/secrets/metadata.json b/rules/S6769/secrets/metadata.json index 59cf0e7895..1b3482dcf3 100644 --- a/rules/S6769/secrets/metadata.json +++ b/rules/S6769/secrets/metadata.json @@ -47,10 +47,13 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" -} \ No newline at end of file +} diff --git a/rules/S6771/secrets/metadata.json b/rules/S6771/secrets/metadata.json index 531ff3c7fb..548e811781 100644 --- a/rules/S6771/secrets/metadata.json +++ b/rules/S6771/secrets/metadata.json @@ -49,6 +49,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ @@ -56,4 +59,4 @@ ], "quickfix": "unknown" } - \ No newline at end of file + diff --git a/rules/S6773/secrets/metadata.json b/rules/S6773/secrets/metadata.json index 0602a0324b..92b4f4be9a 100644 --- a/rules/S6773/secrets/metadata.json +++ b/rules/S6773/secrets/metadata.json @@ -49,11 +49,14 @@ "2.10.4", "3.5.2", "6.4.1" - ] + ], + "STIG ASD 2023-06-08": [ + "V-222642" + ] }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" } - \ No newline at end of file + diff --git a/rules/S6776/python/metadata.json b/rules/S6776/python/metadata.json index 65235e2293..918f9088d4 100644 --- a/rules/S6776/python/metadata.json +++ b/rules/S6776/python/metadata.json 
@@ -32,6 +32,9 @@ "ASVS 4.0": [ "14.3.1", "14.3.2" + ], + "STIG ASD 2023-06-08": [ + "V-222610" ] }, "defaultQualityProfiles": ["Sonar way"], diff --git a/rules/S6776/python/rule.adoc b/rules/S6776/python/rule.adoc index 95eeedea62..2fcf712454 100644 --- a/rules/S6776/python/rule.adoc +++ b/rules/S6776/python/rule.adoc @@ -21,6 +21,8 @@ Python Documentation - https://docs.python.org/3/library/traceback.html[tracebac * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * CWE - https://cwe.mitre.org/data/definitions/209[CWE-209 - Generation of Error Message Containing Sensitive Information] * CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222610[Application Security and Development: V-222610] - The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + ifdef::env-github,rspecator-view[] diff --git a/rules/S6777/secrets/metadata.json b/rules/S6777/secrets/metadata.json index 15ec071519..da167de56b 100644 --- a/rules/S6777/secrets/metadata.json +++ b/rules/S6777/secrets/metadata.json @@ -49,11 +49,15 @@ "2.10.4", "3.5.2", "6.4.1" - ] + ], + "STIG ASD 2023-06-08": [ + "V-222642" + ] + }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" } - \ No newline at end of file + diff --git a/rules/S6782/secrets/metadata.json b/rules/S6782/secrets/metadata.json index a1b7123597..c0f28cb265 100644 --- a/rules/S6782/secrets/metadata.json +++ b/rules/S6782/secrets/metadata.json @@ -49,11 +49,15 @@ "2.10.4", "3.5.2", "6.4.1" - ] + ], + "STIG ASD 2023-06-08": [ + "V-222642" + ] + }, "defaultQualityProfiles": [ "Sonar way" ], "quickfix": "unknown" } - \ No newline at end of file + 
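Review bot: In the rules/S6777/secrets/metadata.json hunk the lone `+` before `},` adds an empty line between the closing `]` of the new array and the `},` that ends `securityStandards`; it is valid JSON but inconsistent with every other secrets metadata file in this diff, which closes the array and the object on adjacent lines. Remove the blank line here and in the S6782 hunk that follows, which has the same stray `+` line, so the change is only the `"STIG ASD 2023-06-08": [ "V-222642" ]` addition.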
diff --git a/rules/S6783/secrets/metadata.json b/rules/S6783/secrets/metadata.json index 0ef2bd86ec..f4e203c2d9 100644 --- a/rules/S6783/secrets/metadata.json +++ b/rules/S6783/secrets/metadata.json @@ -49,7 +49,11 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] + }, "defaultQualityProfiles": [ "Sonar way" diff --git a/rules/S6784/secrets/metadata.json b/rules/S6784/secrets/metadata.json index 3632573c02..acca2390e9 100644 --- a/rules/S6784/secrets/metadata.json +++ b/rules/S6784/secrets/metadata.json @@ -51,6 +51,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] } } diff --git a/rules/S6785/python/metadata.json b/rules/S6785/python/metadata.json index 7f8ae17ab6..f1c590e0e4 100644 --- a/rules/S6785/python/metadata.json +++ b/rules/S6785/python/metadata.json @@ -27,6 +27,9 @@ ], "ASVS 4.0": [ "13.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222667" ] }, "defaultSeverity": "Critical", diff --git a/rules/S6785/python/rule.adoc b/rules/S6785/python/rule.adoc index f57b852057..99bcb7bd9f 100644 --- a/rules/S6785/python/rule.adoc +++ b/rules/S6785/python/rule.adoc @@ -95,6 +95,7 @@ The easiest way to set such a limit is to use the query validation API available * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/770[CWE-707 - Allocation of Resources Without Limits or Throttling] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented. ifdef::env-github,rspecator-view[] diff --git a/rules/S6839/metadata.json b/rules/S6839/metadata.json index d0e2192f5d..112b2fd39f 100644 --- a/rules/S6839/metadata.json 
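Review bot: In the rules/S6785/python/rule.adoc hunk, the context line directly above the new STIG entry links to https://cwe.mitre.org/data/definitions/770 but labels it `CWE-707`; the link text "Allocation of Resources Without Limits or Throttling" is CWE-770, so the label should read `CWE-770 - Allocation of Resources Without Limits or Throttling`. It is worth fixing while this list is being touched, since the rendered description is what a reader uses to cross-reference the V-222667 DoS finding added here.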
+++ b/rules/S6839/metadata.json
@@ -41,6 +41,9 @@
 "ASVS 4.0": [
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6839/see.adoc b/rules/S6839/see.adoc
index 22c4e31f91..80238451b7 100644
--- a/rules/S6839/see.adoc
+++ b/rules/S6839/see.adoc
@@ -9,4 +9,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/113[CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/113[CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6910/secrets/metadata.json b/rules/S6910/secrets/metadata.json
index db472469aa..c08743d7c3 100644
--- a/rules/S6910/secrets/metadata.json
+++ b/rules/S6910/secrets/metadata.json
@@ -47,6 +47,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/shared_content/secrets/resources/standards.adoc b/shared_content/secrets/resources/standards.adoc
index e6eb6888a4..4fc97bea51 100644
--- a/shared_content/secrets/resources/standards.adoc
+++ b/shared_content/secrets/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
 * CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222642[Application Security and Development: V-222642] - The application must not contain embedded authentication data.
+