Add APEX into the covered languages for missing rules

Arseniy Zaostrovnykh 2021-02-15 17:20:44 +01:00
parent f543279c4b
commit c4b46ee96c
27 changed files with 90 additions and 26 deletions


@ -0,0 +1,3 @@
{
}


@ -0,0 +1 @@
include::../rule.adoc[]


@ -15,33 +15,35 @@
"coveredLanguages": [ "coveredLanguages": [
"C#", "C#",
"T-SQL", "T-SQL",
"Java",
"C++",
"C", "C",
"VB.Net", "VB.Net",
"Scala",
"Go", "Go",
"HTML", "HTML",
"VB6", "VB6",
"ABAP", "ABAP",
"Kotlin",
"TypeScript", "TypeScript",
"PL\/SQL", "PL\/SQL",
"PL\/I", "PL\/I",
"XML",
"JavaScript", "JavaScript",
"Flex",
"Objective-C", "Objective-C",
"PHP", "PHP",
"Swift",
"Ruby", "Ruby",
"Python" "Python",
"Java",
"C++",
"Scala",
"Kotlin",
"XML",
"Flex",
"Swift",
"APEX"
], ],
"defaultSeverity": "Major", "defaultSeverity": "Major",
"ruleSpecification": "RSPEC-103", "ruleSpecification": "RSPEC-103",
"sqKey": "S103", "sqKey": "S103",
"compatibleLanguages": [ "compatibleLanguages": [
"ABAP", "ABAP",
"APEX",
"C", "C",
"COBOL", "COBOL",
"CPP", "CPP",


@ -0,0 +1,3 @@
{
}


@ -0,0 +1 @@
include::../rule.adoc[]


@ -32,6 +32,7 @@
"Objective-C", "Objective-C",
"PHP", "PHP",
"Swift", "Swift",
"APEX",
"Ruby", "Ruby",
"Python" "Python"
], ],
@ -40,6 +41,7 @@
"sqKey": "S104", "sqKey": "S104",
"compatibleLanguages": [ "compatibleLanguages": [
"ABAP", "ABAP",
"APEX",
"C", "C",
"CPP", "CPP",
"CSHARPSQUID", "CSHARPSQUID",


@ -0,0 +1,3 @@
{
}


@ -0,0 +1 @@
include::../rule.adoc[]


@ -31,6 +31,7 @@
"Objective-C", "Objective-C",
"PHP", "PHP",
"Swift", "Swift",
"APEX",
"Ruby" "Ruby"
], ],
"defaultSeverity": "Minor", "defaultSeverity": "Minor",
@ -38,6 +39,7 @@
"sqKey": "S105", "sqKey": "S105",
"compatibleLanguages": [ "compatibleLanguages": [
"ABAP", "ABAP",
"APEX",
"C", "C",
"COBOL", "COBOL",
"CPP", "CPP",


@ -0,0 +1,3 @@
{
}


@ -0,0 +1 @@
include::../rule.adoc[]


@ -27,6 +27,7 @@
"Objective-C", "Objective-C",
"PHP", "PHP",
"Swift", "Swift",
"APEX",
"Ruby" "Ruby"
], ],
"defaultSeverity": "Info", "defaultSeverity": "Info",
@ -34,6 +35,7 @@
"sqKey": "S1135", "sqKey": "S1135",
"compatibleLanguages": [ "compatibleLanguages": [
"ABAP", "ABAP",
"APEX",
"C", "C",
"COBOL", "COBOL",
"CPP", "CPP",


@ -0,0 +1,3 @@
{
}


@ -0,0 +1 @@
include::../rule.adoc[]


@ -32,6 +32,7 @@
"Objective-C", "Objective-C",
"PHP", "PHP",
"Swift", "Swift",
"APEX",
"Python" "Python"
], ],
"defaultSeverity": "Major", "defaultSeverity": "Major",
@ -39,6 +40,7 @@
"sqKey": "S125", "sqKey": "S125",
"compatibleLanguages": [ "compatibleLanguages": [
"ABAP", "ABAP",
"APEX",
"C", "C",
"COBOL", "COBOL",
"CPP", "CPP",


