diff --git a/rules/S1041/plsql/rule.adoc b/rules/S1041/plsql/rule.adoc
index 223a082d54..0e5c7c51b9 100644
--- a/rules/S1041/plsql/rule.adoc
+++ b/rules/S1041/plsql/rule.adoc
@@ -46,7 +46,7 @@ END;
 == Resources
-* https://cwe.mitre.org/data/definitions/391[MITRE, CWE-391] - Unchecked Error Condition
+* CWE - https://cwe.mitre.org/data/definitions/391[CWE-391 - Unchecked Error Condition]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1049/cfamily/rule.adoc b/rules/S1049/cfamily/rule.adoc
index b533f75cd8..9f0b352fb0 100644
--- a/rules/S1049/cfamily/rule.adoc
+++ b/rules/S1049/cfamily/rule.adoc
@@ -44,7 +44,7 @@ void goo ( ) throw ( Exception, int )
 == Resources
 * MISRA {cpp}:2008, 15-5-2
-* https://cwe.mitre.org/data/definitions/391[MITRE, CWE-391] - Unchecked Error Condition
+* CWE - https://cwe.mitre.org/data/definitions/391[CWE-391 - Unchecked Error Condition]
 * https://www.securecoding.cert.org/confluence/x/EADTAQ[CERT, ERR55-CPP.] - Honor exception specifications
diff --git a/rules/S1053/cfamily/rule.adoc b/rules/S1053/cfamily/rule.adoc
index d057c5499a..6335330c63 100644
--- a/rules/S1053/cfamily/rule.adoc
+++ b/rules/S1053/cfamily/rule.adoc
@@ -38,7 +38,7 @@ void fn ( std::string str )
 == Resources
 * MISRA {cpp}:2008, 18-0-5
-* https://cwe.mitre.org/data/definitions/120[MITRE, CWE-120] - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
+* CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1057/plsql/rule.adoc b/rules/S1057/plsql/rule.adoc
index 594d1a0dbf..a7830fcabd 100644
--- a/rules/S1057/plsql/rule.adoc
+++ b/rules/S1057/plsql/rule.adoc
@@ -27,9 +27,9 @@ END;
 == Resources
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://cwe.mitre.org/data/definitions/269[MITRE, CWE-269] - Improper Privilege Management
-* https://cwe.mitre.org/data/definitions/270[MITRE, CWE-270] - Privilege Context Switching Error
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* CWE - https://cwe.mitre.org/data/definitions/269[CWE-269 - Improper Privilege Management]
+* CWE - https://cwe.mitre.org/data/definitions/270[CWE-270 - Privilege Context Switching Error]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S106/cfamily/rule.adoc b/rules/S106/cfamily/rule.adoc
index 2201acb8fe..e78fa442a2 100644
--- a/rules/S106/cfamily/rule.adoc
+++ b/rules/S106/cfamily/rule.adoc
@@ -32,8 +32,8 @@ void doSomething()
 == Resources
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S106/csharp/rule.adoc b/rules/S106/csharp/rule.adoc
index f40656a643..fc6644bc67 100644
--- a/rules/S106/csharp/rule.adoc
+++ b/rules/S106/csharp/rule.adoc
@@ -52,7 +52,7 @@ public class MyClass
 == Resources
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S106/java/rule.adoc b/rules/S106/java/rule.adoc
index 58d8a6e296..051e651e07 100644
--- a/rules/S106/java/rule.adoc
+++ b/rules/S106/java/rule.adoc
@@ -40,8 +40,8 @@ class MyClass {
 === Documentation
 * https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html[Java SE 7 API Specification: java.util.logging.Logger]
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://wiki.sei.cmu.edu/confluence/x/nzdGBQ[CERT, ERR02-J.] - Prevent exceptions while logging data
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S106/javascript/rule.adoc b/rules/S106/javascript/rule.adoc
index f98542da72..effdd0772a 100644
--- a/rules/S106/javascript/rule.adoc
+++ b/rules/S106/javascript/rule.adoc
@@ -39,8 +39,8 @@ function doSomething() {
 == Resources
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1079/cfamily/rule.adoc b/rules/S1079/cfamily/rule.adoc
index 8fdcd25dea..07b6b758d1 100644
--- a/rules/S1079/cfamily/rule.adoc
+++ b/rules/S1079/cfamily/rule.adoc
@@ -48,8 +48,8 @@ If this code is given the word ``noncompliant`` as an input, ``noncompli␀`` wi
 === Standards
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
-* MITRE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input] ('Classic Buffer Overflow')
-* MITRE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
+* CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input] ('Classic Buffer Overflow')
+* CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1104/see.adoc b/rules/S1104/see.adoc
index 075bfd5c1b..092992df5a 100644
--- a/rules/S1104/see.adoc
+++ b/rules/S1104/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/493[MITRE, CWE-493] - Critical Public Variable Without Final Modifier
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/493[CWE-493 - Critical Public Variable Without Final Modifier]
\ No newline at end of file
diff --git a/rules/S1111/java/rule.adoc b/rules/S1111/java/rule.adoc
index 82ee87627b..6b6c3fca5c 100644
--- a/rules/S1111/java/rule.adoc
+++ b/rules/S1111/java/rule.adoc
@@ -26,7 +26,7 @@ public void dispose() throws Throwable {
 == Resources
 * https://docs.oracle.com/javase/specs/jls/se17/html/jls-12.html#jls-12.6[docs.oracle.com] - Finalization of Class Instances
-* https://cwe.mitre.org/data/definitions/586[MITRE, CWE-586] - Explicit Call to Finalize()
+* CWE - https://cwe.mitre.org/data/definitions/586[CWE-586 - Explicit Call to Finalize()]
 * https://wiki.sei.cmu.edu/confluence/x/4jZGBQ[CERT, MET12-J.] - Do not use finalizers
diff --git a/rules/S1114/java/rule.adoc b/rules/S1114/java/rule.adoc
index bf1db4e184..e63dbc20ff 100644
--- a/rules/S1114/java/rule.adoc
+++ b/rules/S1114/java/rule.adoc
@@ -33,7 +33,7 @@ protected void finalize() {
 == Resources
-* https://cwe.mitre.org/data/definitions/568[MITRE, CWE-568] - finalize() Method Without super.finalize()
+* CWE - https://cwe.mitre.org/data/definitions/568[CWE-568 - finalize() Method Without super.finalize()]
 * https://wiki.sei.cmu.edu/confluence/x/4jZGBQ[CERT, MET12-J.] - Do not use finalizers
diff --git a/rules/S112/cfamily/rule.adoc b/rules/S112/cfamily/rule.adoc
index dedcf9611c..818ba1fd0f 100644
--- a/rules/S112/cfamily/rule.adoc
+++ b/rules/S112/cfamily/rule.adoc
@@ -99,7 +99,7 @@ void checkState(S state) {
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/397[397 Declaration of Throws for Generic Exception]
+* CWE - https://cwe.mitre.org/data/definitions/397[CWE-397 Declaration of Throws for Generic Exception]
 === External coding guidelines
diff --git a/rules/S112/java/rule.adoc b/rules/S112/java/rule.adoc
index 84d832c0e2..cf5e39294c 100644
--- a/rules/S112/java/rule.adoc
+++ b/rules/S112/java/rule.adoc
@@ -67,7 +67,7 @@ void checkValue(int value) {
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/397[397 Declaration of Throws for Generic Exception]
+* CWE - https://cwe.mitre.org/data/definitions/397[CWE-397 Declaration of Throws for Generic Exception]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/_DdGBQ[ERR07-J. Do not throw RuntimeException, Exception, or Throwable]
 === Related rules
diff --git a/rules/S112/see.adoc b/rules/S112/see.adoc
index 611ea4f80a..ace1c6dcb8 100644
--- a/rules/S112/see.adoc
+++ b/rules/S112/see.adoc
@@ -2,4 +2,4 @@
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/397[397 Declaration of Throws for Generic Exception]
+* CWE - https://cwe.mitre.org/data/definitions/397[CWE-397 Declaration of Throws for Generic Exception]
diff --git a/rules/S1121/cfamily/rule.adoc b/rules/S1121/cfamily/rule.adoc
index 2914061eb0..172384cd54 100644
--- a/rules/S1121/cfamily/rule.adoc
+++ b/rules/S1121/cfamily/rule.adoc
@@ -35,7 +35,7 @@ while ((run = keepRunning())) {
 === Documentation
-* CWE - https://cwe.mitre.org/data/definitions/481[481: Assigning instead of Comparing]
+* CWE - https://cwe.mitre.org/data/definitions/481[CWE-481: Assigning instead of Comparing]
 === Standards
diff --git a/rules/S1121/see.adoc b/rules/S1121/see.adoc
index 192f7097a3..9ad3e5edd4 100644
--- a/rules/S1121/see.adoc
+++ b/rules/S1121/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/481[MITRE, CWE-481] - Assigning instead of Comparing
+* CWE - https://cwe.mitre.org/data/definitions/481[CWE-481 - Assigning instead of Comparing]
diff --git a/rules/S1127/rule.adoc b/rules/S1127/rule.adoc
index 68a686d58f..91eac6ddf5 100644
--- a/rules/S1127/rule.adoc
+++ b/rules/S1127/rule.adoc
@@ -25,7 +25,7 @@ if (!"foo".equals(variable)) { /* ... */ }
 == Resources
-* https://cwe.mitre.org/data/definitions/597[MITRE, CWE-597] - Use of Wrong Operator in String Comparison
+* CWE - https://cwe.mitre.org/data/definitions/597[CWE-597 - Use of Wrong Operator in String Comparison]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1134/resources.adoc b/rules/S1134/resources.adoc
index 5d080ad668..1f8e05e352 100644
--- a/rules/S1134/resources.adoc
+++ b/rules/S1134/resources.adoc
@@ -2,4 +2,4 @@
 === Documentation
-* https://cwe.mitre.org/data/definitions/546[MITRE, CWE-546 - Suspicious Comment]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/546[CWE-546 - Suspicious Comment]
\ No newline at end of file
diff --git a/rules/S1135/see.adoc b/rules/S1135/see.adoc
index 2ae71e780d..2593a3369e 100644
--- a/rules/S1135/see.adoc
+++ b/rules/S1135/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/546[MITRE, CWE-546] - Suspicious Comment
+* CWE - https://cwe.mitre.org/data/definitions/546[CWE-546 - Suspicious Comment]
diff --git a/rules/S1143/cfamily/rule.adoc b/rules/S1143/cfamily/rule.adoc
index d8eb25cc12..018abd7676 100644
--- a/rules/S1143/cfamily/rule.adoc
+++ b/rules/S1143/cfamily/rule.adoc
@@ -41,7 +41,7 @@ void fun() {
 == Resources
-* https://cwe.mitre.org/data/definitions/584[MITRE, CWE-584] - Return Inside Finally Block
+* CWE - https://cwe.mitre.org/data/definitions/584[CWE-584 - Return Inside Finally Block]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1143/java/rule.adoc b/rules/S1143/java/rule.adoc
index c0baf2198e..dea38d0ea0 100644
--- a/rules/S1143/java/rule.adoc
+++ b/rules/S1143/java/rule.adoc
@@ -69,7 +69,7 @@ public static void doSomethingWhichThrowsException() {
 == Resources
-* https://cwe.mitre.org/data/definitions/584[MITRE, CWE-584] - Return Inside Finally Block
+* CWE - https://cwe.mitre.org/data/definitions/584[CWE-584 - Return Inside Finally Block]
 * https://wiki.sei.cmu.edu/confluence/x/BTdGBQ[CERT, ERR04-J.] - Do not complete abruptly from a finally block
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1145/see.adoc b/rules/S1145/see.adoc
index 9bdbf250da..ae6d0c8750 100644
--- a/rules/S1145/see.adoc
+++ b/rules/S1145/see.adoc
@@ -1,5 +1,5 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
-* https://cwe.mitre.org/data/definitions/570[MITRE, CWE-570] - Expression is Always False
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
+* CWE - https://cwe.mitre.org/data/definitions/570[CWE-570 - Expression is Always False]
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
\ No newline at end of file
diff --git a/rules/S1147/java/rule.adoc b/rules/S1147/java/rule.adoc
index faf26aa72a..b785aca066 100644
--- a/rules/S1147/java/rule.adoc
+++ b/rules/S1147/java/rule.adoc
@@ -20,7 +20,7 @@ These methods are ignored inside ``++main++``.
 == Resources
-* https://cwe.mitre.org/data/definitions/382[MITRE, CWE-382] - Use of System.exit()
+* CWE - https://cwe.mitre.org/data/definitions/382[CWE-382 - Use of System.exit()]
 * https://wiki.sei.cmu.edu/confluence/x/7zZGBQ[CERT, ERR09-J.] - Do not allow untrusted code to terminate the JVM
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1148/java/rule.adoc b/rules/S1148/java/rule.adoc
index fe97062445..1f3080b81b 100644
--- a/rules/S1148/java/rule.adoc
+++ b/rules/S1148/java/rule.adoc
@@ -37,8 +37,8 @@ try {
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1166/java/rule.adoc b/rules/S1166/java/rule.adoc
index eb8f1f89b0..11d73e78b4 100644
--- a/rules/S1166/java/rule.adoc
+++ b/rules/S1166/java/rule.adoc
@@ -10,10 +10,10 @@ include::../exceptions.adoc[]
 == Resources
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[OWASP Top 10 2017 Category A10] - Insufficient Logging & Monitoring
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
 * https://wiki.sei.cmu.edu/confluence/x/xDdGBQ[CERT, ERR00-J.] - Do not suppress or ignore checked exceptions
-* https://cwe.mitre.org/data/definitions/778[MITRE, CWE-778] - Insufficient Logging
+* CWE - https://cwe.mitre.org/data/definitions/778[CWE-778 - Insufficient Logging]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1166/see.adoc b/rules/S1166/see.adoc
index ad80faa5c5..9014537c1e 100644
--- a/rules/S1166/see.adoc
+++ b/rules/S1166/see.adoc
@@ -1,5 +1,5 @@
 == Resources
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[OWASP Top 10 2017 Category A10] - Insufficient Logging & Monitoring
-* https://cwe.mitre.org/data/definitions/778[MITRE, CWE-778] - Insufficient Logging
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
+* CWE - https://cwe.mitre.org/data/definitions/778[CWE-778 - Insufficient Logging]
diff --git a/rules/S1169/plsql/rule.adoc b/rules/S1169/plsql/rule.adoc
index 4f3e3b7065..fbb9cf4f0d 100644
--- a/rules/S1169/plsql/rule.adoc
+++ b/rules/S1169/plsql/rule.adoc
@@ -54,7 +54,7 @@ END;
 == Resources
-* https://cwe.mitre.org/data/definitions/391[MITRE, CWE-391] - Unchecked Error Condition
+* CWE - https://cwe.mitre.org/data/definitions/391[CWE-391 - Unchecked Error Condition]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1174/java/rule.adoc b/rules/S1174/java/rule.adoc
index 4e62d58669..865675b6b8 100644
--- a/rules/S1174/java/rule.adoc
+++ b/rules/S1174/java/rule.adoc
@@ -21,7 +21,7 @@ public class MyClass {
 == Resources
-* https://cwe.mitre.org/data/definitions/583[MITRE, CWE-583] - finalize() Method Declared Public
+* CWE - https://cwe.mitre.org/data/definitions/583[CWE-583 - finalize() Method Declared Public]
 * https://wiki.sei.cmu.edu/confluence/x/4jZGBQ[CERT, MET12-J.] - Do not use finalizers
diff --git a/rules/S1181/cfamily/rule.adoc b/rules/S1181/cfamily/rule.adoc
index 9568f34e0f..e5f5124d58 100644
--- a/rules/S1181/cfamily/rule.adoc
+++ b/rules/S1181/cfamily/rule.adoc
@@ -40,7 +40,7 @@ Additionally, if the ``++catch++`` handler is throwing an exception (either the
 == Resources
-* https://cwe.mitre.org/data/definitions/396[MITRE, CWE-396] - Declaration of Catch for Generic Exception
+* CWE - https://cwe.mitre.org/data/definitions/396[CWE-396 - Declaration of Catch for Generic Exception]
 * {cpp} Core Guidelines - https://github.com/isocpp/CppCoreGuidelines/blob/e49158a/CppCoreGuidelines.md#e14-use-purpose-designed-user-defined-types-as-exceptions-not-built-in-types[E.14: Use purpose-designed user-defined types as exceptions (not built-in types)]
diff --git a/rules/S1181/java/rule.adoc b/rules/S1181/java/rule.adoc
index b176612880..797a929e8b 100644
--- a/rules/S1181/java/rule.adoc
+++ b/rules/S1181/java/rule.adoc
@@ -26,7 +26,7 @@ try { /* ... */ } catch (MyException e) { /* ... */ }
 == Resources
-* https://cwe.mitre.org/data/definitions/396[MITRE, CWE-396] - Declaration of Catch for Generic Exception
+* CWE - https://cwe.mitre.org/data/definitions/396[CWE-396 - Declaration of Catch for Generic Exception]
 * https://wiki.sei.cmu.edu/confluence/display/java/ERR08-J.+Do+not+catch+NullPointerException+or+any+of+its+ancestors[CERT, ERR08-J.] - Do not catch NullPointerException or any of its ancestors
diff --git a/rules/S1182/java/rule.adoc b/rules/S1182/java/rule.adoc
index a354e1d246..2f98c470fa 100644
--- a/rules/S1182/java/rule.adoc
+++ b/rules/S1182/java/rule.adoc
@@ -80,7 +80,7 @@ class Application {
 == Resources
-* https://cwe.mitre.org/data/definitions/580[MITRE, CWE-580] - clone() Method Without super.clone()
+* CWE - https://cwe.mitre.org/data/definitions/580[CWE-580 - clone() Method Without super.clone()]
 * https://wiki.sei.cmu.edu/confluence/x/FjZGBQ[CERT, MET53-J.] - Ensure that the clone() method calls super.clone()
diff --git a/rules/S1206/csharp/rule.adoc b/rules/S1206/csharp/rule.adoc
index efba7739cc..edae812c38 100644
--- a/rules/S1206/csharp/rule.adoc
+++ b/rules/S1206/csharp/rule.adoc
@@ -45,7 +45,7 @@ class MyClass
 === Documentation
-* https://cwe.mitre.org/data/definitions/581[MITRE, CWE-581] - Object Model Violation: Just One of Equals and Hashcode Defined
+* CWE - https://cwe.mitre.org/data/definitions/581[CWE-581 - Object Model Violation: Just One of Equals and Hashcode Defined]
 * https://learn.microsoft.com/en-us/dotnet/api/system.object.equals[Object.Equals Method]
 * https://learn.microsoft.com/en-us/dotnet/api/system.object.gethashcode[Object.GetHashCode Method]
 * https://learn.microsoft.com/en-us/dotnet/api/system.collections.hashtable[Hashtable class]
diff --git a/rules/S1206/java/rule.adoc b/rules/S1206/java/rule.adoc
index 4ffc5b70da..708d4a5a3e 100644
--- a/rules/S1206/java/rule.adoc
+++ b/rules/S1206/java/rule.adoc
@@ -54,7 +54,7 @@ class MyClass { // Compliant
 == Resources
-* https://cwe.mitre.org/data/definitions/581[MITRE, CWE-581] - Object Model Violation: Just One of Equals and Hashcode Defined
+* CWE - https://cwe.mitre.org/data/definitions/581[CWE-581 - Object Model Violation: Just One of Equals and Hashcode Defined]
 * https://wiki.sei.cmu.edu/confluence/x/7DVGBQ[CERT, MET09-J.] - Classes that define an equals() method must also define a hashCode() method
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1279/cobol/rule.adoc b/rules/S1279/cobol/rule.adoc
index b4d61dfed7..a2f7b17f7b 100644
--- a/rules/S1279/cobol/rule.adoc
+++ b/rules/S1279/cobol/rule.adoc
@@ -13,8 +13,8 @@ DISPLAY "hello world" *> Noncompliant
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S128/cfamily/rule.adoc b/rules/S128/cfamily/rule.adoc
index 72d0d25e9a..ab068ff876 100644
--- a/rules/S128/cfamily/rule.adoc
+++ b/rules/S128/cfamily/rule.adoc
@@ -54,7 +54,7 @@ switch (myVariable) {
 * MISRA {cpp}:2008, 6-4-5 - An unconditional throw or break statement shall terminate every non-empty switch-clause
 * MISRA C:2012, 16.1 - All switch statements shall be well-formed
 * MISRA C:2012, 16.3 - An unconditional break statement shall terminate every switch-clause
-* https://cwe.mitre.org/data/definitions/484[MITRE, CWE-484] - Omitted Break Statement in Switch
+* CWE - https://cwe.mitre.org/data/definitions/484[CWE-484 - Omitted Break Statement in Switch]
 * https://wiki.sei.cmu.edu/confluence/x/ldYxBQ[CERT, MSC17-C.] - Finish every set of statements associated with a case label with a break statement
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S128/java/rule.adoc b/rules/S128/java/rule.adoc
index f7cd76258e..9fd04bf736 100644
--- a/rules/S128/java/rule.adoc
+++ b/rules/S128/java/rule.adoc
@@ -32,7 +32,7 @@ switch (myVariable) {
 == Resources
-* https://cwe.mitre.org/data/definitions/484[MITRE, CWE-484] - Omitted Break Statement in Switch
+* CWE - https://cwe.mitre.org/data/definitions/484[CWE-484 - Omitted Break Statement in Switch]
 * https://wiki.sei.cmu.edu/confluence/x/ldYxBQ[CERT, MSC17-C.] - Finish every set of statements associated with a case label with a break statement
 * https://wiki.sei.cmu.edu/confluence/x/1DdGBQ[CERT, MSC52-J.] - Finish every set of statements associated with a case label with a break statement
diff --git a/rules/S128/see.adoc b/rules/S128/see.adoc
index 1e2fc7884f..3c581c3105 100644
--- a/rules/S128/see.adoc
+++ b/rules/S128/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/484[MITRE, CWE-484] - Omitted Break Statement in Switch
+* CWE - https://cwe.mitre.org/data/definitions/484[CWE-484 - Omitted Break Statement in Switch]
diff --git a/rules/S131/cfamily/rule.adoc b/rules/S131/cfamily/rule.adoc
index 2087f2fc4a..f4d41b1b12 100644
--- a/rules/S131/cfamily/rule.adoc
+++ b/rules/S131/cfamily/rule.adoc
@@ -47,7 +47,7 @@ switch (param) {
 * MISRA C:2012, 16.1 - All switch statements shall be well-formed
 * MISRA C:2012, 16.4 - Every _switch_ statement shall have a _default_ label
 * MISRA C:2012, 16.5 - A _default_ label shall appear as either the first or the last _switch label_ of a _switch_ statement
-* https://cwe.mitre.org/data/definitions/478[MITRE, CWE-478] - Missing Default Case in Switch Statement
+* CWE - https://cwe.mitre.org/data/definitions/478[CWE-478 - Missing Default Case in Switch Statement]
 * https://wiki.sei.cmu.edu/confluence/x/RtYxBQ[CERT, MSC01-C.] - Strive for logical completeness
 === Related rules
diff --git a/rules/S131/java/rule.adoc b/rules/S131/java/rule.adoc
index b73ed733ea..9f9edec1ae 100644
--- a/rules/S131/java/rule.adoc
+++ b/rules/S131/java/rule.adoc
@@ -70,7 +70,7 @@ switch(day) {
 == Resources
-* https://cwe.mitre.org/data/definitions/478[MITRE, CWE-478] - Missing Default Case in Switch Statement
+* CWE - https://cwe.mitre.org/data/definitions/478[CWE-478 - Missing Default Case in Switch Statement]
 * https://wiki.sei.cmu.edu/confluence/x/RtYxBQ[CERT, MSC01-C.] - Strive for logical completeness
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S131/see.adoc b/rules/S131/see.adoc
index 584cca65ac..4f1db9725e 100644
--- a/rules/S131/see.adoc
+++ b/rules/S131/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/478[MITRE, CWE-478] - Missing Default Case in Switch Statement
+* CWE - https://cwe.mitre.org/data/definitions/478[CWE-478 - Missing Default Case in Switch Statement]
diff --git a/rules/S1313/cfamily/rule.adoc b/rules/S1313/cfamily/rule.adoc
index 5c659794fb..35630b0060 100644
--- a/rules/S1313/cfamily/rule.adoc
+++ b/rules/S1313/cfamily/rule.adoc
@@ -35,8 +35,8 @@ No issue is reported for the following cases because they are not considered sen
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1313/java/rule.adoc b/rules/S1313/java/rule.adoc
index e974236ef8..5249cc6535 100644
--- a/rules/S1313/java/rule.adoc
+++ b/rules/S1313/java/rule.adoc
@@ -32,8 +32,8 @@ No issue is reported for the following cases because they are not considered sen
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1313/see.adoc b/rules/S1313/see.adoc
index 752babd743..b11fd3dfbe 100644
--- a/rules/S1313/see.adoc
+++ b/rules/S1313/see.adoc
@@ -1,4 +1,4 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
diff --git a/rules/S1442/see.adoc b/rules/S1442/see.adoc
index c9d8d60cc9..b9d37e2e88 100644
--- a/rules/S1442/see.adoc
+++ b/rules/S1442/see.adoc
@@ -1,4 +1,4 @@
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
\ No newline at end of file
diff --git a/rules/S1444/flex/rule.adoc b/rules/S1444/flex/rule.adoc
index 26a4374772..5879b0dd67 100644
--- a/rules/S1444/flex/rule.adoc
+++ b/rules/S1444/flex/rule.adoc
@@ -25,7 +25,7 @@ public class Greeter {
 == Resources
-* https://cwe.mitre.org/data/definitions/500[MITRE, CWE-500] - Public Static Field Not Marked Final
+* CWE - https://cwe.mitre.org/data/definitions/500[CWE-500 - Public Static Field Not Marked Final]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1444/java/rule.adoc b/rules/S1444/java/rule.adoc
index 4fb7318e83..893a2e066f 100644
--- a/rules/S1444/java/rule.adoc
+++ b/rules/S1444/java/rule.adoc
@@ -24,7 +24,7 @@ public class Greeter {
 == Resources
-* https://cwe.mitre.org/data/definitions/500[MITRE, CWE-500] - Public Static Field Not Marked Final
+* CWE - https://cwe.mitre.org/data/definitions/500[CWE-500 - Public Static Field Not Marked Final]
 * https://wiki.sei.cmu.edu/confluence/x/WjdGBQ[CERT OBJ10-J.] - Do not use public static nonfinal fields
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1480/plsql/rule.adoc b/rules/S1480/plsql/rule.adoc
index d293d5281a..f8530d753b 100644
--- a/rules/S1480/plsql/rule.adoc
+++ b/rules/S1480/plsql/rule.adoc
@@ -5,4 +5,4 @@ TODO
 == Resources
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459] - Incomplete Cleanup
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
diff --git a/rules/S1486/abap/rule.adoc b/rules/S1486/abap/rule.adoc
index 2976aa8d3f..232ca6ef19 100644
--- a/rules/S1486/abap/rule.adoc
+++ b/rules/S1486/abap/rule.adoc
@@ -26,8 +26,8 @@ ENDIF.
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1493/see.adoc b/rules/S1493/see.adoc
index 815f337daa..37995976a8 100644
--- a/rules/S1493/see.adoc
+++ b/rules/S1493/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - SQL Injection
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - SQL Injection]
diff --git a/rules/S1523/see.adoc b/rules/S1523/see.adoc
index b63f294524..1ff693ef48 100644
--- a/rules/S1523/see.adoc
+++ b/rules/S1523/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/95[MITRE, CWE-95] - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
diff --git a/rules/S1525/javascript/rule.adoc b/rules/S1525/javascript/rule.adoc
index 3c1a70500a..158916ab59 100644
--- a/rules/S1525/javascript/rule.adoc
+++ b/rules/S1525/javascript/rule.adoc
@@ -29,8 +29,8 @@ for (i = 1; i<5; i++) {
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1573/rule.adoc b/rules/S1573/rule.adoc
index 47fc1443da..abbbde325d 100644
--- a/rules/S1573/rule.adoc
+++ b/rules/S1573/rule.adoc
@@ -5,5 +5,5 @@ If you do not explicitly close a cursor, it will be closed at the end of the tas
 == Resources
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459] - Incomplete Cleanup
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
diff --git a/rules/S1628/rpg/rule.adoc b/rules/S1628/rpg/rule.adoc
index e537905402..83637a094c 100644
--- a/rules/S1628/rpg/rule.adoc
+++ b/rules/S1628/rpg/rule.adoc
@@ -32,8 +32,8 @@ The ``++DEBUG(*YES)++`` and ``++DUMP++`` statements are useful during developmen
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1630/rpg/rule.adoc b/rules/S1630/rpg/rule.adoc
index 727d8154d5..9a16a16b8c 100644
--- a/rules/S1630/rpg/rule.adoc
+++ b/rules/S1630/rpg/rule.adoc
@@ -57,7 +57,7 @@ F INFSR(*PSSR)
 == Resources
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459] - Incomplete Cleanup
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
diff --git a/rules/S1674/abap/rule.adoc b/rules/S1674/abap/rule.adoc
index 93fcbfabaf..e0090bfcef 100644
--- a/rules/S1674/abap/rule.adoc
+++ b/rules/S1674/abap/rule.adoc
@@ -37,8 +37,8 @@ When a block contains a comment, it is not considered to be empty.
 == Resources
-* https://cwe.mitre.org/data/definitions/391[MITRE, CWE-391] - Unchecked Error Condition
-* OWASP Top 10 2017 Category A10 - Insufficient Logging & Monitoring
+* CWE - https://cwe.mitre.org/data/definitions/391[CWE-391 - Unchecked Error Condition]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1685/cobol/rule.adoc b/rules/S1685/cobol/rule.adoc
index 3dbb7bb8d8..c8c7f6e9cb 100644
--- a/rules/S1685/cobol/rule.adoc
+++ b/rules/S1685/cobol/rule.adoc
@@ -21,8 +21,8 @@ SOURCE-COMPUTER. IBM-370.
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1696/csharp/rule.adoc b/rules/S1696/csharp/rule.adoc
index 30707ec582..ea09fe1bfb 100644
--- a/rules/S1696/csharp/rule.adoc
+++ b/rules/S1696/csharp/rule.adoc
@@ -43,7 +43,7 @@ public int GetLengthPlusTwo(string str)
 == Resources
-* https://cwe.mitre.org/data/definitions/395[MITRE, CWE-395] - Use of NullPointerException Catch to Detect NULL Pointer Dereference
+* CWE - https://cwe.mitre.org/data/definitions/395[CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1696/java/rule.adoc b/rules/S1696/java/rule.adoc
index 689f4ffae5..c1c1af886c 100644
--- a/rules/S1696/java/rule.adoc
+++ b/rules/S1696/java/rule.adoc
@@ -40,7 +40,7 @@ public int lengthPlus(String str) {
 == Resources
-* https://cwe.mitre.org/data/definitions/395[MITRE, CWE-395] - Use of NullPointerException Catch to Detect NULL Pointer Dereference
+* CWE - https://cwe.mitre.org/data/definitions/395[CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference]
 * https://tinyurl.com/y6r4amg3[CERT, ERR08-J.] - Do not catch NullPointerException or any of its ancestors
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1698/java/rule.adoc b/rules/S1698/java/rule.adoc
index 3e23d9ddbf..1ed4c50e28 100644
--- a/rules/S1698/java/rule.adoc
+++ b/rules/S1698/java/rule.adoc
@@ -78,8 +78,8 @@ Comparing with ``++java.lang.String++`` and boxed types ``++java.lang.Integer++`
 == Resources
 * S4973 - Strings and Boxed types should be compared using "equals()"
-* https://cwe.mitre.org/data/definitions/595[MITRE, CWE-595] - Comparison of Object References Instead of Object Contents
-* https://cwe.mitre.org/data/definitions/597[MITRE, CWE-597] - Use of Wrong Operator in String Comparison
+* CWE - https://cwe.mitre.org/data/definitions/595[CWE-595 - Comparison of Object References Instead of Object Contents]
+* CWE - https://cwe.mitre.org/data/definitions/597[CWE-597 - Use of Wrong Operator in String Comparison]
 * https://wiki.sei.cmu.edu/confluence/x/UjdGBQ[CERT, EXP03-J.] - Do not use the equality operators when comparing values of boxed primitives
 * https://wiki.sei.cmu.edu/confluence/x/yDdGBQ[CERT, EXP50-J.] - Do not confuse abstract object equality with reference equality
diff --git a/rules/S1698/see.adoc b/rules/S1698/see.adoc
index 10448ec2b7..3d4597a3b8 100644
--- a/rules/S1698/see.adoc
+++ b/rules/S1698/see.adoc
@@ -1,4 +1,4 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/595[MITRE, CWE-595] - Comparison of Object References Instead of Object Contents
-* https://cwe.mitre.org/data/definitions/597[MITRE, CWE-597] - Use of Wrong Operator in String Comparison
+* CWE - https://cwe.mitre.org/data/definitions/595[CWE-595 - Comparison of Object References Instead of Object Contents]
+* CWE - https://cwe.mitre.org/data/definitions/597[CWE-597 - Use of Wrong Operator in String Comparison]
diff --git a/rules/S1724/rule.adoc b/rules/S1724/rule.adoc
index 6075fc5a9d..1ff3f4de2c 100644
--- a/rules/S1724/rule.adoc
+++ b/rules/S1724/rule.adoc
@@ -37,7 +37,7 @@ class Bar extends Foo { ... } // compliant Bar is deprecated.
 == Resources
-* https://cwe.mitre.org/data/definitions/477[MITRE, CWE-477] - Use of Obsolete Functions
+* CWE - https://cwe.mitre.org/data/definitions/477[CWE-477 - Use of Obsolete Functions]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1725/cobol/rule.adoc b/rules/S1725/cobol/rule.adoc
index 3af7860aa5..6fe16d1dd3 100644
--- a/rules/S1725/cobol/rule.adoc
+++ b/rules/S1725/cobol/rule.adoc
@@ -23,7 +23,7 @@ CLOSE my-file
 == Resources
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459] - Incomplete Cleanup
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1763/cfamily/rule.adoc b/rules/S1763/cfamily/rule.adoc
index a426a903d8..25c7436d19 100644
--- a/rules/S1763/cfamily/rule.adoc
+++ b/rules/S1763/cfamily/rule.adoc
@@ -80,7 +80,7 @@ int divide(int a, int b) {
 * MISRA C:2004, 14.1 - There shall be no unreachable code
 * MISRA {cpp}:2008, 0-1-1 - A project shall not contain unreachable code
 * MISRA C:2012, 2.1 - A project shall not contain unreachable code
-* https://cwe.mitre.org/data/definitions/561[MITRE, CWE-561] - Dead Code
+* CWE - https://cwe.mitre.org/data/definitions/561[CWE-561 - Dead Code]
 * https://wiki.sei.cmu.edu/confluence/x/5dUxBQ[CERT, MSC12-C.] - Detect and remove code that has no effect or is never executed
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1763/see.adoc b/rules/S1763/see.adoc
index abf749f4b8..af11a3ff52 100644
--- a/rules/S1763/see.adoc
+++ b/rules/S1763/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/561[MITRE, CWE-561] - Dead Code
+* CWE - https://cwe.mitre.org/data/definitions/561[CWE-561 - Dead Code]
diff --git a/rules/S1854/cfamily/rule.adoc b/rules/S1854/cfamily/rule.adoc
index 511c381dd7..c45cef7b2e 100644
--- a/rules/S1854/cfamily/rule.adoc
+++ b/rules/S1854/cfamily/rule.adoc
@@ -176,7 +176,7 @@ void caller() {
 === Standards
 * CERT - https://wiki.sei.cmu.edu/confluence/x/39UxBQ[MSC13-C. Detect and remove unused values]
-* CWE - https://cwe.mitre.org/data/definitions/563[563 - Assignment to Variable without Use ('Unused Variable')]
+* CWE - https://cwe.mitre.org/data/definitions/563[CWE-563 - Assignment to Variable without Use ('Unused Variable')]
 === Related rules
diff --git a/rules/S1854/see.adoc b/rules/S1854/see.adoc
index a57fe8a745..1e689581ea 100644
--- a/rules/S1854/see.adoc
+++ b/rules/S1854/see.adoc
@@ -2,4 +2,4 @@
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/563[563 - Assignment to Variable without Use ('Unused Variable')]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/563[CWE-563 - Assignment to Variable without Use ('Unused Variable')]
\ No newline at end of file
diff --git a/rules/S1872/java/rule.adoc b/rules/S1872/java/rule.adoc
index bfadafe4a1..6e05226189 100644
--- a/rules/S1872/java/rule.adoc
+++ b/rules/S1872/java/rule.adoc
@@ -56,7 +56,7 @@ class Store {
 == Resources
-* https://cwe.mitre.org/data/definitions/486[MITRE, CWE-486] - Comparison of Classes by Name
+* CWE - https://cwe.mitre.org/data/definitions/486[CWE-486 - Comparison of Classes by Name]
 * https://wiki.sei.cmu.edu/confluence/x/eDdGBQ[CERT, OBJ09-J.] - Compare classes and not class names
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1873/rule.adoc b/rules/S1873/rule.adoc
index cec30d09d0..d4503dcaa2 100644
--- a/rules/S1873/rule.adoc
+++ b/rules/S1873/rule.adoc
@@ -46,8 +46,8 @@ public class Estate {
 == Resources
-* https://cwe.mitre.org/data/definitions/582[MITRE, CWE-582] - Array Declared Public, Final, and Static
-* https://cwe.mitre.org/data/definitions/607[MITRE, CWE-607] - Public Static Final Field References Mutable Object
+* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]
+* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]
 * https://wiki.sei.cmu.edu/confluence/x/LjdGBQ[CERT, OBJ01-J.] - Limit accessibility of fields
 * https://wiki.sei.cmu.edu/confluence/x/VzZGBQ[CERT, OBJ13-J.] - Ensure that references to mutable objects are not exposed
diff --git a/rules/S1874/see.adoc b/rules/S1874/see.adoc
index 94078077a9..043102872c 100644
--- a/rules/S1874/see.adoc
+++ b/rules/S1874/see.adoc
@@ -1,3 +1,3 @@
 == Resources
 === Documentation
-* https://cwe.mitre.org/data/definitions/477[MITRE, CWE-477] - Use of Obsolete Functions
+* CWE - https://cwe.mitre.org/data/definitions/477[CWE-477 - Use of Obsolete Functions]
diff --git a/rules/S1875/see.adoc b/rules/S1875/see.adoc
index b762d888aa..f25a1b93b7 100644
--- a/rules/S1875/see.adoc
+++ b/rules/S1875/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/482[MITRE, CWE-482] - Comparing instead of Assigning
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/482[CWE-482 - Comparing instead of Assigning]
\ No newline at end of file
diff --git a/rules/S1876/html/rule.adoc b/rules/S1876/html/rule.adoc
index 3afea68d1b..7bfe5bd01c 100644
--- a/rules/S1876/html/rule.adoc
+++ b/rules/S1876/html/rule.adoc
@@ -45,8 +45,8 @@ It is recommended to remove the comment or change its style so that it is not ou
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/615[MITRE, CWE-615] - Information Exposure Through Comments
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/615[CWE-615 - Information Exposure Through Comments]
diff --git a/rules/S1944/csharp/rule.adoc b/rules/S1944/csharp/rule.adoc
index a764bb64ea..a19f0e41dc 100644
--- a/rules/S1944/csharp/rule.adoc
+++ b/rules/S1944/csharp/rule.adoc
@@ -86,7 +86,7 @@ public static class Program
 ** https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/type-testing-and-cast#as-operator[`as` operator]
 * https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/conversions#103-explicit-conversions[Conversions - Explicit conversions in C#]
 ** https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/conversions#1035-explicit-reference-conversions[Conversions - Explicit reference conversions in C#]
-* https://cwe.mitre.org/data/definitions/588[MITRE, CWE-588 - Attempt to Access Child of a Non-structure Pointer]
-* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704 - Incorrect Type Conversion or Cast]
+* CWE - https://cwe.mitre.org/data/definitions/588[CWE-588 - Attempt to Access Child of a Non-structure Pointer]
+* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
 include::../rspecator-dotnet.adoc[]
diff --git a/rules/S1944/java/rule.adoc b/rules/S1944/java/rule.adoc
index e8ae1b8e48..7a38c9912f 100644
--- a/rules/S1944/java/rule.adoc
+++ b/rules/S1944/java/rule.adoc
@@ -45,8 +45,8 @@ public class S1944 {
 == Resources
 * https://wiki.sei.cmu.edu/confluence/x/u9UxBQ[CERT, EXP36-C.] - Do not cast pointers into more strictly aligned pointer types
-* https://cwe.mitre.org/data/definitions/588[MITRE, CWE-588] - Attempt to Access Child of a Non-structure Pointer
-* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704] - Incorrect Type Conversion or Cast
+* CWE - https://cwe.mitre.org/data/definitions/588[CWE-588 - Attempt to Access Child of a Non-structure Pointer]
+* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1944/vbnet/rule.adoc b/rules/S1944/vbnet/rule.adoc
index 6fa317c9b3..562d052ba6 100644
--- a/rules/S1944/vbnet/rule.adoc
+++ b/rules/S1944/vbnet/rule.adoc
@@ -85,7 +85,7 @@ End Module
 * https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/operators/directcast-operator[`DirectCast` operator]
 * https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/functions/ctype-function[`CType` function]
 * https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/operators/trycast-operator[`TryCast` operator]
-* https://cwe.mitre.org/data/definitions/588[MITRE, CWE-588 - Attempt to Access Child of a Non-structure Pointer]
-* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704 - Incorrect Type Conversion or Cast]
+* CWE - https://cwe.mitre.org/data/definitions/588[CWE-588 - Attempt to Access Child of a Non-structure Pointer]
+* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
 include::../rspecator-dotnet.adoc[]
diff --git a/rules/S1948/java/rule.adoc b/rules/S1948/java/rule.adoc
index c5fcb36bff..f183443561 100644
--- a/rules/S1948/java/rule.adoc
+++ b/rules/S1948/java/rule.adoc
@@ -94,7 +94,7 @@ public class Person implements Serializable {
 == Resources
-* https://cwe.mitre.org/data/definitions/594[Saving Unserializable Objects to Disk - MITRE, CWE-594]
+* CWE - https://cwe.mitre.org/data/definitions/594[CWE-594 - Saving Unserializable Objects to Disk]
 * https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/Serializable.html[Interface Serializable - Java SE 11 API Documentation]
 * https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/Serializable.html[Interface Serializable - Java SE 17 API Documentation]
diff --git a/rules/S1951/flex/rule.adoc b/rules/S1951/flex/rule.adoc
index fbf4c289dc..cd7667c88d 100644
--- a/rules/S1951/flex/rule.adoc
+++ b/rules/S1951/flex/rule.adoc
@@ -22,8 +22,8 @@ The ``++trace()++`` function outputs debug statements, which can be read by anyo
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1966/cobol/rule.adoc b/rules/S1966/cobol/rule.adoc
index 480e5f6417..68777e5191 100644
--- a/rules/S1966/cobol/rule.adoc
+++ b/rules/S1966/cobol/rule.adoc
@@ -46,7 +46,7 @@ END-IF
 == Resources
-* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704] - Incorrect Type Conversion or Cast
+* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1967/cobol/rule.adoc b/rules/S1967/cobol/rule.adoc
index 58b7319f69..10818dd6c0 100644
--- a/rules/S1967/cobol/rule.adoc
+++ b/rules/S1967/cobol/rule.adoc
@@ -34,7 +34,7 @@ In any case, data loss is always the result when too-large values are moved to t
 == Resources
-* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704] - Incorrect Type Conversion or Cast
+* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
 === Related rules
diff --git a/rules/S1989/java/rule.adoc b/rules/S1989/java/rule.adoc
index aae44956b8..fafae9d3fb 100644
--- a/rules/S1989/java/rule.adoc
+++ b/rules/S1989/java/rule.adoc
@@ -64,8 +64,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
 === Articles & blog posts
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/600[MITRE, CWE-600] - Uncaught Exception in Servlet
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/600[CWE-600 - Uncaught Exception in Servlet]
 * https://wiki.sei.cmu.edu/confluence/x/-zZGBQ[CERT, ERR01-J.] - Do not allow exceptions to expose sensitive information
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1998/php/rule.adoc b/rules/S1998/php/rule.adoc
index b1687653b3..f5ba0b5704 100644
--- a/rules/S1998/php/rule.adoc
+++ b/rules/S1998/php/rule.adoc
@@ -39,7 +39,7 @@ myfun($name);
 === Standards
-* https://cwe.mitre.org/data/definitions/374[MITRE, CWE-374] - Weakness Base Passing Mutable Objects to an Untrusted Method
+* CWE - https://cwe.mitre.org/data/definitions/374[CWE-374 - Weakness Base Passing Mutable Objects to an Untrusted Method]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2015/php/rule.adoc b/rules/S2015/php/rule.adoc
index 9391bf379c..208c027809 100644
--- a/rules/S2015/php/rule.adoc
+++ b/rules/S2015/php/rule.adoc
@@ -31,7 +31,7 @@ if (authenticated($user)) {
 == Resources
-* https://cwe.mitre.org/data/definitions/457[MITRE, CWE-457] - Use of Uninitialized Variable
+* CWE - https://cwe.mitre.org/data/definitions/457[CWE-457 - Use of Uninitialized Variable]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2053/common/resources/standards.adoc b/rules/S2053/common/resources/standards.adoc
index 4b43cbf467..ebc61597dd 100644
--- a/rules/S2053/common/resources/standards.adoc
+++ b/rules/S2053/common/resources/standards.adoc
@@ -1,7 +1,7 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP] Top 10:2021 A02:2021 - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP] - Top 10 2017 - A03:2017 - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/759[CWE] - CWE-759: Use of a One-Way Hash without a Salt
-* https://cwe.mitre.org/data/definitions/760[CWE] - CWE-760: Use of a One-Way Hash with a Predictable Salt
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/759[CWE-759 - Use of a One-Way Hash without a Salt]
+* CWE - https://cwe.mitre.org/data/definitions/760[CWE-760 - Use of a One-Way Hash with a Predictable Salt]
diff --git a/rules/S2068/cfamily/rule.adoc b/rules/S2068/cfamily/rule.adoc
index bc6091e320..c612a90c28 100644
--- a/rules/S2068/cfamily/rule.adoc
+++ b/rules/S2068/cfamily/rule.adoc
@@ -34,10 +34,10 @@ dbi_conn_set_option(conn, "password", password.c_str()); // Compliant
 == See
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials
-* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
+* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2068/java/rule.adoc b/rules/S2068/java/rule.adoc
index d4a61f6fa4..1965c9558c 100644
--- a/rules/S2068/java/rule.adoc
+++ b/rules/S2068/java/rule.adoc
@@ -45,10 +45,10 @@ Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
 == See
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials
-* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
+* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
 * https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]
diff --git a/rules/S2068/see.adoc b/rules/S2068/see.adoc
index 03e0ce73c0..ede5332133 100644
--- a/rules/S2068/see.adoc
+++ b/rules/S2068/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials
-* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
+* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]
diff --git a/rules/S2070/see.adoc b/rules/S2070/see.adoc
index a6e6a6aa34..1322dded6e 100644
--- a/rules/S2070/see.adoc
+++ b/rules/S2070/see.adoc
@@ -1,6 +1,6 @@
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/328[MITRE, CWE-328] - Reversible One-Way Hash
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/328[CWE-328 - Reversible One-Way Hash]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://shattered.io/[SHAttered] - The first concrete collision attack against SHA-1.
\ No newline at end of file
diff --git a/rules/S2073/rule.adoc b/rules/S2073/rule.adoc
index dd2790a03e..80b3677a81 100644
--- a/rules/S2073/rule.adoc
+++ b/rules/S2073/rule.adoc
@@ -21,7 +21,7 @@ Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
 == Resources
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://cwe.mitre.org/data/definitions/780[MITRE, CWE-780] - Use of RSA Algorithm without OAEP
-* https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration[OWASP Top Ten 2013 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP]
+* OWASP - https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf[Top 10 2013 Category A5 - Security Misconfiguration]
diff --git a/rules/S2076/common/resources/standards.adoc b/rules/S2076/common/resources/standards.adoc
index 8d19ee61fa..d216c2b89d 100644
--- a/rules/S2076/common/resources/standards.adoc
+++ b/rules/S2076/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/78[MITRE, CWE-78] - Improper Neutralization of Special Elements used in an OS Command
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command]
diff --git a/rules/S2077/java/rule.adoc b/rules/S2077/java/rule.adoc
index 24a5b9d28f..78fa8c3ecd 100644
--- a/rules/S2077/java/rule.adoc
+++ b/rules/S2077/java/rule.adoc
@@ -68,12 +68,12 @@ public User getUserHibernate(org.hibernate.Session session, String data) {
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command
-* https://cwe.mitre.org/data/definitions/564[MITRE, CWE-564] - SQL Injection: Hibernate
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/943[MITRE, CWE-943] - Improper Neutralization of Special Elements in Data Query Logic
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
+* CWE - https://cwe.mitre.org/data/definitions/564[CWE-564 - SQL Injection: Hibernate]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/943[CWE-943 - Improper Neutralization of Special Elements in Data Query Logic]
 * https://wiki.sei.cmu.edu/confluence/x/ITdGBQ[CERT, IDS00-J.] - Prevent SQL injection
 * Derived from FindSecBugs rules https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA[Potential SQL/JPQL Injection (JPA)], https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO[Potential SQL/JDOQL Injection (JDO)], https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE[Potential SQL/HQL Injection (Hibernate)]
diff --git a/rules/S2077/see.adoc b/rules/S2077/see.adoc
index d3111f798a..4d8636b469 100644
--- a/rules/S2077/see.adoc
+++ b/rules/S2077/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
 * Derived from FindSecBugs rules https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA[Potential SQL/JPQL Injection (JPA)], https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO[Potential SQL/JDOQL Injection (JDO)], https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE[Potential SQL/HQL Injection (Hibernate)]
diff --git a/rules/S2078/common/resources/standards.adoc b/rules/S2078/common/resources/standards.adoc
index ed337c6224..7642868def 100644
--- a/rules/S2078/common/resources/standards.adoc
+++ b/rules/S2078/common/resources/standards.adoc
@@ -1,8 +1,8 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * https://www.ietf.org/rfc/rfc4514.txt[RFC 4514] - LDAP: String Representation of Distinguished Names
 * https://www.ietf.org/rfc/rfc4515.txt[RFC 4515] - LDAP: String Representation of Search Filters
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/90[MITRE, CWE-90] - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/90[CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')]
diff --git a/rules/S2083/common/resources/standards.adoc b/rules/S2083/common/resources/standards.adoc
index a36bf93077..fd25a09f46 100644
--- a/rules/S2083/common/resources/standards.adoc
+++ b/rules/S2083/common/resources/standards.adoc
@@ -1,8 +1,8 @@
 === Standards
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/22[MITRE, CWE-22] - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
\ No newline at end of file
diff --git a/rules/S2084/java/rule.adoc b/rules/S2084/java/rule.adoc
index c51ca8026e..eceb331c85 100644
--- a/rules/S2084/java/rule.adoc
+++ b/rules/S2084/java/rule.adoc
@@ -57,8 +57,8 @@ public class MyServlet extends HttpServlet {
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/537[MITRE, CWE-537] - Information Exposure Through Java Runtime Error Message
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/537[CWE-537 - Information Exposure Through Java Runtime Error Message]
diff --git a/rules/S2087/see.adoc b/rules/S2087/see.adoc
index 821089665c..af1522f5bf 100644
--- a/rules/S2087/see.adoc
+++ b/rules/S2087/see.adoc
@@ -1,5 +1,5 @@
 == Resources
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/261[MITRE, CWE-261] - Weak Cryptography for Passwords
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/261[CWE-261 - Weak Cryptography for Passwords]
diff --git a/rules/S2089/java/rule.adoc b/rules/S2089/java/rule.adoc
index 363832a5c0..7fdec324ef 100644
--- a/rules/S2089/java/rule.adoc
+++ b/rules/S2089/java/rule.adoc
@@ -24,9 +24,9 @@ public class MyServlet extends HttpServlet {
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://cwe.mitre.org/data/definitions/807[MITRE, CWE-807] - Reliance on Untrusted Inputs in a Security Decision
-* https://cwe.mitre.org/data/definitions/293[MITRE, CWE-293] - Using Referer Field for Authentication
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision]
+* CWE - https://cwe.mitre.org/data/definitions/293[CWE-293 - Using Referer Field for Authentication]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2091/common/resources/standards.adoc b/rules/S2091/common/resources/standards.adoc
index 2d705e8a64..33a488a32f 100644
--- a/rules/S2091/common/resources/standards.adoc
+++ b/rules/S2091/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/643[MITRE, CWE-643] - Improper Neutralization of Data within XPath Expressions
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/643[CWE-643 - Improper Neutralization of Data within XPath Expressions]
diff --git a/rules/S2092/see.adoc b/rules/S2092/see.adoc
index 0967678927..63cea73634 100644
--- a/rules/S2092/see.adoc
+++ b/rules/S2092/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
-* https://cwe.mitre.org/data/definitions/315[MITRE, CWE-315] - Cleartext Storage of Sensitive Information in a Cookie
-* https://cwe.mitre.org/data/definitions/614[MITRE, CWE-614] - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* CWE - https://cwe.mitre.org/data/definitions/315[CWE-315 - Cleartext Storage of Sensitive Information in a Cookie]
+* CWE - https://cwe.mitre.org/data/definitions/614[CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute]
diff --git a/rules/S2095/cfamily/rule.adoc b/rules/S2095/cfamily/rule.adoc
index ace78b2e73..f71a580c91 100644
--- a/rules/S2095/cfamily/rule.adoc
+++ b/rules/S2095/cfamily/rule.adoc
@@ -98,8 +98,8 @@ If falling back to low-level file operations is not necessary, one should prefer
 === Standards
 * CERT - https://wiki.sei.cmu.edu/confluence/x/QtUxBQ[FIO42-C. Close files when they are no longer needed]
-* CWE - https://cwe.mitre.org/data/definitions/459[459 Incomplete Cleanup]
-* CWE - https://cwe.mitre.org/data/definitions/772[772 Missing Release of Resource after Effective Lifetime]
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 Incomplete Cleanup]
+* CWE - https://cwe.mitre.org/data/definitions/772[CWE-772 Missing Release of Resource after Effective Lifetime]
 === Related rules
diff --git a/rules/S2095/java/rule.adoc b/rules/S2095/java/rule.adoc
index 40e99a0217..e21edc348d 100644
--- a/rules/S2095/java/rule.adoc
+++ b/rules/S2095/java/rule.adoc
@@ -92,8 +92,8 @@ catch ( ... ) {
 == Resources
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459] - Incomplete Cleanup
-* https://cwe.mitre.org/data/definitions/772[MITRE, CWE-772] - Missing Release of Resource after Effective Lifetime
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
+* CWE - https://cwe.mitre.org/data/definitions/772[CWE-772 - Missing Release of Resource after Effective Lifetime]
 * https://wiki.sei.cmu.edu/confluence/x/vjdGBQ[CERT, FIO04-J.] - Release resources when they are no longer needed
 * https://wiki.sei.cmu.edu/confluence/x/QtUxBQ[CERT, FIO42-C.] - Close files when they are no longer needed
 * https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html[Try With Resources]
diff --git a/rules/S2115/common/resources/standards.adoc b/rules/S2115/common/resources/standards.adoc
index a319a627c6..3e577366bf 100644
--- a/rules/S2115/common/resources/standards.adoc
+++ b/rules/S2115/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication.html[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/521[MITRE, CWE-521] - Weak Password Requirements
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/521[CWE-521 - Weak Password Requirements]
diff --git a/rules/S2119/java/rule.adoc b/rules/S2119/java/rule.adoc
index d927d23a35..7b8a279911 100644
--- a/rules/S2119/java/rule.adoc
+++ b/rules/S2119/java/rule.adoc
@@ -53,7 +53,7 @@ class MyClass {
 === Articles & blog posts
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://www.baeldung.com/java-generating-random-numbers[Baeldung - generating random number]
diff --git a/rules/S2142/java/rule.adoc b/rules/S2142/java/rule.adoc
index 4c5ae206a0..03580f26a6 100644
--- a/rules/S2142/java/rule.adoc
+++ b/rules/S2142/java/rule.adoc
@@ -52,7 +52,7 @@ public void run () {
 == Resources
-* https://cwe.mitre.org/data/definitions/391[MITRE, CWE-391] - Unchecked Error Condition
+* CWE - https://cwe.mitre.org/data/definitions/391[CWE-391 - Unchecked Error Condition]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2168/java/rule.adoc b/rules/S2168/java/rule.adoc
index 7d026f8bd7..f7644f0e35 100644
--- a/rules/S2168/java/rule.adoc
+++ b/rules/S2168/java/rule.adoc
@@ -75,7 +75,7 @@ public class ResourceFactory {
 * https://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html[The "Double-Checked Locking is Broken" Declaration]
 * https://wiki.sei.cmu.edu/confluence/x/6zdGBQ[CERT, LCK10-J.] - Use a correct form of the double-checked locking idiom
-* https://cwe.mitre.org/data/definitions/609[MITRE, CWE-609] - Double-checked locking
+* CWE - https://cwe.mitre.org/data/definitions/609[CWE-609 - Double-checked locking]
 * https://docs.oracle.com/javase/specs/jls/se7/html/jls-12.html#jls-12.4[JLS 12.4] - Initialization of Classes and Interfaces
 * Wikipedia: https://en.wikipedia.org/wiki/Double-checked_locking#Usage_in_Java[Double-checked locking]
diff --git a/rules/S2184/cfamily/rule.adoc b/rules/S2184/cfamily/rule.adoc
index eeb2d935de..354c37a603 100644
--- a/rules/S2184/cfamily/rule.adoc
+++ b/rules/S2184/cfamily/rule.adoc
@@ -34,7 +34,7 @@ void compliant2() {
 == Resources
 * MISRA {cpp}:2008, 5-0-8 - An explicit integral or floating-point conversion shall not increase the size of the underlying type of a cvalue expression.
-* https://cwe.mitre.org/data/definitions/190[MITRE, CWE-190] - Integer Overflow or Wraparound
+* CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2184/csharp/rule.adoc b/rules/S2184/csharp/rule.adoc
index a5c501470a..373567fdba 100644
--- a/rules/S2184/csharp/rule.adoc
+++ b/rules/S2184/csharp/rule.adoc
@@ -30,7 +30,7 @@ static void Method(float f) { }
 == Resources
-* https://cwe.mitre.org/data/definitions/190[MITRE, CWE-190] - Integer Overflow or Wraparound
+* CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2184/java/rule.adoc b/rules/S2184/java/rule.adoc
index d7778f8c15..c375c9e65b 100644
--- a/rules/S2184/java/rule.adoc
+++ b/rules/S2184/java/rule.adoc
@@ -62,7 +62,7 @@ public float compute2(float factor){
 == Resources
-* https://cwe.mitre.org/data/definitions/190[MITRE, CWE-190] - Integer Overflow or Wraparound
+* CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 * https://wiki.sei.cmu.edu/confluence/x/AjdGBQ[CERT, NUM50-J.] - Convert integers to floating point for floating-point operations
 * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size
diff --git a/rules/S2210/see.adoc b/rules/S2210/see.adoc
index 6099cb688b..d74dc7456f 100644
--- a/rules/S2210/see.adoc
+++ b/rules/S2210/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure[OWASP Top Ten 2013 Category A6] - Sensitive Data Exposure
\ No newline at end of file
+* OWASP - https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf[Top 10 2013 Category A6 - Sensitive Data Exposure]
\ No newline at end of file
diff --git a/rules/S2215/rule.adoc b/rules/S2215/rule.adoc
index 5b727e072b..498a30a3d9 100644
--- a/rules/S2215/rule.adoc
+++ b/rules/S2215/rule.adoc
@@ -29,7 +29,7 @@ void clear2(short *array, int count) {
 * https://www.securecoding.cert.org/confluence/x/6wE[CERT, ARR01-C] - Do not apply the sizeof operator to a pointer when taking the size of an array
 * https://www.securecoding.cert.org/confluence/x/9YAyAQ[CERT, CTR01-CPP] - Do not apply the sizeof operator to a pointer when taking the size of an array
-* https://cwe.mitre.org/data/definitions/467[MITRE, CWE-467] - Use of sizeof() on a Pointer Type
+* CWE - https://cwe.mitre.org/data/definitions/467[CWE-467 - Use of sizeof() on a Pointer Type]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2220/rule.adoc b/rules/S2220/rule.adoc
index 53ce62e8b8..5937dc89bc 100644
--- a/rules/S2220/rule.adoc
+++ b/rules/S2220/rule.adoc
@@ -28,5 +28,5 @@ public bool Equals (object obj) {
 == Resources
-* https://cwe.mitre.org/data/definitions/476[MITRE, CWE-476] - NULL Pointer Dereference
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
diff --git a/rules/S2221/see.adoc b/rules/S2221/see.adoc
index 250052a594..038d5482b0 100644
--- a/rules/S2221/see.adoc
+++ b/rules/S2221/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/396[MITRE, CWE-396] - Declaration of Catch for Generic Exception
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/396[CWE-396 - Declaration of Catch for Generic Exception]
\ No newline at end of file
diff --git a/rules/S2222/resources-dotnet.adoc b/rules/S2222/resources-dotnet.adoc
index 2861597b3b..74f7e6cb9f 100644
--- a/rules/S2222/resources-dotnet.adoc
+++ b/rules/S2222/resources-dotnet.adoc
@@ -1,4 +1,4 @@
 == Resources
 * https://docs.microsoft.com/en-us/dotnet/standard/threading/overview-of-synchronization-primitives#synchronization-of-access-to-a-shared-resource[Synchronization of access to a shared resource]
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459 - Incomplete Cleanup]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
\ No newline at end of file
diff --git a/rules/S2222/see.adoc b/rules/S2222/see.adoc
index a4cae39851..c6d3caa64f 100644
--- a/rules/S2222/see.adoc
+++ b/rules/S2222/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459] - Incomplete Cleanup
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
\ No newline at end of file
diff --git a/rules/S2225/java/rule.adoc b/rules/S2225/java/rule.adoc
index 6b5067ca69..cb631cb3be 100644
--- a/rules/S2225/java/rule.adoc
+++ b/rules/S2225/java/rule.adoc
@@ -27,7 +27,7 @@ public String toString () {
 == Resources
-* https://cwe.mitre.org/data/definitions/476[MITRE, CWE-476] - NULL Pointer Dereference
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
 * https://wiki.sei.cmu.edu/confluence/x/aDdGBQ[CERT, EXP01-J.] - Do not use a null in a case where an object is required
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2225/resources-dotnet.adoc b/rules/S2225/resources-dotnet.adoc
index d8c365b9cc..aa3cd0c365 100644
--- a/rules/S2225/resources-dotnet.adoc
+++ b/rules/S2225/resources-dotnet.adoc
@@ -2,5 +2,5 @@
 === Documentation
-* https://cwe.mitre.org/data/definitions/476[MITRE, CWE-476] - NULL Pointer Dereference
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
 * https://learn.microsoft.com/en-us/dotnet/api/system.object.tostring[Object.ToString Method]
\ No newline at end of file
diff --git a/rules/S2228/see.adoc b/rules/S2228/see.adoc
index 1609e6e340..e7372b52c9 100644
--- a/rules/S2228/see.adoc
+++ b/rules/S2228/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
\ No newline at end of file
diff --git a/rules/S2245/cfamily/rule.adoc b/rules/S2245/cfamily/rule.adoc
index 89948808ff..4805747336 100644
--- a/rules/S2245/cfamily/rule.adoc
+++ b/rules/S2245/cfamily/rule.adoc
@@ -48,14 +48,14 @@ void f() {
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/338[MITRE, CWE-338] - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
-* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
-* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
-* https://cwe.mitre.org/data/definitions/1241[MITRE, CWE-1241] - Use of Predictable Algorithm in Random Number Generator
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)]
+* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
 * https://wiki.sei.cmu.edu/confluence/x/UNcxBQ[CERT, MSC30-C.] - Do not use the rand() function for generating pseudorandom numbers
 * https://wiki.sei.cmu.edu/confluence/x/2ns-BQ[CERT, MSC50-CPP.] - Do not use std::rand() for generating pseudorandom numbers
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]
diff --git a/rules/S2245/java/rule.adoc b/rules/S2245/java/rule.adoc
index fe798290cb..a564299957 100644
--- a/rules/S2245/java/rule.adoc
+++ b/rules/S2245/java/rule.adoc
@@ -36,14 +36,14 @@ random.nextBytes(bytes);
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/338[MITRE, CWE-338] - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
-* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
-* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
-* https://cwe.mitre.org/data/definitions/1241[MITRE, CWE-1241] - Use of Predictable Algorithm in Random Number Generator
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)]
+* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
 * https://wiki.sei.cmu.edu/confluence/x/oTdGBQ[CERT, MSC02-J.] - Generate strong random numbers
 * https://wiki.sei.cmu.edu/confluence/x/UNcxBQ[CERT, MSC30-C.] - Do not use the rand() function for generating pseudorandom numbers
 * https://wiki.sei.cmu.edu/confluence/x/2ns-BQ[CERT, MSC50-CPP.] - Do not use std::rand() for generating pseudorandom numbers
diff --git a/rules/S2245/see.adoc b/rules/S2245/see.adoc
index f97dc9ed15..d13e131d9f 100644
--- a/rules/S2245/see.adoc
+++ b/rules/S2245/see.adoc
@@ -1,11 +1,11 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/338[MITRE, CWE-338] - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
-* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
-* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
-* https://cwe.mitre.org/data/definitions/1241[MITRE, CWE-1241] - Use of Predictable Algorithm in Random Number Generator
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)]
+* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]
diff --git a/rules/S2254/java/rule.adoc b/rules/S2254/java/rule.adoc
index e502b24141..d56127cebf 100644
--- a/rules/S2254/java/rule.adoc
+++ b/rules/S2254/java/rule.adoc
@@ -61,9 +61,9 @@ The compliant example instead uses the server's session ID to verify if the sess
 === Standards
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://cwe.mitre.org/data/definitions/807[MITRE, CWE-807] - Reliance on Untrusted Inputs in a Security Decision
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2255/java/rule.adoc b/rules/S2255/java/rule.adoc
index b61d0f81e9..5cfec78017 100644
--- a/rules/S2255/java/rule.adoc
+++ b/rules/S2255/java/rule.adoc
@@ -87,9 +87,9 @@ class Play {
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/312[MITRE, CWE-312] - Cleartext Storage of Sensitive Information
-* https://cwe.mitre.org/data/definitions/315[MITRE, CWE-315] - Cleartext Storage of Sensitive Information in a Cookie
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/312[CWE-312 - Cleartext Storage of Sensitive Information]
+* CWE - https://cwe.mitre.org/data/definitions/315[CWE-315 - Cleartext Storage of Sensitive Information in a Cookie]
 * https://wiki.sei.cmu.edu/confluence/display/java/FIO52-J.+Do+not+store+unencrypted+sensitive+information+on+the+client+side[CERT, FIO52-J.] - Do not store unencrypted sensitive information on the client side
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[COOKIE_USAGE]
diff --git a/rules/S2255/see.adoc b/rules/S2255/see.adoc
index 5c927d1e57..4a5cbb66a4 100644
--- a/rules/S2255/see.adoc
+++ b/rules/S2255/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/312[MITRE, CWE-312] - Cleartext Storage of Sensitive Information
-* https://cwe.mitre.org/data/definitions/315[MITRE, CWE-315] - Cleartext Storage of Sensitive Information in a Cookie
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/312[CWE-312 - Cleartext Storage of Sensitive Information]
+* CWE - https://cwe.mitre.org/data/definitions/315[CWE-315 - Cleartext Storage of Sensitive Information in a Cookie]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[COOKIE_USAGE]
diff --git a/rules/S2257/python/rule.adoc b/rules/S2257/python/rule.adoc
index d57159f97a..a1bd1e83c6 100644
--- a/rules/S2257/python/rule.adoc
+++ b/rules/S2257/python/rule.adoc
@@ -14,9 +14,9 @@ class CustomPasswordHasher(BasePasswordHasher): # Sensitive
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S2257/see.adoc b/rules/S2257/see.adoc
index 027f2f6ab8..11fdb49df6 100644
--- a/rules/S2257/see.adoc
+++ b/rules/S2257/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#CUSTOM_MESSAGE_DIGEST[MessageDigest is Custom]
\ No newline at end of file
diff --git a/rules/S2258/java/rule.adoc b/rules/S2258/java/rule.adoc
index dc015a2a6f..3d310fb8d4 100644
--- a/rules/S2258/java/rule.adoc
+++ b/rules/S2258/java/rule.adoc
@@ -13,8 +13,8 @@ NullCipher nc = new NullCipher();
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2259/cfamily/rule.adoc b/rules/S2259/cfamily/rule.adoc
index b64549ce15..36621ea8ec 100644
--- a/rules/S2259/cfamily/rule.adoc
+++ b/rules/S2259/cfamily/rule.adoc
@@ -115,7 +115,7 @@ include::../../../shared_content/cfamily/reference_over_nonnull_pointer.adoc[]
 === Standards
 * CERT - https://wiki.sei.cmu.edu/confluence/x/QdcxBQ[EXP34-C.Do not dereference null pointers]
-* CWE - https://cwe.mitre.org/data/definitions/476[476 NULL Pointer Dereference]
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 NULL Pointer Dereference]
 === External coding guidelines
diff --git a/rules/S2259/java/rule.adoc b/rules/S2259/java/rule.adoc
index c229e7c4eb..4fa848da10 100644
--- a/rules/S2259/java/rule.adoc
+++ b/rules/S2259/java/rule.adoc
@@ -25,7 +25,7 @@ include::compliant-code.adoc[]
 == Resources
-* MITRE, CWE-476 - https://cwe.mitre.org/data/definitions/476[NULL Pointer Dereference]
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
 * CERT, EXP34-C. - https://wiki.sei.cmu.edu/confluence/x/QdcxBQ[Do not dereference null pointers]
 * CERT, EXP01-J. - https://wiki.sei.cmu.edu/confluence/x/aDdGBQ[Do not use a null in a case where an object is required]
diff --git a/rules/S2259/python/rule.adoc b/rules/S2259/python/rule.adoc
index fb91c8449c..2694c6707a 100644
--- a/rules/S2259/python/rule.adoc
+++ b/rules/S2259/python/rule.adoc
@@ -97,7 +97,7 @@ performing the call.
 === Articles & blog posts
-* CVE - https://cwe.mitre.org/data/definitions/476[CWE-476: - NULL Pointer Dereference]
+* CVE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2259/see.adoc b/rules/S2259/see.adoc
index 13ddbbe2ee..d18d1a738b 100644
--- a/rules/S2259/see.adoc
+++ b/rules/S2259/see.adoc
@@ -2,4 +2,4 @@
 === Documentation
-* CVE - https://cwe.mitre.org/data/definitions/476[CWE-476: - NULL Pointer Dereference]
+* CVE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
diff --git a/rules/S2277/see.adoc b/rules/S2277/see.adoc
index ea8feb9ac9..681da119f2 100644
--- a/rules/S2277/see.adoc
+++ b/rules/S2277/see.adoc
@@ -1,8 +1,8 @@
 == Resources
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/780[MITRE, CWE-780] - Use of RSA Algorithm without OAEP
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#RSA_NO_PADDING[RSA NoPadding Unsafe]
\ No newline at end of file
diff --git a/rules/S2278/cfamily/rule.adoc b/rules/S2278/cfamily/rule.adoc
index 7d4e26b331..db7cb8507c 100644
--- a/rules/S2278/cfamily/rule.adoc
+++ b/rules/S2278/cfamily/rule.adoc
@@ -23,10 +23,10 @@ include::../compliant.adoc[]
 == Resources
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#DES_USAGE[DES / DESede Unsafe]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2278/java/rule.adoc b/rules/S2278/java/rule.adoc
index b510a902a1..e2b361316d 100644
--- a/rules/S2278/java/rule.adoc
+++ b/rules/S2278/java/rule.adoc
@@ -8,10 +8,10 @@ include::../compliant.adoc[]
 == Resources
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#DES_USAGE[DES / DESede Unsafe]
diff --git a/rules/S2278/see.adoc b/rules/S2278/see.adoc
index ae4fe745a4..219fd862db 100644
--- a/rules/S2278/see.adoc
+++ b/rules/S2278/see.adoc
@@ -1,7 +1,7 @@
 == Resources
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#DES_USAGE[DES / DESede Unsafe]
diff --git a/rules/S2384/csharp/rule.adoc b/rules/S2384/csharp/rule.adoc
index 077b3c6233..067dc84794 100644
--- a/rules/S2384/csharp/rule.adoc
+++ b/rules/S2384/csharp/rule.adoc
@@ -59,8 +59,8 @@ class A
 == Resources
-* https://cwe.mitre.org/data/definitions/374[MITRE, CWE-374] - Passing Mutable Objects to an Untrusted Method
-* https://cwe.mitre.org/data/definitions/375[MITRE, CWE-375] - Returning a Mutable Object to an Untrusted Caller
+* CWE - https://cwe.mitre.org/data/definitions/374[CWE-374 - Passing Mutable Objects to an Untrusted Method]
+* CWE - https://cwe.mitre.org/data/definitions/375[CWE-375 - Returning a Mutable Object to an Untrusted Caller]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2384/java/rule.adoc b/rules/S2384/java/rule.adoc
index 20296f1669..43d8b70730 100644
--- a/rules/S2384/java/rule.adoc
+++ b/rules/S2384/java/rule.adoc
@@ -72,8 +72,8 @@ public class B {
 == Resources
-* https://cwe.mitre.org/data/definitions/374[MITRE, CWE-374] - Passing Mutable Objects to an Untrusted Method
-* https://cwe.mitre.org/data/definitions/375[MITRE, CWE-375] - Returning a Mutable Object to an Untrusted Caller
+* CWE - https://cwe.mitre.org/data/definitions/374[CWE-374 - Passing Mutable Objects to an Untrusted Method]
+* CWE - https://cwe.mitre.org/data/definitions/375[CWE-375 - Returning a Mutable Object to an Untrusted Caller]
 * https://wiki.sei.cmu.edu/confluence/x/OTdGBQ[CERT, OBJ05-J.] - Do not return references to private mutable class members
 * https://wiki.sei.cmu.edu/confluence/x/HTdGBQ[CERT, OBJ06-J.] - Defensively copy mutable inputs and mutable internal components
 * https://wiki.sei.cmu.edu/confluence/x/VzZGBQ[CERT, OBJ13-J.] - Ensure that references to mutable objects are not exposed
diff --git a/rules/S2385/rule.adoc b/rules/S2385/rule.adoc
index 373c9306b8..645fe4dfef 100644
--- a/rules/S2385/rule.adoc
+++ b/rules/S2385/rule.adoc
@@ -43,8 +43,8 @@ public class A {
 == Resources
-* https://cwe.mitre.org/data/definitions/582[MITRE, CWE-582] - Array Declared Public, Final, and Static
-* https://cwe.mitre.org/data/definitions/607[MITRE, CWE-607] - Public Static Final Field References Mutable Object
+* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]
+* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2386/csharp/rule.adoc b/rules/S2386/csharp/rule.adoc
index 8a8c06883f..d2fabcea8d 100644
--- a/rules/S2386/csharp/rule.adoc
+++ b/rules/S2386/csharp/rule.adoc
@@ -46,8 +46,8 @@ No issue is reported:
 == Resources
-* https://cwe.mitre.org/data/definitions/582[MITRE, CWE-582] - Array Declared Public, Final, and Static
-* https://cwe.mitre.org/data/definitions/607[MITRE, CWE-607] - Public Static Final Field References Mutable Object
+* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]
+* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2386/java/rule.adoc b/rules/S2386/java/rule.adoc
index a140c35f14..cfa7d73366 100644
--- a/rules/S2386/java/rule.adoc
+++ b/rules/S2386/java/rule.adoc
@@ -31,8 +31,8 @@ public class A {
 == Resources
-* https://cwe.mitre.org/data/definitions/582[MITRE, CWE-582] - Array Declared Public, Final, and Static
-* https://cwe.mitre.org/data/definitions/607[MITRE, CWE-607] - Public Static Final Field References Mutable Object
+* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]
+* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]
 * https://wiki.sei.cmu.edu/confluence/x/LjdGBQ[CERT, OBJ01-J.] - Limit accessibility of fields
 * https://wiki.sei.cmu.edu/confluence/x/VzZGBQ[CERT, OBJ13-J.] - Ensure that references to mutable objects are not exposed
diff --git a/rules/S2435/cfamily/rule.adoc b/rules/S2435/cfamily/rule.adoc
index 44d777f47a..ec3c537453 100644
--- a/rules/S2435/cfamily/rule.adoc
+++ b/rules/S2435/cfamily/rule.adoc
@@ -4,10 +4,10 @@ include::../rule-except-see.adoc[]
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
-* https://cwe.mitre.org/data/definitions/91[MITRE, CWE-91] - XML Injection (aka Blind XPath Injection)
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
+* CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2435/java/rule.adoc b/rules/S2435/java/rule.adoc
index ee07338862..a45117644e 100644
--- a/rules/S2435/java/rule.adoc
+++ b/rules/S2435/java/rule.adoc
@@ -4,10 +4,10 @@ include::../rule-except-see.adoc[]
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
-* https://cwe.mitre.org/data/definitions/91[MITRE, CWE-91] - XML Injection (aka Blind XPath Injection)
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
+* CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
 * https://wiki.sei.cmu.edu/confluence/x/7jdGBQ[CERT, IDS51-J.] - Properly encode or escape output
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2441/java/rule.adoc b/rules/S2441/java/rule.adoc
index 5c996b26fe..2559c18498 100644
--- a/rules/S2441/java/rule.adoc
+++ b/rules/S2441/java/rule.adoc
@@ -31,8 +31,8 @@ session.setAttribute("address", new Address());
 == Resources
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://cwe.mitre.org/data/definitions/579[MITRE, CWE-579] - J2EE Bad Practices: Non-serializable Object Stored in Session
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* CWE - https://cwe.mitre.org/data/definitions/579[CWE-579 - J2EE Bad Practices: Non-serializable Object Stored in Session]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2445/csharp/rule.adoc b/rules/S2445/csharp/rule.adoc
index 4a1d9ed7fa..b79663c018 100644
--- a/rules/S2445/csharp/rule.adoc
+++ b/rules/S2445/csharp/rule.adoc
@@ -92,8 +92,8 @@ private void DoSomething()
 * https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/statements/lock[Lock Statement] - lock statement - ensure exclusive access to a shared resource
 * https://learn.microsoft.com/en-us/dotnet/api/system.string.intern[String.Intern] - `String.Intern(String)` Method
-* https://cwe.mitre.org/data/definitions/412[MITRE, CWE-412] - Unrestricted Externally Accessible Lock
-* https://cwe.mitre.org/data/definitions/413[MITRE, CWE-413] - Improper Resource Locking
+* CWE - https://cwe.mitre.org/data/definitions/412[CWE-412 - Unrestricted Externally Accessible Lock]
+* CWE - https://cwe.mitre.org/data/definitions/413[CWE-413 - Improper Resource Locking]
 * https://learn.microsoft.com/en-us/dotnet/standard/threading/threads-and-threading[Threads and threading]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2445/java/rule.adoc b/rules/S2445/java/rule.adoc
index 8015b0c2c6..c67f00f382 100644
--- a/rules/S2445/java/rule.adoc
+++ b/rules/S2445/java/rule.adoc
@@ -40,8 +40,8 @@ private void doSomething(){
 == Resources
-* https://cwe.mitre.org/data/definitions/412[MITRE, CWE-412] - Unrestricted Externally Accessible Lock
-* https://cwe.mitre.org/data/definitions/413[MITRE, CWE-413] - Improper Resource Locking
+* CWE - https://cwe.mitre.org/data/definitions/412[CWE-412 - Unrestricted Externally Accessible Lock]
+* CWE - https://cwe.mitre.org/data/definitions/413[CWE-413 - Improper Resource Locking]
 * https://wiki.sei.cmu.edu/confluence/x/djdGBQ[CERT, LCK00-J.] - Use private final lock objects to synchronize classes that may interact with untrusted code
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2447/java/rule.adoc b/rules/S2447/java/rule.adoc
index f7118bf717..34d4ee0915 100644
--- a/rules/S2447/java/rule.adoc
+++ b/rules/S2447/java/rule.adoc
@@ -48,7 +48,7 @@ public void caller() {
 == Resources
-* https://cwe.mitre.org/data/definitions/476[MITRE, CWE-476] - NULL Pointer Dereference
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
 * https://wiki.sei.cmu.edu/confluence/x/aDdGBQ[CERT, EXP01-J.] - Do not use a null in a case where an object is required
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2486/see.adoc b/rules/S2486/see.adoc
index 409e9dca75..aad254e268 100644
--- a/rules/S2486/see.adoc
+++ b/rules/S2486/see.adoc
@@ -1,5 +1,5 @@
 == Resources
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[OWASP Top 10 2017 Category A10] - Insufficient Logging & Monitoring
-* https://cwe.mitre.org/data/definitions/390[MITRE, CWE-390] - Detection of Error Condition Without Action
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
+* CWE - https://cwe.mitre.org/data/definitions/390[CWE-390 - Detection of Error Condition Without Action]
\ No newline at end of file
diff --git a/rules/S2574/java/rule.adoc b/rules/S2574/java/rule.adoc
index a854f868a6..49f5dc74bd 100644
--- a/rules/S2574/java/rule.adoc
+++ b/rules/S2574/java/rule.adoc
@@ -4,7 +4,7 @@ include::../rule-except-see.adoc[]
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * https://wiki.sei.cmu.edu/confluence/x/7jdGBQ[CERT, IDS51-J.] - Properly encode or escape output
 * https://wiki.sei.cmu.edu/confluence/x/FDZGBQ[CERT, IDS52-J.] - Prevent code injection
diff --git a/rules/S2575/see.adoc b/rules/S2575/see.adoc
index b454b32abe..4281c7301b 100644
--- a/rules/S2575/see.adoc
+++ b/rules/S2575/see.adoc
@@ -1,7 +1,7 @@
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
-* https://cwe.mitre.org/data/definitions/80[MITRE, CWE-80] - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
-* https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF)
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* CWE - https://cwe.mitre.org/data/definitions/80[CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
diff --git a/rules/S2577/java/rule.adoc b/rules/S2577/java/rule.adoc
index db8b9a2cec..216602c443 100644
--- a/rules/S2577/java/rule.adoc
+++ b/rules/S2577/java/rule.adoc
@@ -41,8 +41,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) {
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * {link-with-uscores1}[OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet] - Rule #3.1
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2578/html/rule.adoc b/rules/S2578/html/rule.adoc
index 3226c3baac..5f7fb5a1ae 100644
--- a/rules/S2578/html/rule.adoc
+++ b/rules/S2578/html/rule.adoc
@@ -36,11 +36,11 @@ This rule checks that values are not written directly into ``++application/json+
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet]
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
-* https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF)
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
diff --git a/rules/S2583/cfamily/rule.adoc b/rules/S2583/cfamily/rule.adoc
index dc12e6fa31..2bf77dca7c 100644
--- a/rules/S2583/cfamily/rule.adoc
+++ b/rules/S2583/cfamily/rule.adoc
@@ -8,8 +8,8 @@ include::../noncompliant.adoc[]
 * MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted.
 * MISRA C:2012, 14.3 - Controlling expressions shall not be invariant
-* https://cwe.mitre.org/data/definitions/570[MITRE, CWE-570] - Expression is Always False
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
+* CWE - https://cwe.mitre.org/data/definitions/570[CWE-570 - Expression is Always False]
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
 * https://wiki.sei.cmu.edu/confluence/x/5dUxBQ[CERT, MSC12-C.] - Detect and remove code that has no effect or is never executed
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2583/java/rule.adoc b/rules/S2583/java/rule.adoc
index 3c021c34a8..affc10f404 100644
--- a/rules/S2583/java/rule.adoc
+++ b/rules/S2583/java/rule.adoc
@@ -30,8 +30,8 @@ In these cases it is obvious the code is as intended.
 == Resources
-* https://cwe.mitre.org/data/definitions/570[MITRE, CWE-570] - Expression is Always False
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
+* CWE - https://cwe.mitre.org/data/definitions/570[CWE-570 - Expression is Always False]
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
 * https://wiki.sei.cmu.edu/confluence/x/5dUxBQ[CERT, MSC12-C.] - Detect and remove code that has no effect or is never executed
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2583/see.adoc b/rules/S2583/see.adoc
index 715e652aed..e2be46f652 100644
--- a/rules/S2583/see.adoc
+++ b/rules/S2583/see.adoc
@@ -1,5 +1,5 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/570[MITRE, CWE-570] - Expression is Always False
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
+* CWE - https://cwe.mitre.org/data/definitions/570[CWE-570 - Expression is Always False]
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
 * Wikipedia - https://en.wikipedia.org/wiki/Unreachable_code[Unreachable code]
diff --git a/rules/S2589/cfamily/rule.adoc b/rules/S2589/cfamily/rule.adoc
index 91a5a7e138..eb822b7e40 100644
--- a/rules/S2589/cfamily/rule.adoc
+++ b/rules/S2589/cfamily/rule.adoc
@@ -42,8 +42,8 @@ if (c) {
 * MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted.
 * MISRA C:2012, 14.3 - Controlling expressions shall not be invariant
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
-* https://cwe.mitre.org/data/definitions/570[MITRE, CWE-570] - Expression is Always False
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
+* CWE - https://cwe.mitre.org/data/definitions/570[CWE-570 - Expression is Always False]
 * https://wiki.sei.cmu.edu/confluence/x/5dUxBQ[CERT, MSC12-C.] - Detect and remove code that has no effect or is never executed
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2589/csharp/rule.adoc b/rules/S2589/csharp/rule.adoc
index 81cd9081e4..ef7a1ff0dc 100644
--- a/rules/S2589/csharp/rule.adoc
+++ b/rules/S2589/csharp/rule.adoc
@@ -120,8 +120,8 @@ public void Sample(bool b, bool c, string s)
 === Documentation
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
-* https://cwe.mitre.org/data/definitions/570[MITRE, CWE-570] - Expression is Always False
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
+* CWE - https://cwe.mitre.org/data/definitions/570[CWE-570 - Expression is Always False]
 * https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/boolean-logical-operators#conditional-logical-and-operator-[Conditional logical AND operator &&]
 * https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/boolean-logical-operators#conditional-logical-or-operator-[Conditional logical OR operator ||]
 * https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/null-coalescing-operator[Null-coalescing operators ?? and ??=]
diff --git a/rules/S2589/see.adoc b/rules/S2589/see.adoc
index 70ff278ce2..f8f5fb7957 100644
--- a/rules/S2589/see.adoc
+++ b/rules/S2589/see.adoc
@@ -2,5 +2,5 @@
 === Articles & blog posts
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
-* https://cwe.mitre.org/data/definitions/570[MITRE, CWE-570] - Expression is Always False
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
+* CWE - https://cwe.mitre.org/data/definitions/570[CWE-570 - Expression is Always False]
diff --git a/rules/S2589/vbnet/rule.adoc b/rules/S2589/vbnet/rule.adoc
index 66c92be5e2..095ef663b1 100644
--- a/rules/S2589/vbnet/rule.adoc
+++ b/rules/S2589/vbnet/rule.adoc
@@ -86,8 +86,8 @@ End Sub
 === Documentation
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
-* https://cwe.mitre.org/data/definitions/570[MITRE, CWE-570] - Expression is Always False
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
+* CWE - https://cwe.mitre.org/data/definitions/570[CWE-570 - Expression is Always False]
 * Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/operators-and-expressions/logical-and-bitwise-operators[Logical and Bitwise Operators in Visual Basic]
 * Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/operators/null-conditional-operators[?. and ?() null-conditional operators (Visual Basic)]
 * Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/operators/null-conditional-operators[If operator called with two arguments]
diff --git a/rules/S2598/javascript/rule.adoc b/rules/S2598/javascript/rule.adoc
index 3c6f5ee122..cc60c5cdfb 100644
--- a/rules/S2598/javascript/rule.adoc
+++ b/rules/S2598/javascript/rule.adoc
@@ -12,9 +12,9 @@ include::how-to-fix-it/multer.adoc[]
 == Resources
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://cwe.mitre.org/data/definitions/434[MITRE, CWE-434] - Unrestricted Upload of File with Dangerous Type
-* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* CWE - https://cwe.mitre.org/data/definitions/434[CWE-434 - Unrestricted Upload of File with Dangerous Type]
+* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
 * https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload[OWASP Unrestricted File Upload] - Unrestricted File Upload
diff --git a/rules/S2608/rule.adoc b/rules/S2608/rule.adoc
index 37146a7700..10858e6e18 100644
--- a/rules/S2608/rule.adoc
+++ b/rules/S2608/rule.adoc
@@ -20,6 +20,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 == Resources
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://cwe.mitre.org/data/definitions/807[MITRE, CWE-807] - Reliance on Untrusted Inputs in a Security Decision
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision]
diff --git a/rules/S2611/javascript/rule.adoc b/rules/S2611/javascript/rule.adoc
index 6cc10ca52e..c6c47a5785 100644
--- a/rules/S2611/javascript/rule.adoc
+++ b/rules/S2611/javascript/rule.adoc
@@ -18,8 +18,8 @@ include("http://hackers.com/steal.js") // Noncompliant
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2612/cfamily/rule.adoc b/rules/S2612/cfamily/rule.adoc
index 2c90be9e88..ab62a57536 100644
--- a/rules/S2612/cfamily/rule.adoc
+++ b/rules/S2612/cfamily/rule.adoc
@@ -57,12 +57,12 @@ umask(S_IRWXO); // Compliant: further created files or directories will not have
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission[OWASP File Permission]
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
 * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2612/docker/rule.adoc b/rules/S2612/docker/rule.adoc
index 4de40abf81..094423df3c 100644
--- a/rules/S2612/docker/rule.adoc
+++ b/rules/S2612/docker/rule.adoc
@@ -40,7 +40,7 @@ RUN chmod +t resource
 == See
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * https://docs.docker.com/engine/reference/builder/#add[ADD] - Docker ADD command
 * https://docs.docker.com/engine/reference/builder/#copy[COPY] - Docker COPY command
 * https://man.archlinux.org/man/core/man-pages/chmod.1p.en[chmod reference] - `chmod` command
diff --git a/rules/S2612/java/rule.adoc b/rules/S2612/java/rule.adoc
index 25ea91b8c0..f273a72530 100644
--- a/rules/S2612/java/rule.adoc
+++ b/rules/S2612/java/rule.adoc
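Review bot: The S2612/docker CWE entry still links `https://cwe.mitre.org/data/definitions/284` while the new label reads `CWE-732 - Incorrect Permission Assignment for Critical Resource`, so the URL and the identifier disagree; the commit only reformats the line and carries the mismatch over. The other S2612 variants in this diff (cfamily, java and see.adoc) link `/definitions/732` for the same title, and CWE-284 is a different, broader weakness (Improper Access Control), so the URL is the part that looks wrong. Change the line to `* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]`. If the docker rule was intentionally mapped to CWE-284, the label should be corrected instead, but nothing in the hunk suggests that.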
@@ -64,12 +64,12 @@ On operating systems that implement POSIX standard. This will throw a ``++Unsupp
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission[OWASP File Permission]
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
 * https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions[CERT, FIO01-J.] - Create files with appropriate access permissions
 * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions
diff --git a/rules/S2612/see.adoc b/rules/S2612/see.adoc
index 3b146f1533..ac7db81e12 100644
--- a/rules/S2612/see.adoc
+++ b/rules/S2612/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission[OWASP File Permission]
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
diff --git a/rules/S2613/cfamily/rule.adoc b/rules/S2613/cfamily/rule.adoc
index 79f94383e9..913cf79f94 100644
--- a/rules/S2613/cfamily/rule.adoc
+++ b/rules/S2613/cfamily/rule.adoc
@@ -22,7 +22,7 @@ char** addOne(char ** cpp, int len) {
 == Resources
-* https://cwe.mitre.org/data/definitions/131[MITRE, CWE-131] - Incorrect Calculation of Buffer Size
+* CWE - https://cwe.mitre.org/data/definitions/131[CWE-131 - Incorrect Calculation of Buffer Size]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2615/cfamily/rule.adoc b/rules/S2615/cfamily/rule.adoc
index 69d8f292f1..0ad7cc79db 100644
--- a/rules/S2615/cfamily/rule.adoc
+++ b/rules/S2615/cfamily/rule.adoc
@@ -2,8 +2,8 @@ include::../rule.adoc[]
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/134[MITRE, CWE-134] - Use of Externally-Controlled Format String
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/134[CWE-134 - Use of Externally-Controlled Format String]
 * https://wiki.sei.cmu.edu/confluence/x/RdYxBQ[CERT, FIO30-C.] - Exclude user input from format strings
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2615/java/rule.adoc b/rules/S2615/java/rule.adoc
index 69d8f292f1..0ad7cc79db 100644
--- a/rules/S2615/java/rule.adoc
+++ b/rules/S2615/java/rule.adoc
@@ -2,8 +2,8 @@ include::../rule.adoc[]
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/134[MITRE, CWE-134] - Use of Externally-Controlled Format String
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/134[CWE-134 - Use of Externally-Controlled Format String]
 * https://wiki.sei.cmu.edu/confluence/x/RdYxBQ[CERT, FIO30-C.] - Exclude user input from format strings
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2615/swift/rule.adoc b/rules/S2615/swift/rule.adoc
index 7997b15337..6d009007df 100644
--- a/rules/S2615/swift/rule.adoc
+++ b/rules/S2615/swift/rule.adoc
@@ -2,8 +2,8 @@ include::../rule.adoc[]
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/134[MITRE, CWE-134] - Use of Externally-Controlled Format String
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/134[CWE-134 - Use of Externally-Controlled Format String]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2631/common/resources/standards.adoc b/rules/S2631/common/resources/standards.adoc
index 79d50edcc5..7322316fac 100644
--- a/rules/S2631/common/resources/standards.adoc
+++ b/rules/S2631/common/resources/standards.adoc
@@ -1,7 +1,7 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption
-* https://cwe.mitre.org/data/definitions/1333[MITRE, CWE-1333] - Inefficient Regular Expression Complexity
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
+* CWE - https://cwe.mitre.org/data/definitions/1333[CWE-1333 - Inefficient Regular Expression Complexity]
diff --git a/rules/S2637/standards.adoc b/rules/S2637/standards.adoc
index 85f139a036..d4803e2052 100644
--- a/rules/S2637/standards.adoc
+++ b/rules/S2637/standards.adoc
@@ -2,4 +2,4 @@
 * CERT - https://wiki.sei.cmu.edu/confluence/x/QdcxBQ[EXP34-C. Do not dereference null pointers]
 * CERT - https://wiki.sei.cmu.edu/confluence/display/java/EXP01-J.+Do+not+use+a+null+in+a+case+where+an+object+is+required[EXP01-J. Do not use a null in a case where an object is required]
-* CWE - https://cwe.mitre.org/data/definitions/476[476 NULL Pointer Dereference]
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 NULL Pointer Dereference]
diff --git a/rules/S2647/common/resources/standards.adoc b/rules/S2647/common/resources/standards.adoc
index 542b64d8f2..5dfe721aea 100644
--- a/rules/S2647/common/resources/standards.adoc
+++ b/rules/S2647/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html#user-authentication[OWASP Web Service Security Cheat Sheet]
-* https://cwe.mitre.org/data/definitions/522[MITRE, CWE-522] - Insufficiently Protected Credentials
+* CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials]
diff --git a/rules/S2652/java/rule.adoc b/rules/S2652/java/rule.adoc
index 4146baabb3..1dc610383a 100644
--- a/rules/S2652/java/rule.adoc
+++ b/rules/S2652/java/rule.adoc
@@ -42,7 +42,7 @@ public class MyBean implements BeanInterface {
 == Resources
-* https://cwe.mitre.org/data/definitions/576[MITRE, CWE-576] - EJB Bad Practices: Use of Java I/O
+* CWE - https://cwe.mitre.org/data/definitions/576[CWE-576 - EJB Bad Practices: Use of Java I/O]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2653/java/rule.adoc b/rules/S2653/java/rule.adoc
index fefab8cd88..1fd34837d2 100644
--- a/rules/S2653/java/rule.adoc
+++ b/rules/S2653/java/rule.adoc
@@ -26,8 +26,8 @@ public class MyServlet extends HttpServlet {
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
 * https://wiki.sei.cmu.edu/confluence/x/qzVGBQ[CERT, ENV06-J.] - Production code must not contain debugging entry points
diff --git a/rules/S2654/java/rule.adoc b/rules/S2654/java/rule.adoc
index aa165d1991..1768fcb6ec 100644
--- a/rules/S2654/java/rule.adoc
+++ b/rules/S2654/java/rule.adoc
@@ -24,8 +24,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
 == Resources
-* https://cwe.mitre.org/data/definitions/383[MITRE, CWE-383] - J2EE Bad Practices: Direct Use of Threads
-* https://cwe.mitre.org/data/definitions/574[MITRE, CWE-574] - EJB Bad Practices: Use of Synchronization Primitives
+* CWE - https://cwe.mitre.org/data/definitions/383[CWE-383 - J2EE Bad Practices: Direct Use of Threads]
+* CWE - https://cwe.mitre.org/data/definitions/574[CWE-574 - EJB Bad Practices: Use of Synchronization Primitives]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2655/java/rule.adoc b/rules/S2655/java/rule.adoc
index 91eaf42319..32fd54ba97 100644
--- a/rules/S2655/java/rule.adoc
+++ b/rules/S2655/java/rule.adoc
@@ -67,7 +67,7 @@ throws ServletException, IOException {
 == Resources
 === Documentation
-* https://cwe.mitre.org/data/definitions/245[MITRE, CWE-245] - J2EE Bad Practices: Direct Management of Connections
+* CWE - https://cwe.mitre.org/data/definitions/245[CWE-245 - J2EE Bad Practices: Direct Management of Connections]
 * https://docs.oracle.com/en/java/javase/20/docs/api/java.sql/javax/sql/DataSource.html[Oracle SDK 20 - javax.sql.DataSource]
diff --git a/rules/S2656/java/rule.adoc b/rules/S2656/java/rule.adoc
index 5406a32109..d618a2f2a3 100644
--- a/rules/S2656/java/rule.adoc
+++ b/rules/S2656/java/rule.adoc
@@ -41,8 +41,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
 == Resources
-* https://cwe.mitre.org/data/definitions/246[MITRE, CWE-246] - J2EE Bad Practices: Direct Use of Sockets
-* https://cwe.mitre.org/data/definitions/577[MITRE, CWE-577] - EJB Bad Practices: Use of Sockets
+* CWE - https://cwe.mitre.org/data/definitions/246[CWE-246 - J2EE Bad Practices: Direct Use of Sockets]
+* CWE - https://cwe.mitre.org/data/definitions/577[CWE-577 - EJB Bad Practices: Use of Sockets]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2657/java/rule.adoc b/rules/S2657/java/rule.adoc
index 1a3b12fa4e..a6fba47d26 100644
--- a/rules/S2657/java/rule.adoc
+++ b/rules/S2657/java/rule.adoc
@@ -21,7 +21,7 @@ ClassLoader loader = new MyClassLoader(); // Noncompliant
 == Resources
-* https://cwe.mitre.org/data/definitions/578[MITRE, CWE-578] - EJB Bad Practices: Use of Class Loader
+* CWE - https://cwe.mitre.org/data/definitions/578[CWE-578 - EJB Bad Practices: Use of Class Loader]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2658/see.adoc b/rules/S2658/see.adoc
index b6d58a2173..bbdc4cd205 100644
--- a/rules/S2658/see.adoc
+++ b/rules/S2658/see.adoc
@@ -1,4 +1,4 @@
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/470[MITRE, CWE-470] - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/470[CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')]
diff --git a/rules/S2669/cfamily/rule.adoc b/rules/S2669/cfamily/rule.adoc
index 5140eb5b59..f5124520d7 100644
--- a/rules/S2669/cfamily/rule.adoc
+++ b/rules/S2669/cfamily/rule.adoc
@@ -20,7 +20,7 @@ int b = a +1; //What's the value of 'a' and so what's the value of 'b' ?
 == Resources
-* https://cwe.mitre.org/data/definitions/457[MITRE, CWE-457] - Use of Uninitialized Variable
+* CWE - https://cwe.mitre.org/data/definitions/457[CWE-457 - Use of Uninitialized Variable]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2681/cfamily/rule.adoc b/rules/S2681/cfamily/rule.adoc
index 7962938db5..e7bcd671f4 100644
--- a/rules/S2681/cfamily/rule.adoc
+++ b/rules/S2681/cfamily/rule.adoc
@@ -6,7 +6,7 @@ include::../description.adoc[]
 == Resources
-* https://cwe.mitre.org/data/definitions/483[MITRE, CWE-483] - Incorrect Block Delimitation
+* CWE - https://cwe.mitre.org/data/definitions/483[CWE-483 - Incorrect Block Delimitation]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2681/java/rule.adoc b/rules/S2681/java/rule.adoc
index 78572fec01..fc88000834 100644
--- a/rules/S2681/java/rule.adoc
+++ b/rules/S2681/java/rule.adoc
@@ -6,7 +6,7 @@ include::../description.adoc[]
 == Resources
-* https://cwe.mitre.org/data/definitions/483[MITRE, CWE-483] - Incorrect Block Delimitation
+* CWE - https://cwe.mitre.org/data/definitions/483[CWE-483 - Incorrect Block Delimitation]
 * https://wiki.sei.cmu.edu/confluence/x/MzZGBQ[CERT, EXP52-J.] - Use braces for the body of an if, for, or while statement
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2681/javascript/rule.adoc b/rules/S2681/javascript/rule.adoc
index 50841d3249..5c3281bebc 100644
--- a/rules/S2681/javascript/rule.adoc
+++ b/rules/S2681/javascript/rule.adoc
@@ -6,7 +6,7 @@ include::../description.adoc[]
 == Resources
-* https://cwe.mitre.org/data/definitions/483[MITRE, CWE-483] - Incorrect Block Delimitation
+* CWE - https://cwe.mitre.org/data/definitions/483[CWE-483 - Incorrect Block Delimitation]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2681/see.adoc b/rules/S2681/see.adoc
index a2aaf8513b..c2f47bd09e 100644
--- a/rules/S2681/see.adoc
+++ b/rules/S2681/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/483[MITRE, CWE-483] - Incorrect Block Delimitation
+* CWE - https://cwe.mitre.org/data/definitions/483[CWE-483 - Incorrect Block Delimitation]
diff --git a/rules/S2755/common/resources/standards.adoc b/rules/S2755/common/resources/standards.adoc
index 9b1151352a..fb7139b7a6 100644
--- a/rules/S2755/common/resources/standards.adoc
+++ b/rules/S2755/common/resources/standards.adoc
@@ -1,7 +1,7 @@
 === Standards
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
-* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
-* https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
+* CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Information Exposure Through XML External Entity Reference]
+* CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
diff --git a/rules/S2774/see.adoc b/rules/S2774/see.adoc
index 6e19a66635..9e67a7c0f7 100644
--- a/rules/S2774/see.adoc
+++ b/rules/S2774/see.adoc
@@ -1,4 +1,4 @@
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/615[MITRE, CWE-615] - Information Exposure Through Comments
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/615[CWE-615 - Information Exposure Through Comments]
\ No newline at end of file
diff --git a/rules/S2778/cobol/rule.adoc b/rules/S2778/cobol/rule.adoc
index e1a1b87a83..e1fffb6882 100644
--- a/rules/S2778/cobol/rule.adoc
+++ b/rules/S2778/cobol/rule.adoc
@@ -17,8 +17,8 @@ END-EXEC.
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/497[MITRE, CWE-497] - Exposure of System Data to an Unauthorized Control Sphere
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/497[CWE-497 - Exposure of System Data to an Unauthorized Control Sphere]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2809/abap/rule.adoc b/rules/S2809/abap/rule.adoc
index 058609df40..1c06809828 100644
--- a/rules/S2809/abap/rule.adoc
+++ b/rules/S2809/abap/rule.adoc
@@ -73,10 +73,10 @@ No issue will be raised when ``++CALL TRANSACTION++`` is followed by ``++WITHOUT
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://cwe.mitre.org/data/definitions/285[MITRE, CWE-285] - Improper Authorization
-* https://cwe.mitre.org/data/definitions/862[MITRE, CWE-862] - Missing Authorization
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/285[CWE-285 - Improper Authorization]
+* CWE - https://cwe.mitre.org/data/definitions/862[CWE-862 - Missing Authorization]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2817/javascript/rule.adoc b/rules/S2817/javascript/rule.adoc
index ea0a959341..bbb19932b1 100644
--- a/rules/S2817/javascript/rule.adoc
+++ b/rules/S2817/javascript/rule.adoc
@@ -16,8 +16,8 @@ var db = window.openDatabase("myDb", "1.0", "Personal secrets stored here", 2*10
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2819/common/resources/standards.adoc b/rules/S2819/common/resources/standards.adoc
index 6ef6330041..69589dabfa 100644
--- a/rules/S2819/common/resources/standards.adoc
+++ b/rules/S2819/common/resources/standards.adoc
@@ -3,4 +3,4 @@
 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
-* CWE - https://cwe.mitre.org/data/definitions/345.html[CWE-345 - Insufficient Verification of Data Authenticity]
+* CWE - https://cwe.mitre.org/data/definitions/345[CWE-345 - Insufficient Verification of Data Authenticity]
diff --git a/rules/S2930/csharp/rule.adoc b/rules/S2930/csharp/rule.adoc
index 0ca5f71236..211e22ba7c 100644
--- a/rules/S2930/csharp/rule.adoc
+++ b/rules/S2930/csharp/rule.adoc
@@ -114,7 +114,7 @@ public class ResourceHolder : IDisposable, IAsyncDisposable
 ** https://learn.microsoft.com/en-us/dotnet/standard/garbage-collection/implementing-dispose[Implement a Dispose method]
 ** https://learn.microsoft.com/en-us/dotnet/standard/garbage-collection/implementing-disposeasync[Implement a DisposeAsync method]
 * https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/statements/using[using statement and using declaration]
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459 - Incomplete Cleanup]
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2931/rule.adoc b/rules/S2931/rule.adoc
index 957083e789..37f9b906be 100644
--- a/rules/S2931/rule.adoc
+++ b/rules/S2931/rule.adoc
@@ -49,4 +49,4 @@ public class ResourceHolder : IDisposable
 == Resources
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459] - Incomplete Cleanup
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
\ No newline at end of file
diff --git a/rules/S2952/csharp/rule.adoc b/rules/S2952/csharp/rule.adoc
index f44af48c05..05b79a4b6a 100644
--- a/rules/S2952/csharp/rule.adoc
+++ b/rules/S2952/csharp/rule.adoc
@@ -61,7 +61,7 @@ public class ResourceHolder : IDisposable
 == Resources
-* https://cwe.mitre.org/data/definitions/459[MITRE, CWE-459] - Incomplete Cleanup
+* CWE - https://cwe.mitre.org/data/definitions/459[CWE-459 - Incomplete Cleanup]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2964/php/rule.adoc b/rules/S2964/php/rule.adoc
index b1f9f1895e..e5a03c996c 100644
--- a/rules/S2964/php/rule.adoc
+++ b/rules/S2964/php/rule.adoc
@@ -15,7 +15,7 @@ if (is_bad_ip($requester)) {
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2976/java/rule.adoc b/rules/S2976/java/rule.adoc
index 37182dc179..451b1c284f 100644
--- a/rules/S2976/java/rule.adoc
+++ b/rules/S2976/java/rule.adoc
@@ -34,7 +34,7 @@ File tempDir = tempPath.toFile();
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
diff --git a/rules/S2998/rule.adoc b/rules/S2998/rule.adoc
index 173e610431..e03d6e20f5 100644
--- a/rules/S2998/rule.adoc
+++ b/rules/S2998/rule.adoc
@@ -5,7 +5,7 @@ A statement without side effects, such as creating an object without assigning i
 == Resources
-* https://cwe.mitre.org/data/definitions/482[MITRE, CWE-482] - Comparing instead of Assigning
+* CWE - https://cwe.mitre.org/data/definitions/482[CWE-482 - Comparing instead of Assigning]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3135/cfamily/rule.adoc b/rules/S3135/cfamily/rule.adoc
index af2d5ba2b7..f9fe2fe4a8 100644
--- a/rules/S3135/cfamily/rule.adoc
+++ b/rules/S3135/cfamily/rule.adoc
@@ -39,7 +39,7 @@ void fun(int *data, int dataSize, int (&array)[10]) {
 == Resources
 * https://wiki.sei.cmu.edu/confluence/x/CdYxBQ[CERT, ARR01-C.] - Do not apply the `sizeof` operator to a pointer when taking the size of an array
-* https://cwe.mitre.org/data/definitions/467[MITRE, CWE-467] - Use of sizeof() on a Pointer Type
+* CWE - https://cwe.mitre.org/data/definitions/467[CWE-467 - Use of sizeof() on a Pointer Type]
diff --git a/rules/S3223/rule.adoc b/rules/S3223/rule.adoc
index ecd6ae73ff..1abac9a2d6 100644
--- a/rules/S3223/rule.adoc
+++ b/rules/S3223/rule.adoc
@@ -17,7 +17,7 @@ if ("foo") { // Noncompliant - always evaluates to true
 == Resources
-* https://cwe.mitre.org/data/definitions/571[MITRE, CWE-571] - Expression is Always True
+* CWE - https://cwe.mitre.org/data/definitions/571[CWE-571 - Expression is Always True]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3271/javascript/rule.adoc b/rules/S3271/javascript/rule.adoc
index 0ca03a0298..0d6f19383a 100644
--- a/rules/S3271/javascript/rule.adoc
+++ b/rules/S3271/javascript/rule.adoc
@@ -17,7 +17,7 @@ sessionStorage.setItem("sessionId", sessionId); // Noncompliant
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
diff --git a/rules/S3273/javascript/rule.adoc b/rules/S3273/javascript/rule.adoc
index de07382422..d30b51803f 100644
--- a/rules/S3273/javascript/rule.adoc
+++ b/rules/S3273/javascript/rule.adoc
@@ -18,7 +18,7 @@ window.addEventListener("message", function (event){ // Noncompliant
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
diff --git a/rules/S3274/html/rule.adoc b/rules/S3274/html/rule.adoc
index e9fbeddea4..b3f660b6d4 100644
--- a/rules/S3274/html/rule.adoc
+++ b/rules/S3274/html/rule.adoc
@@ -34,10 +34,10 @@ Following the principle of minimum privileges, this rule raises an issue for eac
 == Resources
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3275/rule.adoc b/rules/S3275/rule.adoc
index 5b68f87774..4c86574e5c 100644
--- a/rules/S3275/rule.adoc
+++ b/rules/S3275/rule.adoc
@@ -49,7 +49,7 @@ public void cbcEncrypt(String strKey, String plainText) {
 == Resources
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://cwe.mitre.org/data/definitions/329[MITRE, CWE-329] - Not Using a Random IV with CBC Mode
-* OWASP Top 10 2017 Category A6 - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* CWE - https://cwe.mitre.org/data/definitions/329[CWE-329 - Not Using a Random IV with CBC Mode]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
diff --git a/rules/S3291/php/rule.adoc b/rules/S3291/php/rule.adoc
index 08017963b4..7347e5bd61 100644
--- a/rules/S3291/php/rule.adoc
+++ b/rules/S3291/php/rule.adoc
@@ -49,8 +49,8 @@ try {
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S3318/rule.adoc b/rules/S3318/rule.adoc
index 2bce574135..a89a34785e 100644
--- a/rules/S3318/rule.adoc
+++ b/rules/S3318/rule.adoc
@@ -17,7 +17,7 @@ session.setAttribute("login", login); // Noncompliant
 == Resources
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/501[MITRE, CWE-501] - Trust Boundary Violation
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/501[CWE-501 - Trust Boundary Violation]
diff --git a/rules/S3329/common/resources/standards.adoc b/rules/S3329/common/resources/standards.adoc
index 0fdb9d4b72..bcf686a170 100644
--- a/rules/S3329/common/resources/standards.adoc
+++ b/rules/S3329/common/resources/standards.adoc
@@ -1,8 +1,8 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/329[MITRE, CWE-329] - Not Using an Unpredictable IV with CBC Mode
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/329[CWE-329 - Not Using an Unpredictable IV with CBC Mode]
 * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation
diff --git a/rules/S3330/see.adoc b/rules/S3330/see.adoc
index 1a3a84867d..53adae0386 100644
--- a/rules/S3330/see.adoc
+++ b/rules/S3330/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://owasp.org/www-community/HttpOnly[OWASP HttpOnly]
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/1004[MITRE, CWE-1004] - Sensitive Cookie Without 'HttpOnly' Flag
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/1004[CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE[HTTPONLY_COOKIE]
\ No newline at end of file
diff --git a/rules/S3331/see.adoc b/rules/S3331/see.adoc
index e1242f989f..3cb626efea 100644
--- a/rules/S3331/see.adoc
+++ b/rules/S3331/see.adoc
@@ -1,3 +1,3 @@
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
diff --git a/rules/S3332/php/rule.adoc b/rules/S3332/php/rule.adoc
index 694ef7f3f9..7544fbad80 100644
--- a/rules/S3332/php/rule.adoc
+++ b/rules/S3332/php/rule.adoc
@@ -10,7 +10,7 @@ This rule raises an issue when ``++expires++`` is set for a session cookie, eith
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes[OWASP, Session Management Cheat Sheet] - Expire and Max-Age Attributes
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_PERSISTENT[COOKIE_PERSISTENT]
diff --git a/rules/S3338/php/rule.adoc b/rules/S3338/php/rule.adoc
index b31f27db77..16dced0ea2 100644
--- a/rules/S3338/php/rule.adoc
+++ b/rules/S3338/php/rule.adoc
@@ -26,8 +26,8 @@ file_uploads=0
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/434[MITRE, CWE-434] - Unrestricted Upload of File with Dangerous Type
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/434[CWE-434 - Unrestricted Upload of File with Dangerous Type]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3367/java/rule.adoc b/rules/S3367/java/rule.adoc
index a85e3593f9..40d33f5840 100644
--- a/rules/S3367/java/rule.adoc
+++ b/rules/S3367/java/rule.adoc
@@ -26,10 +26,10 @@ public class MyForm extends org.apache.struts.validator.ValidatorForm {
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/104[MITRE, CWE-104] - Struts: Form Bean Does Not Extend Validation Class
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/104[CWE-104 - Struts: Form Bean Does Not Extend Validation Class]
diff --git a/rules/S3369/java/rule.adoc b/rules/S3369/java/rule.adoc
index a025ea9ec6..843e3f78dd 100644
--- a/rules/S3369/java/rule.adoc
+++ b/rules/S3369/java/rule.adoc
@@ -8,8 +8,8 @@ This rule raises an issue when a _web.xml_ file has no ``++
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3371/java/rule.adoc b/rules/S3371/java/rule.adoc
index 12343bb165..51c5247a42 100644
--- a/rules/S3371/java/rule.adoc
+++ b/rules/S3371/java/rule.adoc
@@ -26,10 +26,10 @@ PreparedStatement stmt = null;
 == Resources
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command
-* https://www.owasp.org/index.php/Top_10_2013-A1-Injection[OWASP Top Ten 2013 Category A1] - Injection
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
+* OWASP - https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf[Top 10 2013 Category A1 - Injection]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3510/java/rule.adoc b/rules/S3510/java/rule.adoc
index b087e3e422..07d6852348 100644
--- a/rules/S3510/java/rule.adoc
+++ b/rules/S3510/java/rule.adoc
@@ -50,8 +50,8 @@ Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifi
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER[WEAK_HOSTNAME_VERIFIER]
diff --git a/rules/S3518/cfamily/rule.adoc b/rules/S3518/cfamily/rule.adoc
index ca174f4bdd..6e076e5d42 100644
--- a/rules/S3518/cfamily/rule.adoc
+++ b/rules/S3518/cfamily/rule.adoc
@@ -137,7 +137,7 @@ std::optional safe_division(int a, int b) {
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow[INT32-C. Ensure that operations on signed integers do not result in overflow]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/ftYxBQ[INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors]
-* CWE - https://cwe.mitre.org/data/definitions/369[369 - Divide by zero]
+* CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
 === External coding guidelines
diff --git a/rules/S3518/java/rule.adoc b/rules/S3518/java/rule.adoc
index fc1cb2a7be..ef36009df9 100644
--- a/rules/S3518/java/rule.adoc
+++ b/rules/S3518/java/rule.adoc
@@ -62,7 +62,7 @@ void test_divide() {
 === Articles & blog posts
-* https://cwe.mitre.org/data/definitions/369[MITRE, CWE-369] - Divide by zero
+* CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
 * https://wiki.sei.cmu.edu/confluence/x/CTZGBQ[CERT, NUM02-J.] - Ensure that division and remainder operations do not result in divide-by-zero errors
 === Standards
diff --git a/rules/S3518/python/rule.adoc b/rules/S3518/python/rule.adoc
index 14fb1ace15..441c4e2327 100644
--- a/rules/S3518/python/rule.adoc
+++ b/rules/S3518/python/rule.adoc
@@ -106,7 +106,7 @@ if the denominator is zero.
 === Articles & blog posts
-* https://cwe.mitre.org/data/definitions/369[MITRE, CWE-369] - Divide by zero
+* CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
 //=== Articles & blog posts
 //=== Conference presentations
diff --git a/rules/S3519/cfamily/rule.adoc b/rules/S3519/cfamily/rule.adoc
index 47f6927b39..7ff911a1a3 100644
--- a/rules/S3519/cfamily/rule.adoc
+++ b/rules/S3519/cfamily/rule.adoc
@@ -383,12 +383,12 @@ void tar(std::string const &s) {
 * CERT - https://wiki.sei.cmu.edu/confluence/x/wtYxBQ[ARR30-C. Do not form or use out-of-bounds pointers or array subscripts]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/i3w-BQ[STR50-CPP. Guarantee that storage for strings has sufficient space for character data and the null terminator]
-* CWE - https://cwe.mitre.org/data/definitions/119[119 Improper Restriction of Operations within the Bounds of a Memory Buffer]
-* CWE - https://cwe.mitre.org/data/definitions/121[121 Stack-based Buffer Overflow]
-* CWE - https://cwe.mitre.org/data/definitions/122[122 Heap-based Buffer Overflow]
-* CWE - https://cwe.mitre.org/data/definitions/131[131 Incorrect Calculation of Buffer Size]
-* CWE - https://cwe.mitre.org/data/definitions/193[193 Off-by-one Error]
-* CWE - https://cwe.mitre.org/data/definitions/788[788 Access of Memory Location After End of Buffer]
+* CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer]
+* CWE - https://cwe.mitre.org/data/definitions/121[CWE-121 Stack-based Buffer Overflow]
+* CWE - https://cwe.mitre.org/data/definitions/122[CWE-122 Heap-based Buffer Overflow]
+* CWE - https://cwe.mitre.org/data/definitions/131[CWE-131 Incorrect Calculation of Buffer Size]
+* CWE - https://cwe.mitre.org/data/definitions/193[CWE-193 Off-by-one Error]
+* CWE - https://cwe.mitre.org/data/definitions/788[CWE-788 Access of Memory Location After End of Buffer]
 === Related rules
diff --git a/rules/S3520/cfamily/rule.adoc b/rules/S3520/cfamily/rule.adoc
index 60b6ae6df8..038ef649e9 100644
--- a/rules/S3520/cfamily/rule.adoc
+++ b/rules/S3520/cfamily/rule.adoc
@@ -254,7 +254,7 @@ Passing this pointer to a function that might release it can lead to a "double-f
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/415[415 Double Free]
+* CWE - https://cwe.mitre.org/data/definitions/415[CWE-415 Double Free]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/GdYxBQ[MEM30-C - Do not access freed memory]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/Gns-BQ[MEM51-CPP - Properly deallocate dynamically allocated resources]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/Zns-BQ[MEM56-CPP - Do not store an already-owned pointer value in an unrelated smart pointer]
diff --git a/rules/S3523/javascript/rule.adoc b/rules/S3523/javascript/rule.adoc
index 8a8c237ee3..c7a905b123 100644
--- a/rules/S3523/javascript/rule.adoc
+++ b/rules/S3523/javascript/rule.adoc
@@ -29,7 +29,7 @@ Function calls where the argument is a string literal (e.g. ``++(Function('retur
 == Resources
-* OWASP Top 10 2017 Category A1 - Injection
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3529/cfamily/rule.adoc b/rules/S3529/cfamily/rule.adoc
index 3860bfb3f2..81f8d84e4e 100644
--- a/rules/S3529/cfamily/rule.adoc
+++ b/rules/S3529/cfamily/rule.adoc
@@ -138,7 +138,7 @@ Class* p3 = objPtr.get(); // becomes dangling, when objPtr releases the pointer
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/416[416 - Use After Free]
+* CWE - https://cwe.mitre.org/data/definitions/416[CWE-416 - Use After Free]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/GdYxBQ[MEM30-C - Do not access freed memory]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/onw-BQ[MEM50-CPP - Do not access freed memory]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/OXw-BQ[EXP54-CPP - Do not access an object outside of its lifetime]
diff --git a/rules/S3584/cfamily/rule.adoc b/rules/S3584/cfamily/rule.adoc
index 8eadf8b8a6..ae423a09bf 100644
--- a/rules/S3584/cfamily/rule.adoc
+++ b/rules/S3584/cfamily/rule.adoc
@@ -225,7 +225,7 @@ bool fire(Point pos, Direction dir, State const& s) {
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/401[401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')]
+* CWE - https://cwe.mitre.org/data/definitions/401[CWE-401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/FtYxBQ[MEM00-C. Allocate and free memory in the same module, at the same level of abstraction]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/GNYxBQ[MEM31-C. Free dynamically allocated memory when no longer needed]
diff --git a/rules/S3649/common/resources/standards.adoc b/rules/S3649/common/resources/standards.adoc
index 77b448af5f..024b19cc62 100644
--- a/rules/S3649/common/resources/standards.adoc
+++ b/rules/S3649/common/resources/standards.adoc
@@ -1,7 +1,7 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
 * https://wiki.sei.cmu.edu/confluence/x/ITdGBQ[CERT, IDS00-J.] - Prevent SQL injection
diff --git a/rules/S3655/csharp/rule.adoc b/rules/S3655/csharp/rule.adoc
index 82207f1485..8659cf9a56 100644
--- a/rules/S3655/csharp/rule.adoc
+++ b/rules/S3655/csharp/rule.adoc
@@ -47,6 +47,6 @@ void Sample(bool condition)
 === Documentation
 * https://learn.microsoft.com/en-us/dotnet/api/system.nullable-1[Nullable]
-* https://cwe.mitre.org/data/definitions/476[MITRE, CWE-476] - NULL Pointer Dereference
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
 include::../rspecator-dotnet.adoc[]
diff --git a/rules/S3655/see.adoc b/rules/S3655/see.adoc
index 7f70ae9c0b..dad40290b1 100644
--- a/rules/S3655/see.adoc
+++ b/rules/S3655/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/476[MITRE, CWE-476] - NULL Pointer Dereference
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
\ No newline at end of file
diff --git a/rules/S3655/vbnet/rule.adoc b/rules/S3655/vbnet/rule.adoc
index 04102051bd..fe56c955cf 100644
--- a/rules/S3655/vbnet/rule.adoc
+++ b/rules/S3655/vbnet/rule.adoc
@@ -43,6 +43,6 @@ End Sub
 === Documentation
 * https://learn.microsoft.com/en-us/dotnet/api/system.nullable-1[Nullable]
-* https://cwe.mitre.org/data/definitions/476[MITRE, CWE-476] - NULL Pointer Dereference
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 - NULL Pointer Dereference]
 include::../rspecator-dotnet.adoc[]
diff --git a/rules/S3749/java/rule.adoc b/rules/S3749/java/rule.adoc
index 134c255406..e6f52b0ae5 100644
--- a/rules/S3749/java/rule.adoc
+++ b/rules/S3749/java/rule.adoc
@@ -39,7 +39,7 @@ public class HelloWorld {
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3751/java/rule.adoc b/rules/S3751/java/rule.adoc
index 8c3da2bb28..d2578049d6 100644
--- a/rules/S3751/java/rule.adoc
+++ b/rules/S3751/java/rule.adoc
@@ -29,7 +29,7 @@ public String greet(String greetee) {
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
diff --git a/rules/S3752/java/rule.adoc b/rules/S3752/java/rule.adoc
index 6c4c4639e6..e82d7bfea7 100644
--- a/rules/S3752/java/rule.adoc
+++ b/rules/S3752/java/rule.adoc
@@ -35,10 +35,10 @@ String delete2(@RequestParam("id") String id) {
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF)
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
 * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery]
 * https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html#csrf-use-proper-verbs[Spring Security Official Documentation: Use proper HTTP verbs (CSRF protection)]
diff --git a/rules/S3752/python/rule.adoc b/rules/S3752/python/rule.adoc
index 791f2d3fa2..da19dce9e1 100644
--- a/rules/S3752/python/rule.adoc
+++ b/rules/S3752/python/rule.adoc
@@ -78,10 +78,10 @@ def view():
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF)
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
 * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery]
 * https://docs.djangoproject.com/en/3.1/topics/http/decorators/#allowed-http-methods[Django] - Allowed HTTP Methods
 * https://flask.palletsprojects.com/en/1.1.x/quickstart/#http-methods[Flask] - HTTP Methods
diff --git a/rules/S3807/cfamily/rule.adoc b/rules/S3807/cfamily/rule.adoc
index e5084db453..7422625c3b 100644
--- a/rules/S3807/cfamily/rule.adoc
+++ b/rules/S3807/cfamily/rule.adoc
@@ -146,7 +146,7 @@ wmemchr, wmemcmp, wmemcpy, wmemmove, wmemcpy, wmemset, write, writev
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/476[476 NULL Pointer Dereference]
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 NULL Pointer Dereference]
 CERT - https://wiki.sei.cmu.edu/confluence/x/QdcxBQ[EXP34-C.Do not dereference null pointers]
 === Related rules
diff --git a/rules/S3871/resources-dotnet.adoc b/rules/S3871/resources-dotnet.adoc
index 22170d8f1b..dcce128323 100644
--- a/rules/S3871/resources-dotnet.adoc
+++ b/rules/S3871/resources-dotnet.adoc
@@ -3,7 +3,7 @@
 === Documentation
-* https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[OWASP Top 10 2017 Category A10] - Insufficient Logging & Monitoring
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
 * https://learn.microsoft.com/en-us/dotnet/api/system.exception[Exception]
 * https://learn.microsoft.com/en-us/dotnet/api/system.systemexception[SystemException]
 * https://learn.microsoft.com/en-us/dotnet/api/system.applicationexception[ApplicationException]
diff --git a/rules/S3884/see.adoc b/rules/S3884/see.adoc
index 976752dcc3..783383cad5 100644
--- a/rules/S3884/see.adoc
+++ b/rules/S3884/see.adoc
@@ -1,5 +1,5 @@
 == Resources
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/648[MITRE, CWE-648] - Incorrect Use of Privileged APIs
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/648[CWE-648 - Incorrect Use of Privileged APIs]
diff --git a/rules/S3921/cobol/rule.adoc b/rules/S3921/cobol/rule.adoc
index ad5d31fd21..db424e954b 100644
--- a/rules/S3921/cobol/rule.adoc
+++ b/rules/S3921/cobol/rule.adoc
@@ -27,7 +27,7 @@ Moving a large string into a small field will result in data truncation with dat
 == Resources
-* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704] - Incorrect Type Conversion or Cast
+* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
 === Related rules
diff --git a/rules/S3921/plsql/rule.adoc b/rules/S3921/plsql/rule.adoc
index 7c248b305b..c9f93abadf 100644
--- a/rules/S3921/plsql/rule.adoc
+++ b/rules/S3921/plsql/rule.adoc
@@ -36,7 +36,7 @@ end;
 == Resources
-* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704] - Incorrect Type Conversion or Cast
+* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4036/see.adoc b/rules/S4036/see.adoc
index 3f7fd3afc1..97554cb596 100644
--- a/rules/S4036/see.adoc
+++ b/rules/S4036/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/426[MITRE, CWE-426] - Untrusted Search Path
-* https://cwe.mitre.org/data/definitions/427[MITRE, CWE-427] - Uncontrolled Search Path Element
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/426[CWE-426 - Untrusted Search Path]
+* CWE - https://cwe.mitre.org/data/definitions/427[CWE-427 - Uncontrolled Search Path Element]
\ No newline at end of file
diff --git a/rules/S4066/java/rule.adoc b/rules/S4066/java/rule.adoc
index f5ee921203..db069ac167 100644
--- a/rules/S4066/java/rule.adoc
+++ b/rules/S4066/java/rule.adoc
@@ -52,9 +52,9 @@ class MyFilter implements ObjectInputFilter {
 == Resources
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
 * https://www.securecoding.cert.org/confluence/x/ZwBzCg[CERT, SER12-J.] - Prevent deserialization of untrusted data
-* OWASP Top 10 2017 Category A8 - Insecure Deserialization
+* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4212/csharp/rule.adoc b/rules/S4212/csharp/rule.adoc
index 2f018be968..e565d2f765 100644
--- a/rules/S4212/csharp/rule.adoc
+++ b/rules/S4212/csharp/rule.adoc
@@ -87,8 +87,8 @@ namespace MyLibrary
 == Resources
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization ]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4347/common/resources/standards.adoc b/rules/S4347/common/resources/standards.adoc
index 7fa844ff2d..df425cefa0 100644
--- a/rules/S4347/common/resources/standards.adoc
+++ b/rules/S4347/common/resources/standards.adoc
@@ -1,9 +1,9 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
-* https://cwe.mitre.org/data/definitions/332[MITRE, CWE-332] - Insufficient Entropy in PRNG
-* https://cwe.mitre.org/data/definitions/336[MITRE, CWE-336] - Same Seed in Pseudo-Random Number Generator (PRNG)
-* https://cwe.mitre.org/data/definitions/337[MITRE, CWE-337] - Predictable Seed in Pseudo-Random Number Generator (PRNG)
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
+* CWE - https://cwe.mitre.org/data/definitions/332[CWE-332 - Insufficient Entropy in PRNG]
+* CWE - https://cwe.mitre.org/data/definitions/336[CWE-336 - Same Seed in Pseudo-Random Number Generator (PRNG)]
+* CWE - https://cwe.mitre.org/data/definitions/337[CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)]
 * https://wiki.sei.cmu.edu/confluence/display/java/MSC63-J.+Ensure+that+SecureRandom+is+properly+seeded[CERT, MSC63J.] - Ensure that SecureRandom is properly seeded
diff --git a/rules/S4423/common/resources/standards.adoc b/rules/S4423/common/resources/standards.adoc
index f949322ca0..44104ae2a0 100644
--- a/rules/S4423/common/resources/standards.adoc
+++ b/rules/S4423/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S4423/java/rule.adoc b/rules/S4423/java/rule.adoc
index 48ae5beb9d..aa24f3caee 100644
--- a/rules/S4423/java/rule.adoc
+++ b/rules/S4423/java/rule.adoc
@@ -23,9 +23,9 @@ include::../common/resources/presentations.adoc[]
 include::../common/resources/standards.adoc[]
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4423/kotlin/rule.adoc b/rules/S4423/kotlin/rule.adoc
index 5557628573..7cee98d5df 100644
--- a/rules/S4423/kotlin/rule.adoc
+++ b/rules/S4423/kotlin/rule.adoc
@@ -23,9 +23,9 @@ include::../common/resources/presentations.adoc[]
 include::../common/resources/standards.adoc[]
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4424/java/rule.adoc b/rules/S4424/java/rule.adoc
index 07e0dc00f6..54a97ef879 100644
--- a/rules/S4424/java/rule.adoc
+++ b/rules/S4424/java/rule.adoc
@@ -31,8 +31,8 @@ class TrustAllManager implements X509TrustManager {
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4425/java/rule.adoc b/rules/S4425/java/rule.adoc
index 66d14d3d5c..1948f79170 100644
--- a/rules/S4425/java/rule.adoc
+++ b/rules/S4425/java/rule.adoc
@@ -38,7 +38,7 @@ for (byte b : bytes) {
 == Resources
-* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704] - Incorrect Type Conversion or Cast
+* CWE - https://cwe.mitre.org/data/definitions/704[CWE-704 - Incorrect Type Conversion or Cast]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION[BAD_HEXA_CONVERSION]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4426/common/resources/standards.adoc b/rules/S4426/common/resources/standards.adoc
index da3a94e3bb..794988f4af 100644
--- a/rules/S4426/common/resources/standards.adoc
+++ b/rules/S4426/common/resources/standards.adoc
@@ -1,10 +1,11 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf[NIST 800-131A] - Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf[NIST 800-131A] - Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
diff --git a/rules/S4432/csharp/rule.adoc b/rules/S4432/csharp/rule.adoc
index 3a89e26497..d0c2c6491b 100644
--- a/rules/S4432/csharp/rule.adoc
+++ b/rules/S4432/csharp/rule.adoc
@@ -26,8 +26,8 @@ AesManaged aes = new AesManaged
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[Recommendation for Block Cipher Modes of Operation]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#ECB_MODE[ECB_MODE]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE[PADDING_ORACLE]
diff --git a/rules/S4432/java/rule.adoc b/rules/S4432/java/rule.adoc
index 63f1a02d41..c0ed1fab91 100644
--- a/rules/S4432/java/rule.adoc
+++ b/rules/S4432/java/rule.adoc
@@ -27,8 +27,8 @@ Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[Recommendation for Block Cipher Modes of Operation]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#ECB_MODE[ECB_MODE]
diff --git a/rules/S4433/common/resources/standards.adoc b/rules/S4433/common/resources/standards.adoc
index cdce41ad10..02a21ed04c 100644
--- a/rules/S4433/common/resources/standards.adoc
+++ b/rules/S4433/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://cwe.mitre.org/data/definitions/521[MITRE, CWE-521] - Weak Password Requirements
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/521[CWE-521 - Weak Password Requirements]
\ No newline at end of file
diff --git a/rules/S4434/java/rule.adoc b/rules/S4434/java/rule.adoc
index 67d74a35a8..9e9aab8fb6 100644
--- a/rules/S4434/java/rule.adoc
+++ b/rules/S4434/java/rule.adoc
@@ -43,9 +43,9 @@ ctx.search(query, filter,
 == See
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
-* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
 * https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf[BlackHat presentation]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING[LDAP_ENTRY_POISONING]
diff --git a/rules/S4435/java/rule.adoc b/rules/S4435/java/rule.adoc
index 6a6b1c4925..2062e3e60d 100644
--- a/rules/S4435/java/rule.adoc
+++ b/rules/S4435/java/rule.adoc
@@ -47,9 +47,9 @@ transformer.transform(input, result);
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
+* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory[OWASP XXE Cheat Sheet]
-* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Improper Restriction of XML External Entity Reference ('XXE')
+* CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XXE_DTD_TRANSFORM_FACTORY[XXE_DTD_TRANSFORM_FACTORY]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XXE_XSLT_TRANSFORM_FACTORY[XXE_XSLT_TRANSFORM_FACTORY]
diff --git a/rules/S4487/csharp/rule.adoc b/rules/S4487/csharp/rule.adoc
index eb566d86d3..ecccd1c528 100644
--- a/rules/S4487/csharp/rule.adoc
+++ b/rules/S4487/csharp/rule.adoc
@@ -54,6 +54,6 @@ public class Rectangle
 === Standards
-* https://cwe.mitre.org/data/definitions/563[MITRE, CWE-563] - Assignment to Variable without Use ('Unused Variable')
+* CWE - https://cwe.mitre.org/data/definitions/563[CWE-563 - Assignment to Variable without Use ('Unused Variable')]
 include::../rspecator.adoc[]
\ No newline at end of file
diff --git a/rules/S4487/java/rule.adoc b/rules/S4487/java/rule.adoc
index f1087a3a2d..9ab5185081 100644
--- a/rules/S4487/java/rule.adoc
+++ b/rules/S4487/java/rule.adoc
@@ -42,7 +42,7 @@ public class Rectangle {
 === Standards
-* https://cwe.mitre.org/data/definitions/563[MITRE, CWE-563] - Assignment to Variable without Use ('Unused Variable')
+* CWE - https://cwe.mitre.org/data/definitions/563[CWE-563 - Assignment to Variable without Use ('Unused Variable')]
 * https://wiki.sei.cmu.edu/confluence/x/39UxBQ[CERT, MSC13-C.] - Detect and remove unused values
 * https://wiki.sei.cmu.edu/confluence/x/9DZGBQ[CERT, MSC56-J.] - Detect and remove superfluous code and values
diff --git a/rules/S4499/java/rule.adoc b/rules/S4499/java/rule.adoc
index 2f149ede15..c57b046e1d 100644
--- a/rules/S4499/java/rule.adoc
+++ b/rules/S4499/java/rule.adoc
@@ -63,8 +63,8 @@ Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator
 == Resources
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/297[MITRE, CWE-297] - Improper Validation of Certificate with Host Mismatch
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/297[CWE-297 - Improper Validation of Certificate with Host Mismatch]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4502/see.adoc b/rules/S4502/see.adoc
index 9dc13d3ba2..a8ff3555b2 100644
--- a/rules/S4502/see.adoc
+++ b/rules/S4502/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF)
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery]
diff --git a/rules/S4507/see.adoc b/rules/S4507/see.adoc
index 5c040a88aa..eb470e3c91 100644
--- a/rules/S4507/see.adoc
+++ b/rules/S4507/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
-* https://cwe.mitre.org/data/definitions/215[MITRE, CWE-215] - Information Exposure Through Debug Information
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
+* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
\ No newline at end of file
diff --git a/rules/S4507/xml/rule.adoc b/rules/S4507/xml/rule.adoc
index e39c3c5f88..447acc03d4 100644
--- a/rules/S4507/xml/rule.adoc
+++ b/rules/S4507/xml/rule.adoc
@@ -76,10 +76,10 @@ In a `web.config` file, the `customErrors` element's `mode` attribute is set to
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard] - Code Quality and Build Setting Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality
-* https://cwe.mitre.org/data/definitions/215[MITRE, CWE-215] - Information Exposure Through Debug Information
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
+* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
 * https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
 * https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling
diff --git a/rules/S4508/see.adoc b/rules/S4508/see.adoc
index ccac3ca73d..53091a756d 100644
--- a/rules/S4508/see.adoc
+++ b/rules/S4508/see.adoc
@@ -1,6 +1,6 @@
 == See
 * https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[OWASP - Deserialization of untrusted data]
-* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
-* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
+* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
+* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION[OBJECT_DESERIALIZATION ]
diff --git a/rules/S4510/java/rule.adoc b/rules/S4510/java/rule.adoc
index 1739b032ac..30d56e9918 100644
--- a/rules/S4510/java/rule.adoc
+++ b/rules/S4510/java/rule.adoc
@@ -38,9 +38,9 @@ public void decode(InputStream in) {
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
-* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
+* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
 * https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[OWASP Deserialization of untrusted data]
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XML_DECODER[XML_DECODER ]
diff --git a/rules/S4512/java/rule.adoc b/rules/S4512/java/rule.adoc
index 99a9aa98f8..ab8d881aac 100644
--- a/rules/S4512/java/rule.adoc
+++ b/rules/S4512/java/rule.adoc
@@ -43,10 +43,10 @@ BeanUtils.populate(bean, map); // Sensitive: "map" is populated with data coming
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/915[MITRE, CWE-915] - Improperly Controlled Modification of Dynamically-Determined Object Attributes
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/915[CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#BEAN_PROPERTY_INJECTION[BEAN_PROPERTY_INJECTION]
diff --git a/rules/S4529/see.adoc b/rules/S4529/see.adoc
index 5b289f86b9..0cf2e10a04 100644
--- a/rules/S4529/see.adoc
+++ b/rules/S4529/see.adoc
@@ -1,9 +1,9 @@
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/352[MITRE, CWE-352] - Cross-Site Request Forgery (CSRF)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
-* https://cwe.mitre.org/data/definitions/22[MITRE, CWE-22] - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation ]
+* CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
diff --git a/rules/S4530/java/rule.adoc b/rules/S4530/java/rule.adoc
index e5e837d3f6..998bf2b7e7 100644
--- a/rules/S4530/java/rule.adoc
+++ b/rules/S4530/java/rule.adoc
@@ -47,8 +47,8 @@ public final class CashTransferAction extends Action {
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/105[MITRE, CWE-105] - Struts Form Field Without Validator
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/105[CWE-105 - Struts Form Field Without Validator]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4531/java/rule.adoc b/rules/S4531/java/rule.adoc
index d556cfe958..6e000cd321 100644
--- a/rules/S4531/java/rule.adoc
+++ b/rules/S4531/java/rule.adoc
@@ -45,7 +45,7 @@ public class AccountBalanceAction extends ActionSupport {
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4544/java/rule.adoc b/rules/S4544/java/rule.adoc
index 5c2a8877ea..ce90ddb6b9 100644
--- a/rules/S4544/java/rule.adoc
+++ b/rules/S4544/java/rule.adoc
@@ -43,10 +43,10 @@ abstract class PhoneNumber {
 == See
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
 * OWASP - https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[Deserialization of untrusted data]
-* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
+* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
 * https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062[On Jackson CVEs: Don’t Panic]
 * https://nvd.nist.gov/vuln/detail/CVE-2017-15095[CVE-2017-1509]
 * https://nvd.nist.gov/vuln/detail/CVE-2017-7525[CVE-2017-7525]
diff --git a/rules/S4564/csharp/rule.adoc b/rules/S4564/csharp/rule.adoc
index 7d766fefdd..965771045f 100644
--- a/rules/S4564/csharp/rule.adoc
+++ b/rules/S4564/csharp/rule.adoc
@@ -51,8 +51,8 @@ Parameterless methods marked with ``++System.Web.Mvc.HttpPostAttribute++`` will
 == Resources
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
 * https://www.owasp.org/index.php/ASP.NET_Request_Validation[OWASP ASP.NET Request Validation]
diff --git a/rules/S4601/java/rule.adoc b/rules/S4601/java/rule.adoc
index c044847886..79b085404d 100644
--- a/rules/S4601/java/rule.adoc
+++ b/rules/S4601/java/rule.adoc
@@ -94,8 +94,8 @@ protected void configure(HttpSecurity http) throws Exception {
 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 - Category A1 - Broken Access Control]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 - Category A6 - Security Misconfiguration]
-* CWE - https://cwe.mitre.org/data/definitions/285.html[CWE-285 - Improper Authorization]
-* CWE - https://cwe.mitre.org/data/definitions/287.html[CWE-287 - Improper Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/285[CWE-285 - Improper Authorization]
+* CWE - https://cwe.mitre.org/data/definitions/287[CWE-287 - Improper Authentication]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4639/java/rule.adoc b/rules/S4639/java/rule.adoc
index e0fd29b4c3..c1053d70bc 100644
--- a/rules/S4639/java/rule.adoc
+++ b/rules/S4639/java/rule.adoc
@@ -46,9 +46,9 @@ public static void sanitizeAgainstZipFlipVulnerability(String fileName, String c
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/409[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification)
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream[CERT, IDS04-J.] - Safely extract files from ZipInputStream
 * Snyk Research Team: https://snyk.io/research/zip-slip-vulnerability[Zip Slip Vulnerability]
 * https://nvd.nist.gov/vuln/detail/CVE-2016-0709
diff --git a/rules/S4639/see.adoc b/rules/S4639/see.adoc
index ba9caee092..4e3a67922d 100644
--- a/rules/S4639/see.adoc
+++ b/rules/S4639/see.adoc
@@ -1,8 +1,8 @@
 == Resources
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/409[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification)
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * Snyk Research Team: https://snyk.io/research/zip-slip-vulnerability[Zip Slip Vulnerability]
 * https://nvd.nist.gov/vuln/detail/CVE-2016-0709
 * https://nvd.nist.gov/vuln/detail/CVE-2017-5946
diff --git a/rules/S4721/see.adoc b/rules/S4721/see.adoc
index 37ed5b0938..70b93de5e0 100644
--- a/rules/S4721/see.adoc
+++ b/rules/S4721/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/78[MITRE, CWE-78] - Improper Neutralization of Special Elements used in an OS Command
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command]
diff --git a/rules/S4784/see.adoc b/rules/S4784/see.adoc
index c9a9d0d6bc..10118d24c0 100644
--- a/rules/S4784/see.adoc
+++ b/rules/S4784/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS[MITRE, CWE-624] - Executable Regular Expression Error
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS[CWE-624 - Executable Regular Expression Error]
 * OWASP Regular expression Denial of Service - ReDoS
\ No newline at end of file
diff --git a/rules/S4787/see.adoc b/rules/S4787/see.adoc
index c5110adfb2..43cfcf18f8 100644
--- a/rules/S4787/see.adoc
+++ b/rules/S4787/see.adoc
@@ -1,11 +1,11 @@
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/321[MITRE, CWE-321] - Use of Hard-coded Cryptographic Key
-* https://cwe.mitre.org/data/definitions/322[MITRE, CWE-322] - Key Exchange without Entity Authentication
-* https://cwe.mitre.org/data/definitions/323[MITRE, CWE-323] - Reusing a Nonce, Key Pair in Encryption
-* https://cwe.mitre.org/data/definitions/324[MITRE, CWE-324] - Use of a Key Past its Expiration Date
-* https://cwe.mitre.org/data/definitions/325[MITRE, CWE-325] - Missing Required Cryptographic Step
-* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/321[CWE-321 - Use of Hard-coded Cryptographic Key]
+* CWE - https://cwe.mitre.org/data/definitions/322[CWE-322 - Key Exchange without Entity Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/323[CWE-323 - Reusing a Nonce, Key Pair in Encryption]
+* CWE - https://cwe.mitre.org/data/definitions/324[CWE-324 - Use of a Key Past its Expiration Date]
+* CWE - https://cwe.mitre.org/data/definitions/325[CWE-325 - Missing Required Cryptographic Step]
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S4790/see.adoc b/rules/S4790/see.adoc
index 23d4fc6a56..fe276b5b9b 100644
--- a/rules/S4790/see.adoc
+++ b/rules/S4790/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/1240[MITRE, CWE-1240] - Use of a Risky Cryptographic Primitive
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/1240[CWE-1240 - Use of a Risky Cryptographic Primitive]
diff --git a/rules/S4792/see.adoc b/rules/S4792/see.adoc
index c0954ec9c0..7fe512c893 100644
--- a/rules/S4792/see.adoc
+++ b/rules/S4792/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[OWASP Top 10 2017 Category A10] - Insufficient Logging & Monitoring
-* https://cwe.mitre.org/data/definitions/117[MITRE, CWE-117] - Improper Output Neutralization for Logs
-* https://cwe.mitre.org/data/definitions/532[MITRE, CWE-532] - Information Exposure Through Log Files
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
+* CWE - https://cwe.mitre.org/data/definitions/117[CWE-117 - Improper Output Neutralization for Logs]
+* CWE - https://cwe.mitre.org/data/definitions/532[CWE-532 - Information Exposure Through Log Files]
diff --git a/rules/S4797/java/rule.adoc b/rules/S4797/java/rule.adoc
index a5bba1e557..2b6949c589 100644
--- a/rules/S4797/java/rule.adoc
+++ b/rules/S4797/java/rule.adoc
@@ -134,14 +134,14 @@ For example we highlight new ``++File(String parent, String child)++`` but not n
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/73[MITRE, CWE-73] - External Control of File Name or Path
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/22[MITRE, CWE-22] - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
-* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption ('Resource Exhaustion')
-* https://cwe.mitre.org/data/definitions/538[MITRE, CWE-538] - File and Directory Information Exposure
-* https://cwe.mitre.org/data/definitions/403[MITRE, CWE-403] - Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/73[CWE-73 - External Control of File Name or Path]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation ]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')]
+* CWE - https://cwe.mitre.org/data/definitions/538[CWE-538 - File and Directory Information Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/403[CWE-403 - Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')]
 * https://wiki.sei.cmu.edu/confluence/x/qDZGBQ[CERT, FIO01-J.] - Create files with appropriate access permissions
 * https://wiki.sei.cmu.edu/confluence/x/B9cxBQ[CERT, FIO06-C.] - Create files with appropriate access permissions
 * https://wiki.sei.cmu.edu/confluence/display/c/FIO22-C.+Close+files+before+spawning+processes[CERT, FIO22-C.] Close files before spawning processes
diff --git a/rules/S4797/see.adoc b/rules/S4797/see.adoc
index 9b19a54e7e..bf0321f18b 100644
--- a/rules/S4797/see.adoc
+++ b/rules/S4797/see.adoc
@@ -1,10 +1,10 @@
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/73[MITRE, CWE-73] - External Control of File Name or Path
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/22[MITRE, CWE-22] - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
-* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption ('Resource Exhaustion')
-* https://cwe.mitre.org/data/definitions/538[MITRE, CWE-538] - File and Directory Information Exposure
-* https://cwe.mitre.org/data/definitions/403[MITRE, CWE-403] - Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/73[CWE-73 - External Control of File Name or Path]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation ]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')]
+* CWE - https://cwe.mitre.org/data/definitions/538[CWE-538 - File and Directory Information Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/403[CWE-403 - Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')]
diff --git a/rules/S4817/java/rule.adoc b/rules/S4817/java/rule.adoc
index a89e347085..acfb6750b5 100644
--- a/rules/S4817/java/rule.adoc
+++ b/rules/S4817/java/rule.adoc
@@ -92,8 +92,8 @@ abstract class A extends JXPathContext{
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/643[MITRE, CWE-643] - Improper Neutralization of Data within XPath Expressions
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/643[CWE-643 - Improper Neutralization of Data within XPath Expressions]
 * https://wiki.sei.cmu.edu/confluence/x/cDZGBQ[CERT, IDS53-J.] - Prevent XPath Injection
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4817/see.adoc b/rules/S4817/see.adoc
index 596ed636e0..8c26ebc8aa 100644
--- a/rules/S4817/see.adoc
+++ b/rules/S4817/see.adoc
@@ -1,4 +1,4 @@
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/643[MITRE, CWE-643] - Improper Neutralization of Data within XPath Expressions
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/643[CWE-643 - Improper Neutralization of Data within XPath Expressions]
diff --git a/rules/S4818/see.adoc b/rules/S4818/see.adoc
index 25ad2c350a..665bbef62a 100644
--- a/rules/S4818/see.adoc
+++ b/rules/S4818/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption ('Resource Exhaustion')
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
diff --git a/rules/S4823/see.adoc b/rules/S4823/see.adoc
index 7ccbfb13e2..16cd6249eb 100644
--- a/rules/S4823/see.adoc
+++ b/rules/S4823/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/88[MITRE, CWE-88] - Argument Injection or Modification
-* https://cwe.mitre.org/data/definitions/214[MITRE, CWE-214] - Information Exposure Through Process Environment
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification]
+* CWE - https://cwe.mitre.org/data/definitions/214[CWE-214 - Information Exposure Through Process Environment]
diff --git a/rules/S4825/see.adoc b/rules/S4825/see.adoc
index 7d347084d3..0e6c283405 100644
--- a/rules/S4825/see.adoc
+++ b/rules/S4825/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption ('Resource Exhaustion')
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
\ No newline at end of file
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation ]
+* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
\ No newline at end of file
diff --git a/rules/S4828/see.adoc b/rules/S4828/see.adoc
index 57ca3706f2..11c289cae0 100644
--- a/rules/S4828/see.adoc
+++ b/rules/S4828/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://cwe.mitre.org/data/definitions/283[MITRE, CWE-283] - Unverified Ownership
+* CWE - https://cwe.mitre.org/data/definitions/283[CWE-283 - Unverified Ownership]
 * https://man7.org/linux/man-pages/man1/kill.1.html[kill(1) — Linux manual page]
 * https://man7.org/linux/man-pages/man2/kill.2.html[kill(2) — Linux manual page]
diff --git a/rules/S4829/see.adoc b/rules/S4829/see.adoc
index 1239fb1110..5ce26eef1e 100644
--- a/rules/S4829/see.adoc
+++ b/rules/S4829/see.adoc
@@ -1,3 +1,3 @@
 == See
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
diff --git a/rules/S4830/common/resources/standards.adoc b/rules/S4830/common/resources/standards.adoc
index 47432b0d86..37b356eba7 100644
--- a/rules/S4830/common/resources/standards.adoc
+++ b/rules/S4830/common/resources/standards.adoc
@@ -1,10 +1,10 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[OWASP Mobile Top 10 2016 Category M3] - Insecure Communication
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard] - Network Communication Requirements
-* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
+* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
diff --git a/rules/S4834/see.adoc b/rules/S4834/see.adoc
index f526a42c27..b6ee23966c 100644
--- a/rules/S4834/see.adoc
+++ b/rules/S4834/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/276[MITRE, CWE-276] - Incorrect Default Permissions
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere
-* https://cwe.mitre.org/data/definitions/277[MITRE, CWE-277] - Insecure Inherited Permissions
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/276[CWE-276 - Incorrect Default Permissions]
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
+* CWE - https://cwe.mitre.org/data/definitions/277[CWE-277 - Insecure Inherited Permissions]
diff --git a/rules/S4973/java/rule.adoc b/rules/S4973/java/rule.adoc
index 0ebbcfe4e5..29b3a81e6e 100644
--- a/rules/S4973/java/rule.adoc
+++ b/rules/S4973/java/rule.adoc
@@ -27,8 +27,8 @@ if (firstName != null && firstName.equals(lastName)) { ... };
 == Resources
-* https://cwe.mitre.org/data/definitions/595[MITRE, CWE-595] - Comparison of Object References Instead of Object Contents
-* https://cwe.mitre.org/data/definitions/597[MITRE, CWE-597] - Use of Wrong Operator in String Comparison
+* CWE - https://cwe.mitre.org/data/definitions/595[CWE-595 - Comparison of Object References Instead of Object Contents]
+* CWE - https://cwe.mitre.org/data/definitions/597[CWE-597 - Use of Wrong Operator in String Comparison]
 * https://wiki.sei.cmu.edu/confluence/x/UjdGBQ[CERT, EXP03-J.] - Do not use the equality operators when comparing values of boxed primitives
 * https://wiki.sei.cmu.edu/confluence/x/yDdGBQ[CERT, EXP50-J.] - Do not confuse abstract object equality with reference equality
diff --git a/rules/S5042/cfamily/rule.adoc b/rules/S5042/cfamily/rule.adoc
index a7949b8d79..705df0e4f9 100644
--- a/rules/S5042/cfamily/rule.adoc
+++ b/rules/S5042/cfamily/rule.adoc
@@ -103,10 +103,10 @@ int f(const char *filename, int flags) {
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/409[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification)
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5042/java/rule.adoc b/rules/S5042/java/rule.adoc
index 26981c3115..856055452c 100644
--- a/rules/S5042/java/rule.adoc
+++ b/rules/S5042/java/rule.adoc
@@ -71,10 +71,10 @@ while(entries.hasMoreElements()) {
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/409[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification)
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream[CERT, IDS04-J.] - Safely extract files from ZipInputStream
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb
diff --git a/rules/S5042/javascript/rule.adoc b/rules/S5042/javascript/rule.adoc
index 9ef6a00554..74a1664ec6 100644
--- a/rules/S5042/javascript/rule.adoc
+++ b/rules/S5042/javascript/rule.adoc
@@ -284,10 +284,10 @@ main();
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/409[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification)
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5042/php/rule.adoc b/rules/S5042/php/rule.adoc
index 9fa8ac0591..8239a4a524 100644
--- a/rules/S5042/php/rule.adoc
+++ b/rules/S5042/php/rule.adoc
@@ -154,10 +154,10 @@ zip_close($zip);
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/409[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification)
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5042/see.adoc b/rules/S5042/see.adoc
index c14df36a65..517867ea3a 100644
--- a/rules/S5042/see.adoc
+++ b/rules/S5042/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/409[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification)
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/409[CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)]
 * https://www.bamsoftware.com/hacks/zipbomb/[bamsoftware.com] - A better Zip Bomb
diff --git a/rules/S5122/see.adoc b/rules/S5122/see.adoc
index e362d9cfd2..6dfac6c04f 100644
--- a/rules/S5122/see.adoc
+++ b/rules/S5122/see.adoc
@@ -1,10 +1,10 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[developer.mozilla.org] - CORS
 * https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy[developer.mozilla.org] - Same origin policy
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#cross-origin-resource-sharing[OWASP HTML5 Security Cheat Sheet] - Cross Origin Resource Sharing
-* https://cwe.mitre.org/data/definitions/346[MITRE, CWE-346] - Origin Validation Error
-* https://cwe.mitre.org/data/definitions/942[MITRE, CWE-942] - Overly Permissive Cross-domain Whitelist
+* CWE - https://cwe.mitre.org/data/definitions/346[CWE-346 - Origin Validation Error]
+* CWE - https://cwe.mitre.org/data/definitions/942[CWE-942 - Overly Permissive Cross-domain Whitelist]
diff --git a/rules/S5131/common/resources/standards.adoc b/rules/S5131/common/resources/standards.adoc
index 4779a67396..a0aa59a280 100644
--- a/rules/S5131/common/resources/standards.adoc
+++ b/rules/S5131/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79.html[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
diff --git a/rules/S5135/common/resources/standards.adoc b/rules/S5135/common/resources/standards.adoc
index d2a2c040d7..1d61528094 100644
--- a/rules/S5135/common/resources/standards.adoc
+++ b/rules/S5135/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
diff --git a/rules/S5144/common/resources/standards.adoc b/rules/S5144/common/resources/standards.adoc
index b3cd2a5edf..298228690e 100644
--- a/rules/S5144/common/resources/standards.adoc
+++ b/rules/S5144/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/[OWASP Top 10 2021 Category A10] - Server-Side Request Forgery (SSRF)
-* https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/918[MITRE, CWE-918] - Server-Side Request Forgery (SSRF)
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/[Top 10 2021 Category A10 - Server-Side Request Forgery (SSRF)]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/918[CWE-918 - Server-Side Request Forgery (SSRF)]
\ No newline at end of file
diff --git a/rules/S5145/common/resources/standards.adoc b/rules/S5145/common/resources/standards.adoc
index 114ef0feaa..bbd930e59e 100644
--- a/rules/S5145/common/resources/standards.adoc
+++ b/rules/S5145/common/resources/standards.adoc
@@ -1,8 +1,8 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[OWASP Top 10 2017 Category A10] - Insufficient Logging & Monitoring
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/117[MITRE, CWE-117] - Improper Output Neutralization for Logs
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/117[CWE-117 - Improper Output Neutralization for Logs]
\ No newline at end of file
diff --git a/rules/S5146/common/resources/standards.adoc b/rules/S5146/common/resources/standards.adoc
index 85880f7c80..6db11d4064 100644
--- a/rules/S5146/common/resources/standards.adoc
+++ b/rules/S5146/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/601[MITRE, CWE-601] - URL Redirection to Untrusted Site ('Open Redirect')
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/601[CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')]
\ No newline at end of file
diff --git a/rules/S5147/common/resources/standards.adoc b/rules/S5147/common/resources/standards.adoc
index 1909538b4c..90ee342659 100644
--- a/rules/S5147/common/resources/standards.adoc
+++ b/rules/S5147/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
 
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/943[MITRE, CWE-943] - Improper Neutralization of Special Elements in Data Query Logic
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/943[CWE-943 - Improper Neutralization of Special Elements in Data Query Logic]
diff --git a/rules/S5148/see.adoc b/rules/S5148/see.adoc
index 39423c9763..8cccbb42b4 100644
--- a/rules/S5148/see.adoc
+++ b/rules/S5148/see.adoc
@@ -1,7 +1,7 @@
 == See
 
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://owasp.org/www-community/attacks/Reverse_Tabnabbing[Reverse Tabnabbing]
-* https://cwe.mitre.org/data/definitions/1022[MITRE, CWE-1022] - Use of Web Link to Untrusted Target with window.opener Access
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* CWE - https://cwe.mitre.org/data/definitions/1022[CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://mathiasbynens.github.io/rel-noopener/
\ No newline at end of file
diff --git a/rules/S5167/see.adoc b/rules/S5167/see.adoc
index f1447eb926..6e0c7421f7 100644
--- a/rules/S5167/see.adoc
+++ b/rules/S5167/see.adoc
@@ -1,6 +1,6 @@
 == Resources
 
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/HTTP_Response_Splitting[OWASP Attack Category] - HTTP Response Splitting
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/113[MITRE, CWE-113] - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/index.php/HTTP_Response_Splitting[Attack Category - HTTP Response Splitting]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/113[CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')]
diff --git a/rules/S5247/see.adoc b/rules/S5247/see.adoc
index 4760330e8d..719e04258d 100644
--- a/rules/S5247/see.adoc
+++ b/rules/S5247/see.adoc
@@ -1,6 +1,6 @@
 == See
 
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
diff --git a/rules/S5273/cfamily/rule.adoc b/rules/S5273/cfamily/rule.adoc
index ca57f0b73b..d5db22fc0e 100644
--- a/rules/S5273/cfamily/rule.adoc
+++ b/rules/S5273/cfamily/rule.adoc
@@ -138,9 +138,9 @@ void bar(const char *src) {
 === Standards
 
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator[STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator]
-* CWE - https://cwe.mitre.org/data/definitions/121.html[121 Stack-based Buffer Overflow]
-* CWE - https://cwe.mitre.org/data/definitions/122.html[122 Heap-based Buffer Overflow]
-* CWE - https://cwe.mitre.org/data/definitions/676.html[676 Use of Potentially Dangerous Function]
+* CWE - https://cwe.mitre.org/data/definitions/121[CWE-121 Stack-based Buffer Overflow]
+* CWE - https://cwe.mitre.org/data/definitions/122[CWE-122 Heap-based Buffer Overflow]
+* CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 Use of Potentially Dangerous Function]
diff --git a/rules/S5300/see.adoc b/rules/S5300/see.adoc
index ea0ae4df17..144684fa4d 100644
--- a/rules/S5300/see.adoc
+++ b/rules/S5300/see.adoc
@@ -1,6 +1,6 @@
 == See
 
 * https://www.damonkohler.com/2008/12/email-injection.html[Email Injection]
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/93[MITRE, CWE-93] - Improper Neutralization of CRLF Sequences ('CRLF Injection')
-* https://cwe.mitre.org/data/definitions/80[MITRE, CWE-80] - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/93[CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')]
+* CWE - https://cwe.mitre.org/data/definitions/80[CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)]
diff --git a/rules/S5304/java/rule.adoc b/rules/S5304/java/rule.adoc
index 4e43342f42..61e83c8f07 100644
--- a/rules/S5304/java/rule.adoc
+++ b/rules/S5304/java/rule.adoc
@@ -55,8 +55,8 @@ public class Main {
 == See
 
-* https://cwe.mitre.org/data/definitions/526[MITRE, CWE-526] - Information Exposure Through Environmental Variables
-* https://cwe.mitre.org/data/definitions/74[MITRE, CWE-74] - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
+* CWE - https://cwe.mitre.org/data/definitions/526[CWE-526 - Information Exposure Through Environmental Variables]
+* CWE - https://cwe.mitre.org/data/definitions/74[CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
 
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5308/cfamily/rule.adoc b/rules/S5308/cfamily/rule.adoc
index 526185fa9f..9f3194857f 100644
--- a/rules/S5308/cfamily/rule.adoc
+++ b/rules/S5308/cfamily/rule.adoc
@@ -176,5 +176,5 @@ void undo_setuid(void) {
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges[POS36-C. Ensure that privilege relinquishment is successful]
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful[POS37-C. Observe correct revocation order while relinquishing privileges]
-* CWE - https://cwe.mitre.org/data/definitions/252.html[252 Unchecked Return Value]
-* CWE - https://cwe.mitre.org/data/definitions/272.html[272 Least Privilege Violation]
+* CWE - https://cwe.mitre.org/data/definitions/252[CWE-252 Unchecked Return Value]
+* CWE - https://cwe.mitre.org/data/definitions/272[CWE-272 Least Privilege Violation]
diff --git a/rules/S5314/cfamily/rule.adoc b/rules/S5314/cfamily/rule.adoc
index 926a860c93..71a5a0c3db 100644
--- a/rules/S5314/cfamily/rule.adoc
+++ b/rules/S5314/cfamily/rule.adoc
@@ -213,7 +213,7 @@ the ABA problem, where `A` and `B` refers to the values of the resource.
 * {cpp} reference - https://en.cppreference.com/w/cpp/thread/mutex[`std::mutex`]
 * {cpp} reference - https://en.cppreference.com/w/cpp/thread/scoped_lock[`std::scoped_lock`]
-* https://cwe.mitre.org/data/definitions/367[MITRE, CWE-367] - Time-of-check Time-of-use (TOCTOU) Race Condition
+* CWE - https://cwe.mitre.org/data/definitions/367[CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition]
 * Wikipedia - https://en.wikipedia.org/wiki/ABA_problem[ABA problem]
 
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5320/see.adoc b/rules/S5320/see.adoc
index a0a45666b6..cfc21d1d65 100644
--- a/rules/S5320/see.adoc
+++ b/rules/S5320/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper Platform Usage
-* https://cwe.mitre.org/data/definitions/927[MITRE, CWE-927] - Use of Implicit Intent for Sensitive Communication
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* CWE - https://cwe.mitre.org/data/definitions/927[CWE-927 - Use of Implicit Intent for Sensitive Communication]
 * https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions[Android documentation] - Broadcast Overview - Security considerations and best practices
\ No newline at end of file
diff --git a/rules/S5322/see.adoc b/rules/S5322/see.adoc
index 6cbe993cdc..3581225bee 100644
--- a/rules/S5322/see.adoc
+++ b/rules/S5322/see.adoc
@@ -1,7 +1,7 @@
 == See
 
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper Platform Usage
-* https://cwe.mitre.org/data/definitions/925[MITRE, CWE-925] - Improper Verification of Intent by Broadcast Receiver
-* https://cwe.mitre.org/data/definitions/926[MITRE, CWE-926] - Improper Export of Android Application Components
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* CWE - https://cwe.mitre.org/data/definitions/925[CWE-925 - Improper Verification of Intent by Broadcast Receiver]
+* CWE - https://cwe.mitre.org/data/definitions/926[CWE-926 - Improper Export of Android Application Components]
 * https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions[Android documentation] - Broadcast Overview - Security considerations and best practices
diff --git a/rules/S5324/see.adoc b/rules/S5324/see.adoc
index 9710691d01..ce0c03b66c 100644
--- a/rules/S5324/see.adoc
+++ b/rules/S5324/see.adoc
@@ -1,7 +1,7 @@
 == See
 
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * https://developer.android.com/privacy-and-security/security-tips#ExternalStorage[Android Security tips on external file storage]
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard] - Data Storage and Privacy Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[OWASP Mobile Top 10 2016 Category M2] - Insecure Data Storage
-* https://cwe.mitre.org/data/definitions/312[MITRE, CWE-312] - Cleartext Storage of Sensitive Information
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* CWE - https://cwe.mitre.org/data/definitions/312[CWE-312 - Cleartext Storage of Sensitive Information]
diff --git a/rules/S5326/java/rule.adoc b/rules/S5326/java/rule.adoc
index ef1d66b6f8..4e508fb80e 100644
--- a/rules/S5326/java/rule.adoc
+++ b/rules/S5326/java/rule.adoc
@@ -61,9 +61,9 @@ public class SSLTLSValidation extends WebViewClient {
 == See
 
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
 
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5328/php/rule.adoc b/rules/S5328/php/rule.adoc
index dc97eea7f8..95dc9743eb 100644
--- a/rules/S5328/php/rule.adoc
+++ b/rules/S5328/php/rule.adoc
@@ -35,12 +35,12 @@ session_id(bin2hex(random_bytes(16))); // Compliant
 == See
 
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://owasp.org/www-community/attacks/Session_fixation[OWASP Sesssion Fixation]
-* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
-* https://cwe.mitre.org/data/definitions/340[MITRE, CWE-340] - Generation of Predictable Numbers or Identifiers
+* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
+* CWE - https://cwe.mitre.org/data/definitions/340[CWE-340 - Generation of Predictable Numbers or Identifiers]
 * https://www.php.net/random-bytes[PHP: random_bytes()]
 * https://www.php.net/session-regenerate-id[PHP: session_regenerate_id()]
diff --git a/rules/S5332/apex/rule.adoc b/rules/S5332/apex/rule.adoc
index 4bf66abd07..59a629934d 100644
--- a/rules/S5332/apex/rule.adoc
+++ b/rules/S5332/apex/rule.adoc
@@ -34,9 +34,9 @@ include::../exceptions.adoc[]
 == See
 
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Information Exposure
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Information Exposure]
 
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/azureresourcemanager/see.adoc b/rules/S5332/azureresourcemanager/see.adoc
index d9786e743d..a517da6d6d 100644
--- a/rules/S5332/azureresourcemanager/see.adoc
+++ b/rules/S5332/azureresourcemanager/see.adoc
@@ -1,6 +1,6 @@
 == See
 
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
-* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
 * https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
 * https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
diff --git a/rules/S5332/docker/rule.adoc b/rules/S5332/docker/rule.adoc
index d6e66f7b76..12a70aa029 100644
--- a/rules/S5332/docker/rule.adoc
+++ b/rules/S5332/docker/rule.adoc
@@ -36,8 +36,8 @@ RUN curl https://www.example.com/
 == See
 
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
-* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
 * https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
 * https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
diff --git a/rules/S5332/see.adoc b/rules/S5332/see.adoc
index c2beb0b365..fe90c2dc7b 100644
--- a/rules/S5332/see.adoc
+++ b/rules/S5332/see.adoc
@@ -1,11 +1,11 @@
 == See
 
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard] - Network Communication Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[OWASP Mobile Top 10 2016 Category M3] - Insecure Communication
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
-* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure ]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
 * https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
 * https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
 * https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
diff --git a/rules/S5334/common/resources/standards.adoc b/rules/S5334/common/resources/standards.adoc
index b6c43509c5..19d4ffcbe6 100644
--- a/rules/S5334/common/resources/standards.adoc
+++ b/rules/S5334/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
 
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/95[MITRE, CWE-95] - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
diff --git a/rules/S5335/php/rule.adoc b/rules/S5335/php/rule.adoc
index 0bf79bb5e4..60c46fb758 100644
--- a/rules/S5335/php/rule.adoc
+++ b/rules/S5335/php/rule.adoc
@@ -96,13 +96,13 @@ client-side front-ends.
 == Resources
 
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/97[MITRE, CWE-97] - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
-* https://cwe.mitre.org/data/definitions/98[MITRE, CWE-98] - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
-* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/97[CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page]
+* CWE - https://cwe.mitre.org/data/definitions/98[CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')]
+* CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere]
 
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5344/java/rule.adoc b/rules/S5344/java/rule.adoc
index 9c5be09149..164baf26ae 100644
--- a/rules/S5344/java/rule.adoc
+++ b/rules/S5344/java/rule.adoc
@@ -74,11 +74,11 @@ The ``BCryptPasswordEncoder`` is a password hashing function in Java that is des
 === Standards
 
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/256[MITRE, CWE-256] - Plaintext Storage of a Password
-* https://cwe.mitre.org/data/definitions/916[MITRE, CWE-916] - Use of Password Hash With Insufficient Computational Effort
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/256[CWE-256 - Plaintext Storage of a Password]
+* CWE - https://cwe.mitre.org/data/definitions/916[CWE-916 - Use of Password Hash With Insufficient Computational Effort]
 
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5392/apex/rule.adoc b/rules/S5392/apex/rule.adoc
index b26c4db47a..13c9eb3385 100644
--- a/rules/S5392/apex/rule.adoc
+++ b/rules/S5392/apex/rule.adoc
@@ -51,11 +51,11 @@ public class My {
 == See
 
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * https://trailhead.salesforce.com/en/content/learn/modules/secure-serverside-development/mitigate-soql-injection[Prevent SOQL Injection in Your Code]
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
 
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5435/python/rule.adoc b/rules/S5435/python/rule.adoc
index 7b88bdbbb9..1b8f2679b9 100644
--- a/rules/S5435/python/rule.adoc
+++ b/rules/S5435/python/rule.adoc
@@ -26,11 +26,11 @@ You are at risk if you answered yes to all those questions.
 == See
 
-* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
-* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation
+* OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 Category A6 - Vulnerable and Outdated Components]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
 * https://www.python.org/dev/peps/pep-0476/[PEP-476]
 * https://www.youtube.com/watch?v=4o-xqqidvKA[Benjamin Peterson - A Dive into TLS - PyCon 2015]
 * https://wiki.openstack.org/wiki/OSSN/OSSN-0033[OSSN/OSSN-0033]
diff --git a/rules/S5439/python/rule.adoc b/rules/S5439/python/rule.adoc
index 562f879075..460c38844b 100644
--- a/rules/S5439/python/rule.adoc
+++ b/rules/S5439/python/rule.adoc
@@ -43,17 +43,17 @@ env = Environment(autoescape=True) # Compliant
 == Resources
 
 * https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
-* https://cwe.mitre.org/data/definitions/80[MITRE, CWE-80] - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
-* https://cwe.mitre.org/data/definitions/81[MITRE, CWE-81] - Improper Neutralization of Script in an Error Message Web Page
-* https://cwe.mitre.org/data/definitions/82[MITRE, CWE-82] - Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
-* https://cwe.mitre.org/data/definitions/83[MITRE, CWE-83] - Improper Neutralization of Script in Attributes in a Web Page
-* https://cwe.mitre.org/data/definitions/84[MITRE, CWE-84] - Improper Neutralization of Encoded URI Schemes in a Web Page
-* https://cwe.mitre.org/data/definitions/85[MITRE, CWE-85] - Doubled Character XSS Manipulations
-* https://cwe.mitre.org/data/definitions/86[MITRE, CWE-86] - Improper Neutralization of Invalid Characters in Identifiers in Web Pages
-* https://cwe.mitre.org/data/definitions/87[MITRE, CWE-87] - Improper Neutralization of Alternate XSS Syntax
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* CWE - https://cwe.mitre.org/data/definitions/80[CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/81[CWE-81 - Improper Neutralization of Script in an Error Message Web Page]
+* CWE - https://cwe.mitre.org/data/definitions/82[CWE-82 - Improper Neutralization of Script in Attributes of IMG Tags in a Web Page]
+* CWE - https://cwe.mitre.org/data/definitions/83[CWE-83 - Improper Neutralization of Script in Attributes in a Web Page]
+* CWE - https://cwe.mitre.org/data/definitions/84[CWE-84 - Improper Neutralization of Encoded URI Schemes in a Web Page]
+* CWE - https://cwe.mitre.org/data/definitions/85[CWE-85 - Doubled Character XSS Manipulations]
+* CWE - https://cwe.mitre.org/data/definitions/86[CWE-86 - Improper Neutralization of Invalid Characters in Identifiers in Web Pages]
+* CWE - https://cwe.mitre.org/data/definitions/87[CWE-87 - Improper Neutralization of Alternate XSS Syntax]
diff --git a/rules/S5443/python/rule.adoc b/rules/S5443/python/rule.adoc
index 77978a86c5..fda36cb1b7 100644
--- a/rules/S5443/python/rule.adoc
+++ b/rules/S5443/python/rule.adoc
@@ -26,11 +26,11 @@ file = tempfile.TemporaryFile(dir="/tmp/my_subdirectory", mode='"w+") # Complian
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/377[MITRE, CWE-377] - Insecure Temporary File
-* https://cwe.mitre.org/data/definitions/379[MITRE, CWE-379] - Creation of Temporary File in Directory with Incorrect Permissions
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File]
+* CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
 * https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File[OWASP, Insecure Temporary File]
 * https://docs.python.org/3/library/tempfile.html[Python tempfile module]
diff --git a/rules/S5443/see.adoc b/rules/S5443/see.adoc
index 58632693b9..af5a0ffc22 100644
--- a/rules/S5443/see.adoc
+++ b/rules/S5443/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/377[MITRE, CWE-377] - Insecure Temporary File
-* https://cwe.mitre.org/data/definitions/379[MITRE, CWE-379] - Creation of Temporary File in Directory with Incorrect Permissions
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File]
+* CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
 * https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File[OWASP, Insecure Temporary File]
\ No newline at end of file
diff --git a/rules/S5445/common/resources/standards.adoc b/rules/S5445/common/resources/standards.adoc
index 1088b04145..037e90b8e6 100644
--- a/rules/S5445/common/resources/standards.adoc
+++ b/rules/S5445/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP] - Top 10 2021 - A01:2021 - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP] - Top 10 2017 - A9:2017 - Using Components with Known Vulnerabilities
-* https://cwe.mitre.org/data/definitions/377[MITRE] - CWE-377: Insecure Temporary File
-* https://cwe.mitre.org/data/definitions/379[MITRE] - CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File]
+* CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
diff --git a/rules/S5485/cfamily/rule.adoc b/rules/S5485/cfamily/rule.adoc
index f130cd60a3..a098daf4dd 100644
--- a/rules/S5485/cfamily/rule.adoc
+++ b/rules/S5485/cfamily/rule.adoc
@@ -133,7 +133,7 @@ int process_tmp_file() {
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/476[476 NULL Pointer Dereference]
+* CWE - https://cwe.mitre.org/data/definitions/476[CWE-476 NULL Pointer Dereference]
 === Related rules
diff --git a/rules/S5486/cfamily/rule.adoc b/rules/S5486/cfamily/rule.adoc
index 6c7f591c05..04dae45dc9 100644
--- a/rules/S5486/cfamily/rule.adoc
+++ b/rules/S5486/cfamily/rule.adoc
@@ -167,8 +167,8 @@ void locks(bool calcFib, int n) {
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/764[764 Multiple Locks of a Critical Resource]
-* CWE - https://cwe.mitre.org/data/definitions/362[362 Multiple Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')]
+* CWE - https://cwe.mitre.org/data/definitions/764[CWE-764 Multiple Locks of a Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/362[CWE-362 Multiple Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')]
 === Related rules
diff --git a/rules/S5496/python/rule.adoc b/rules/S5496/python/rule.adoc
index dbec80c465..9e0df2a983 100644
--- a/rules/S5496/python/rule.adoc
+++ b/rules/S5496/python/rule.adoc
@@ -112,9 +112,9 @@ of the initially intended template logic.
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/94[MITRE, CWE-94] - Improper Control of Generation of Code
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5527/common/resources/standards.adoc b/rules/S5527/common/resources/standards.adoc
index 2eaade5380..f94cf27d19 100644
--- a/rules/S5527/common/resources/standards.adoc
+++ b/rules/S5527/common/resources/standards.adoc
@@ -1,10 +1,10 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard] - Network Communication Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[OWASP Mobile Top 10 2016 Category M3] - Insecure Communication
-* https://cwe.mitre.org/data/definitions/297[MITRE, CWE-297] - Improper Validation of Certificate with Host Mismatch
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/297[CWE-297 - Improper Validation of Certificate with Host Mismatch]
diff --git a/rules/S5542/common/resources/standards.adoc b/rules/S5542/common/resources/standards.adoc
index f949322ca0..44104ae2a0 100644
--- a/rules/S5542/common/resources/standards.adoc
+++ b/rules/S5542/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S5542/java/rule.adoc b/rules/S5542/java/rule.adoc
index 3b8bdb6257..785dcbee2b 100644
--- a/rules/S5542/java/rule.adoc
+++ b/rules/S5542/java/rule.adoc
@@ -21,9 +21,9 @@ include::../common/resources/presentations.adoc[]
 include::../common/resources/standards.adoc[]
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
diff --git a/rules/S5542/kotlin/rule.adoc b/rules/S5542/kotlin/rule.adoc
index 19bb1b7c11..a41e040bda 100644
--- a/rules/S5542/kotlin/rule.adoc
+++ b/rules/S5542/kotlin/rule.adoc
@@ -21,9 +21,9 @@ include::../common/resources/presentations.adoc[]
 include::../common/resources/standards.adoc[]
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5547/common/resources/standards.adoc b/rules/S5547/common/resources/standards.adoc
index 8bb786449e..924a066865 100644
--- a/rules/S5547/common/resources/standards.adoc
+++ b/rules/S5547/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S5547/kotlin/rule.adoc b/rules/S5547/kotlin/rule.adoc
index 466c5b8eae..a7bf94d173 100644
--- a/rules/S5547/kotlin/rule.adoc
+++ b/rules/S5547/kotlin/rule.adoc
@@ -14,8 +14,8 @@ include::how-to-fix-it/java-cryptographic-extension.adoc[]
 include::../common/resources/standards.adoc[]
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5594/xml/rule.adoc b/rules/S5594/xml/rule.adoc
index 4b468eea51..cc63602bd8 100644
--- a/rules/S5594/xml/rule.adoc
+++ b/rules/S5594/xml/rule.adoc
@@ -129,7 +129,7 @@ When targeting Android API versions lower than 12, intent filters will cause ``+
 === Standards
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1] - Improper platform usage
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
diff --git a/rules/S5604/javascript/rule.adoc b/rules/S5604/javascript/rule.adoc
index c8d7e06eb5..38561a1c89 100644
--- a/rules/S5604/javascript/rule.adoc
+++ b/rules/S5604/javascript/rule.adoc
@@ -50,10 +50,10 @@ If geolocation is required, always explain to the user why the application needs
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Web Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges
-* https://cwe.mitre.org/data/definitions/359[MITRE, CWE-359] - Exposure of Private Information
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Web Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
+* CWE - https://cwe.mitre.org/data/definitions/359[CWE-359 - Exposure of Private Information]
 * https://www.w3.org/TR/permissions/[W3C] - Permissions
 * https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites[Mozilla] - Does Firefox share my location with websites?
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5604/xml/rule.adoc b/rules/S5604/xml/rule.adoc
index db97f432af..a9df8dd1d9 100644
--- a/rules/S5604/xml/rule.adoc
+++ b/rules/S5604/xml/rule.adoc
@@ -29,10 +29,10 @@ In AndroidManifest.xml:
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper Platform Usage
-* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
 * https://developer.android.com/training/permissions/usage-notes[developer.android.com] - App permissions best practices
 * https://play.google.com/about/privacy-security-deception/permissions/[Google Play] - Privacy, Security, and Deception - Permissions
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5659/common/resources/standards.adoc b/rules/S5659/common/resources/standards.adoc
index 55922a18b0..2113999782 100644
--- a/rules/S5659/common/resources/standards.adoc
+++ b/rules/S5659/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/347[MITRE, CWE-347] - Improper Verification of Cryptographic Signature
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* CWE - https://cwe.mitre.org/data/definitions/347[CWE-347 - Improper Verification of Cryptographic Signature]
diff --git a/rules/S5689/see.adoc b/rules/S5689/see.adoc
index 045d8dded3..b331a7aba1 100644
--- a/rules/S5689/see.adoc
+++ b/rules/S5689/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework.html[OWASP Testing Guide - OTG-INFO-008] - Fingerprint Web Application Framework
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Information Exposure
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Information Exposure]
diff --git a/rules/S5691/see.adoc b/rules/S5691/see.adoc
index aaf2bcbee4..bf35fb6d71 100644
--- a/rules/S5691/see.adoc
+++ b/rules/S5691/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://github.com/mtojek/go-url-fuzzer[github.com/mtojek/go-url-fuzzer] - Discover hidden files and directories on a web server.
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Web Top 10 2017 Category A6] - Security Misconfiguration.
-* https://cwe.mitre.org/data/definitions/538[MITRE, CWE-538] - File and Directory Information Exposure
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/538[CWE-538 - File and Directory Information Exposure]
diff --git a/rules/S5693/see.adoc b/rules/S5693/see.adoc
index b6ae957232..b72264b663 100644
--- a/rules/S5693/see.adoc
+++ b/rules/S5693/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html[Owasp Cheat Sheet] - Owasp Denial of Service Cheat Sheet
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/770[MITRE, CWE-770] - Allocation of Resources Without Limits or Throttling
-* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/770[CWE-770 - Allocation of Resources Without Limits or Throttling]
+* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
\ No newline at end of file
diff --git a/rules/S5696/common/resources/standards.adoc b/rules/S5696/common/resources/standards.adoc
index aae20e2bad..a0aa59a280 100644
--- a/rules/S5696/common/resources/standards.adoc
+++ b/rules/S5696/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
diff --git a/rules/S5725/see.adoc b/rules/S5725/see.adoc
index c5c350119d..ce49284dfc 100644
--- a/rules/S5725/see.adoc
+++ b/rules/S5725/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://cwe.mitre.org/data/definitions/353[MITRE, CWE-353] - Missing Support for Integrity Check
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* CWE - https://cwe.mitre.org/data/definitions/353[CWE-353 - Missing Support for Integrity Check]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity[developer.mozilla.org] - Subresource Integrity
 * https://en.wikipedia.org/wiki/Watering_hole_attack[Wikipedia, Watering Hole Attacks]
diff --git a/rules/S5728/see.adoc b/rules/S5728/see.adoc
index 83b0648cad..56e44f7163 100644
--- a/rules/S5728/see.adoc
+++ b/rules/S5728/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://www.w3.org/TR/CSP3/[w3.org] - Content Security Policy Level 3
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[developer.mozilla.org] - Content Security Policy (CSP)
\ No newline at end of file
diff --git a/rules/S5730/see.adoc b/rules/S5730/see.adoc
index 9219e37785..63ebcd2bfd 100644
--- a/rules/S5730/see.adoc
+++ b/rules/S5730/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content[developer.mozilla.org] - Mixed-content
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[developer.mozilla.org] - Content Security Policy (CSP)
 * https://www.w3.org/TR/CSP3/[w3.org] - Content Security Policy Level 3
\ No newline at end of file
diff --git a/rules/S5732/see.adoc b/rules/S5732/see.adoc
index 6c64dcd72f..f00e205122 100644
--- a/rules/S5732/see.adoc
+++ b/rules/S5732/see.adoc
@@ -1,10 +1,10 @@
 == See
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html[OWASP Cheat Sheets] - Clickjacking Defense Cheat Sheet
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors[developer.mozilla.org] - Frame-ancestors
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[developer.mozilla.org] - Content Security Policy (CSP)
-* https://cwe.mitre.org/data/definitions/451[MITRE, CWE-451] - User Interface (UI) Misrepresentation of Critical Information
+* CWE - https://cwe.mitre.org/data/definitions/451[CWE-451 - User Interface (UI) Misrepresentation of Critical Information]
 * https://www.w3.org/TR/CSP3/[w3.org] - Content Security Policy Level 3
\ No newline at end of file
diff --git a/rules/S5734/see.adoc b/rules/S5734/see.adoc
index 641a39514c..caaf061a6d 100644
--- a/rules/S5734/see.adoc
+++ b/rules/S5734/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options[developer.mozilla.org] - X-Content-Type-Options
 * https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/[blog.mozilla.org] - Mitigating MIME Confusion Attacks in Firefox
\ No newline at end of file
diff --git a/rules/S5736/see.adoc b/rules/S5736/see.adoc
index a2e1fd9988..52a78012e6 100644
--- a/rules/S5736/see.adoc
+++ b/rules/S5736/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy[developer.mozilla.org] - Referrer-Policy
 * https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns[developer.mozilla.org] - Referer header: privacy and security concerns
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
\ No newline at end of file
diff --git a/rules/S5738/java/rule.adoc b/rules/S5738/java/rule.adoc
index 46e5feb9ba..57762d24ee 100644
--- a/rules/S5738/java/rule.adoc
+++ b/rules/S5738/java/rule.adoc
@@ -61,7 +61,7 @@ public class Bar extends Foo { // Noncompliant; Foo is deprecated and will be r
 == Resources
-* https://cwe.mitre.org/data/definitions/477[MITRE, CWE-477] - Use of Obsolete Functions
+* CWE - https://cwe.mitre.org/data/definitions/477[CWE-477 - Use of Obsolete Functions]
 * https://wiki.sei.cmu.edu/confluence/x/6TdGBQ[CERT, MET02-J.] - Do not use deprecated or obsolete classes or methods
 * RSPEC-1874 for standard deprecation use
diff --git a/rules/S5739/see.adoc b/rules/S5739/see.adoc
index 1e6317f2a0..2ee28810b9 100644
--- a/rules/S5739/see.adoc
+++ b/rules/S5739/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[developer.mozilla.org] - Strict Transport Security
\ No newline at end of file
diff --git a/rules/S5742/see.adoc b/rules/S5742/see.adoc
index 81430efadc..b1e5c41afe 100644
--- a/rules/S5742/see.adoc
+++ b/rules/S5742/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency[developer.mozilla.org] - Certificate Transparency
 * https://en.wikipedia.org/wiki/Certificate_authority[wikipedia.org] - Certificate Authority
\ No newline at end of file
diff --git a/rules/S5743/see.adoc b/rules/S5743/see.adoc
index a0660e608e..50705a82a4 100644
--- a/rules/S5743/see.adoc
+++ b/rules/S5743/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control[developer.mozilla.org] - X-DNS-Prefetch-Control
 * https://developer.mozilla.org/en-US/docs/Web/Performance/dns-prefetch[developer.mozilla.org] - Using dns-prefetch
\ No newline at end of file
diff --git a/rules/S5750/see.adoc b/rules/S5750/see.adoc
index cba3b4f585..723cb781e3 100644
--- a/rules/S5750/see.adoc
+++ b/rules/S5750/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/525[MITRE, CWE-525]
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/525[CWE-525 - Use of Web Browser Cache Containing Sensitive Information]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control[developer.mozilla.org] - Cache-Control
diff --git a/rules/S5753/see.adoc b/rules/S5753/see.adoc
index b1ed4ff063..4cfb779e3c 100644
--- a/rules/S5753/see.adoc
+++ b/rules/S5753/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8[HttpRuntimeSection.RequestValidationMode Property]
 * https://owasp.org/www-community/ASP-NET_Request_Validation[OWASP ASP.NET Request Validation]
 * https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
\ No newline at end of file
diff --git a/rules/S5754/python/rule.adoc b/rules/S5754/python/rule.adoc
index 73c0565c12..7f319b356d 100644
--- a/rules/S5754/python/rule.adoc
+++ b/rules/S5754/python/rule.adoc
@@ -72,7 +72,7 @@ except FileNotFoundError:
 * PEP 352 - https://www.python.org/dev/peps/pep-0352/#id5[Required Superclass for Exceptions]
 * Python Documentation - https://docs.python.org/3/library/exceptions.html[Built-in exceptions]
 * Python Documentation - https://docs.python.org/3/reference/compound_stmts.html#the-try-statement[The ``++try++`` statement]
-* CWE - https://cwe.mitre.org/data/definitions/391[MITRE, CWE-391, Unchecked Error Condition]
+* CWE - https://cwe.mitre.org/data/definitions/391[CWE-391, Unchecked Error Condition]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5757/see.adoc b/rules/S5757/see.adoc
index efe699c862..114b9d26a9 100644
--- a/rules/S5757/see.adoc
+++ b/rules/S5757/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
-* https://cwe.mitre.org/data/definitions/532[MITRE, CWE-532] - Insertion of Sensitive Information into Log File
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
+* CWE - https://cwe.mitre.org/data/definitions/532[CWE-532 - Insertion of Sensitive Information into Log File]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[Top 10 2017 Category A3 - Sensitive Data Exposure]
diff --git a/rules/S5759/see.adoc b/rules/S5759/see.adoc
index a76647d4f4..1c8c10541c 100644
--- a/rules/S5759/see.adoc
+++ b/rules/S5759/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For[developer.mozilla.org] - X-Forwarded-For
\ No newline at end of file
diff --git a/rules/S5766/see.adoc b/rules/S5766/see.adoc
index a9626e3dd8..9f3e0aff6a 100644
--- a/rules/S5766/see.adoc
+++ b/rules/S5766/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
+* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
 * https://docs.microsoft.com/en-us/dotnet/framework/misc/security-and-serialization[docs.microsoft.com] - security-and-serialization
-* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
\ No newline at end of file
diff --git a/rules/S5782/common/resources/standards.adoc b/rules/S5782/common/resources/standards.adoc
index ffec55080b..8c418f8af0 100644
--- a/rules/S5782/common/resources/standards.adoc
+++ b/rules/S5782/common/resources/standards.adoc
@@ -1,7 +1,7 @@
 === Standards
 * OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 - A06 - Vulnerable and Outdated Components]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer]
 * CWE - https://cwe.mitre.org/data/definitions/131[CWE-131 - Incorrect Calculation of Buffer Size]
 * CWE - https://cwe.mitre.org/data/definitions/788[CWE-788 - Access of Memory Location After End of Buffer]
diff --git a/rules/S5798/cfamily/rule.adoc b/rules/S5798/cfamily/rule.adoc
index ff14f38f61..9fb1b87556 100644
--- a/rules/S5798/cfamily/rule.adoc
+++ b/rules/S5798/cfamily/rule.adoc
@@ -63,7 +63,7 @@ void f(char *password, size_t bufferSize) {
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://github.com/OWASP/ASVS/blob/master/4.0/en/0x16-V8-Data-Protection.md#v83-sensitive-private-data[Application Security Verification Standard 4.0 - 8.3.6]
-* MITRE - https://cwe.mitre.org/data/definitions/14[CWE-14 - Compiler Removal of Code to Clear Buffers]
+* CWE - https://cwe.mitre.org/data/definitions/14[CWE-14 - Compiler Removal of Code to Clear Buffers]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5801/cfamily/rule.adoc b/rules/S5801/cfamily/rule.adoc
index d157dc899c..f9f030eec1 100644
--- a/rules/S5801/cfamily/rule.adoc
+++ b/rules/S5801/cfamily/rule.adoc
@@ -50,9 +50,9 @@ int f(char *src) {
 == See
-* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
-* https://cwe.mitre.org/data/definitions/120[MITRE, CWE-120] - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
+* OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 Category A6 - Vulnerable and Outdated Components]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')]
 * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation
diff --git a/rules/S5802/see.adoc b/rules/S5802/see.adoc
index 9f16dcbd12..b5f49e696b 100644
--- a/rules/S5802/see.adoc
+++ b/rules/S5802/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/243[MITRE, CWE-243] - Creation of chroot Jail Without Changing Working Directory
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/243[CWE-243 - Creation of chroot Jail Without Changing Working Directory]
 * https://man7.org/linux/man-pages/man2/chdir.2.html[man7.org] - chdir
 * https://man7.org/linux/man-pages/man2/chroot.2.html[man7.org] - chroot
\ No newline at end of file
diff --git a/rules/S5804/see.adoc b/rules/S5804/see.adoc
index e27f1b0677..cef7751d5b 100644
--- a/rules/S5804/see.adoc
+++ b/rules/S5804/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
diff --git a/rules/S5808/common/resources/standards.adoc b/rules/S5808/common/resources/standards.adoc
index 35cc93b5ca..ccea0bd319 100644
--- a/rules/S5808/common/resources/standards.adoc
+++ b/rules/S5808/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/285[MITRE, CWE-285] - Improper Authorization
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/285[CWE-285 - Improper Authorization]
diff --git a/rules/S5813/cfamily/rule.adoc b/rules/S5813/cfamily/rule.adoc
index df7804d25e..f8b4aa5a2a 100644
--- a/rules/S5813/cfamily/rule.adoc
+++ b/rules/S5813/cfamily/rule.adoc
@@ -54,7 +54,7 @@ size_t f(char *src) {
 == See
-* https://cwe.mitre.org/data/definitions/120[MITRE, CWE-120] - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
+* CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')]
 * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation
diff --git a/rules/S5814/cfamily/rule.adoc b/rules/S5814/cfamily/rule.adoc
index 1bbe7515d6..9287864578 100644
--- a/rules/S5814/cfamily/rule.adoc
+++ b/rules/S5814/cfamily/rule.adoc
@@ -53,9 +53,9 @@ int f(char *src) {
 == See
-* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
-* https://cwe.mitre.org/data/definitions/120[MITRE, CWE-120] - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
+* OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 Category A6 - Vulnerable and Outdated Components]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')]
 * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation
diff --git a/rules/S5815/cfamily/rule.adoc b/rules/S5815/cfamily/rule.adoc
index 4b72dc3eef..11e4899933 100644
--- a/rules/S5815/cfamily/rule.adoc
+++ b/rules/S5815/cfamily/rule.adoc
@@ -51,9 +51,9 @@ int f(char *src) {
 == See
-* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
-* https://cwe.mitre.org/data/definitions/120[MITRE, CWE-120] - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
+* OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 Category A6 - Vulnerable and Outdated Components]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')]
 * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation
diff --git a/rules/S5816/cfamily/rule.adoc b/rules/S5816/cfamily/rule.adoc
index f42a1773c7..5ad6aef967 100644
--- a/rules/S5816/cfamily/rule.adoc
+++ b/rules/S5816/cfamily/rule.adoc
@@ -63,9 +63,9 @@ int f(char *src) {
 == See
-* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
-* https://cwe.mitre.org/data/definitions/120[MITRE, CWE-120] - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
+* OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 Category A6 - Vulnerable and Outdated Components]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')]
 * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation
diff --git a/rules/S5824/cfamily/rule.adoc b/rules/S5824/cfamily/rule.adoc
index a17f2f3fe4..733ba2c30b 100644
--- a/rules/S5824/cfamily/rule.adoc
+++ b/rules/S5824/cfamily/rule.adoc
@@ -52,10 +52,10 @@ int f(char *tempData) {
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
-* https://cwe.mitre.org/data/definitions/377[MITRE, CWE-377] - Insecure Temporary File
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 Category A6 - Vulnerable and Outdated Components]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File]
 * https://wiki.sei.cmu.edu/confluence/display/c/CON33-C.+Avoid+race+conditions+when+using+library+functions[CERT, CON33-C.] - Avoid race conditions when using library functions
 * https://wiki.sei.cmu.edu/confluence/display/c/FIO21-C.+Do+not+create+temporary+files+in+shared+directories[CERT, FIO21-C.] - Do not create temporary files in shared directories
diff --git a/rules/S5849/cfamily/rule.adoc b/rules/S5849/cfamily/rule.adoc
index b250b287a8..cf0e7aca9f 100644
--- a/rules/S5849/cfamily/rule.adoc
+++ b/rules/S5849/cfamily/rule.adoc
@@ -48,10 +48,10 @@ fchmod(fd, S_ISUID|S_ISGID); // Sensitive
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges
-* https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
+* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
 * https://forums.grsecurity.net/viewtopic.php?f=7&t=2522[False Boundaries and Arbitrary Code Execution]
 * https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux manual page] - capabilities(7)
diff --git a/rules/S5849/kubernetes/rule.adoc b/rules/S5849/kubernetes/rule.adoc
index 6e89da3d57..7061a056d1 100644
--- a/rules/S5849/kubernetes/rule.adoc
+++ b/rules/S5849/kubernetes/rule.adoc
@@ -54,8 +54,8 @@ spec:
 == See
-* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges
-* https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment
+* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
+* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
 * https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Kubernetes Documentation] - Configure a Security Context for a Pod or Container
 * https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux manual page] - capabilities(7)
diff --git a/rules/S5852/see.adoc b/rules/S5852/see.adoc
index 9f49c48d7b..9623123561 100644
--- a/rules/S5852/see.adoc
+++ b/rules/S5852/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption
-* https://cwe.mitre.org/data/definitions/1333[MITRE, CWE-1333] - Inefficient Regular Expression Complexity
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
+* CWE - https://cwe.mitre.org/data/definitions/1333[CWE-1333 - Inefficient Regular Expression Complexity]
 * https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS[owasp.org] - OWASP Regular expression Denial of Service - ReDoS
 * https://web.archive.org/web/20220506215733/https://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016[stackstatus.net(archived)] - Outage Postmortem - July 20, 2016
 * https://www.regular-expressions.info/catastrophic.html[regular-expressions.info] - Runaway Regular Expressions: Catastrophic Backtracking
diff --git a/rules/S5876/common/resources/standards.adoc b/rules/S5876/common/resources/standards.adoc
index ad513b70f6..9e883df7d1 100644
--- a/rules/S5876/common/resources/standards.adoc
+++ b/rules/S5876/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
 * https://owasp.org/www-community/attacks/Session_fixation[OWASP Sesssion Fixation]
-* https://cwe.mitre.org/data/definitions/384[MITRE, CWE-384] - Session Fixation
+* CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation]
diff --git a/rules/S5883/common/resources/standards.adoc b/rules/S5883/common/resources/standards.adoc
index 17a557bf3f..cc226e06ac 100644
--- a/rules/S5883/common/resources/standards.adoc
+++ b/rules/S5883/common/resources/standards.adoc
@@ -1,7 +1,7 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/88[MITRE, CWE-88] - Argument Injection or Modification
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification]
diff --git a/rules/S5982/cfamily/rule.adoc b/rules/S5982/cfamily/rule.adoc
index 942928ff2a..14c55993fa 100644
--- a/rules/S5982/cfamily/rule.adoc
+++ b/rules/S5982/cfamily/rule.adoc
@@ -48,9 +48,9 @@ if(fchdir(fd) == -1) {
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/252[MITRE, CWE-252] - Unchecked Return Value
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/252[CWE-252 - Unchecked Return Value]
 * https://man7.org/linux/man-pages/man2/chdir.2.html[man7.org] - chdir
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6069/cfamily/rule.adoc b/rules/S6069/cfamily/rule.adoc
index 6cd19b9519..f1c1734549 100644
--- a/rules/S6069/cfamily/rule.adoc
+++ b/rules/S6069/cfamily/rule.adoc
@@ -49,10 +49,10 @@ sprintf(buf, "%s", message);{code}
 == See
-* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
-* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
-* https://cwe.mitre.org/data/definitions/676[MITRE, CWE-676] - Use of Potentially Dangerous Function
-* https://cwe.mitre.org/data/definitions/119[MITRE, CWE-119] - Improper Restriction of Operations within the Bounds of a Memory Buffer
+* OWASP - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[Top 10 2021 Category A6 - Vulnerable and Outdated Components]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
+* CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
+* CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6096/common/resources/standards.adoc b/rules/S6096/common/resources/standards.adoc
index f8aad022fd..2ae72b4f8d 100644
--- a/rules/S6096/common/resources/standards.adoc
+++ b/rules/S6096/common/resources/standards.adoc
@@ -1,8 +1,8 @@
 === Standards
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/22[MITRE, CWE-22] - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
diff --git a/rules/S6105/common/resources/standards.adoc b/rules/S6105/common/resources/standards.adoc
index f903208423..0e28ee0f96 100644
--- a/rules/S6105/common/resources/standards.adoc
+++ b/rules/S6105/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/601[MITRE, CWE-601] - URL Redirection to Untrusted Site ('Open Redirect')
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/601[CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')]
diff --git a/rules/S6108/javascript/rule.adoc b/rules/S6108/javascript/rule.adoc
index 83a3c40d6f..6b3ef8017d 100644
--- a/rules/S6108/javascript/rule.adoc
+++ b/rules/S6108/javascript/rule.adoc
@@ -109,5 +109,5 @@ function for_set(target, path, value) {
 == See
 * https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf[Prototype pollution attack in NodeJS application - Olivier Arteau]
-* https://cwe.mitre.org/data/definitions/1321[MITRE, CWE-1321] - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
+* CWE - https://cwe.mitre.org/data/definitions/1321[CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')]
diff --git a/rules/S6109/javascript/rule.adoc b/rules/S6109/javascript/rule.adoc
index ce5a6fb9c4..d0e7ecb2d5 100644
--- a/rules/S6109/javascript/rule.adoc
+++ b/rules/S6109/javascript/rule.adoc
@@ -107,5 