@ -0,0 +1,3 @@
{
}


@ -0,0 +1 @@
include::../rule.adoc[]


@ -30,6 +30,7 @@
"Objective-C", "Objective-C",
"PHP", "PHP",
"Swift", "Swift",
"APEX",
"Ruby" "Ruby"
], ],
"defaultSeverity": "Major", "defaultSeverity": "Major",
@ -37,6 +38,7 @@
"sqKey": "S138", "sqKey": "S138",
"compatibleLanguages": [ "compatibleLanguages": [
"ABAP", "ABAP",
"APEX",
"C", "C",
"CPP", "CPP",
"CSHARPSQUID", "CSHARPSQUID",


@ -0,0 +1,3 @@
{
}


@ -0,0 +1 @@
include::../rule.adoc[]


@ -32,6 +32,7 @@
"Objective-C", "Objective-C",
"PHP", "PHP",
"Swift", "Swift",
"APEX",
"Ruby" "Ruby"
], ],
"defaultSeverity": "Blocker", "defaultSeverity": "Blocker",
@ -39,6 +40,7 @@
"sqKey": "S1451", "sqKey": "S1451",
"compatibleLanguages": [ "compatibleLanguages": [
"ABAP", "ABAP",
"APEX",
"C", "C",
"COBOL", "COBOL",
"CPP", "CPP",


@ -0,0 +1,3 @@
{
}


@ -0,0 +1 @@
include::../rule.adoc[]


@ -29,6 +29,7 @@
"Objective-C", "Objective-C",
"PHP", "PHP",
"Swift", "Swift",
"APEX",
"Ruby" "Ruby"
], ],
"defaultSeverity": "Major", "defaultSeverity": "Major",
@ -36,6 +37,7 @@
"sqKey": "S1479", "sqKey": "S1479",
"compatibleLanguages": [ "compatibleLanguages": [
"ABAP", "ABAP",
"APEX",
"C", "C",
"COBOL", "COBOL",
"CPP", "CPP",


@ -3,7 +3,7 @@ Method/constructor references are commonly agreed to be, most of the time, more
In some rare cases, when it is not clear from the context what kind of function is being described and reference would not increase the clarity, it might be fine to keep the lambda. In some rare cases, when it is not clear from the context what kind of function is being described and reference would not increase the clarity, it might be fine to keep the lambda.
Similarly, ``++null++`` checks can be replaced with references to the ``++Objects::isNull++`` and ``++Objects::nonNull++`` methods. Similarly, ``++null++`` checks can be replaced with references to the ``++Objects::isNull++`` and ``++Objects::nonNull++`` methods, ``++casts++`` can be replaced with ``++SomeClass.class::cast++`` and ``++instanceof++`` can be replaced with ``++SomeClass.class::isInstance++``.
*Note* that this rule is automatically disabled when the project's ``++sonar.java.source++`` is lower than ``++8++``. *Note* that this rule is automatically disabled when the project's ``++sonar.java.source++`` is lower than ``++8++``.
@ -15,10 +15,14 @@ Similarly, ``++null++`` checks can be replaced with references to the ``++Object
class A { class A {
void process(List<A> list) { void process(List<A> list) {
list.stream() list.stream()
.map(a -> a.<String>getObject()) .filter(a -> a instanceof B)
.forEach(a -> { System.out.println(a); }); .map(a -> (B) a)
.map(b -> b.<String>getObject())
.forEach(b -> { System.out.println(b); });
} }
}
class B extends A {
<T> T getObject() { <T> T getObject() {
return null; return null;
} }
@ -32,10 +36,14 @@ class A {
class A { class A {
void process(List<A> list) { void process(List<A> list) {
list.stream() list.stream()
.filter(B.class::isInstance)
.map(B.class::cast)
.map(A::<String>getObject) .map(A::<String>getObject)
.forEach(System.out::println); .forEach(System.out::println);
} }
}
class B extends A {
<T> T getObject() { <T> T getObject() {
return null; return null;
} }


@ -15,6 +15,12 @@ include::../recommended.adoc[]
.Net Framework: .Net Framework:
---- ----
Dim unsafeAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Allow)
Dim fileSecurity = File.GetAccessControl("path")
fileSecurity.AddAccessRule(unsafeAccessRule) ' Sensitive
fileSecurity.SetAccessRule(unsafeAccessRule) ' Sensitive
File.SetAccessControl("fileName", fileSecurity)
---- ----
.Net / .Net Core .Net / .Net Core
@ -39,11 +45,18 @@ fileSystemEntry.FileAccessPermissions = FileAccessPermissions.OtherReadWriteExec
.Net Framework .Net Framework
---- ----
Dim safeAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny)
Dim fileSecurity = File.GetAccessControl("path")
fileSecurity.AddAccessRule(safeAccessRule)
File.SetAccessControl("path", fileSecurity)
---- ----
.Net / .Net Core .Net / .Net Core
---- ----
Dim safeAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny)
Dim fileInfo = new FileInfo("path") Dim fileInfo = new FileInfo("path")
Dim fileSecurity = fileInfo.GetAccessControl() Dim fileSecurity = fileInfo.GetAccessControl()
fileSecurity.SetAccessRule(safeAccessRule) fileSecurity.SetAccessRule(safeAccessRule)


@ -1,27 +1,22 @@
If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) an attacker can forge it and impersonate user identities. include::../description.adoc[]
* Don't use ``++none++`` algorithm to sign or verify the validity of a token. == Noncompliant Code Example
* Don't use a token without verifying its signature before.
In addition, be extra careful when using https://github.com/jwtk/jjwt[jwtk/Java JWT] library \"``++parse++``" method, parsing a signed token (JWT + JWS (signature)) or an unsigned one. To guess how to parse the token the parse method will look at the token headers (which are not signed and thus could be forged by an attacker). This attack is sometimes referred as the "None algorithm attack". Instead, you should consider using \"``++parseClaimsJws++``" parsing signed token. If the signature is not provided together with the JWT, the method will fail as expected. Using https://github.com/jwtk/jjwt[jwtk/Java JWT] library (to verify a signed token (containing a JWS) don't use the ``++parse++`` method as it doesn't throw an exception if an unsigned token is provided):
== Noncompliant Code Examples
Using https://github.com/jwtk/jjwt[jwtk/Java JWT] library:
---- ----
// Signinig: // Signing:
io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed. io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed.
.setSubject(USER_LOGIN) .setSubject(USER_LOGIN)
.compact(); .compact();
// Verifying: // Verifying:
io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant, if the token has no signature, this method will still parse it correctly. io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant
---- ----
Using https://github.com/auth0/java-jwt[auth0/Java JWT] library: Using https://github.com/auth0/java-jwt[auth0/Java JWT] library:
---- ----
// Signinig: // Signing:
com.auth0.jwt.JWT.create() com.auth0.jwt.JWT.create()
.withSubject(SUBJECT) .withSubject(SUBJECT)
.sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT. .sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT.
@ -33,10 +28,10 @@ JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) /
== Compliant Solution == Compliant Solution
Using https://github.com/jwtk/jjwt[Java JWT] library: Using https://github.com/jwtk/jjwt[Java JWT] library (to verify a signed token (containing a JWS) use the ``++parseClaimsJws++`` method that will throw an exception if an unsigned token is provided):
---- ----
// Signinig: // Signing:
Jwts.builder() // Compliant Jwts.builder() // Compliant
.setSubject(USER_LOGIN) .setSubject(USER_LOGIN)
.signWith(SignatureAlgorithm.HS256, SECRET_KEY) .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
@ -45,10 +40,10 @@ Jwts.builder() // Compliant
Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant
---- ----
Using https://github.com/auth0/java-jwt[auth0/Java JWT] library: Using https://github.com/auth0/java-jwt[auth0/Java JWT] library. I
---- ----
// Signinig: // Signing:
JWT.create() JWT.create()
.withSubject(SUBJECT) .withSubject(SUBJECT)
.sign(Algorithm.HMAC256(SECRET_KEY)); // Noncompliant, use only strong cipher algorithms when signing this JWT. .sign(Algorithm.HMAC256(SECRET_KEY)); // Noncompliant, use only strong cipher algorithms when signing this JWT.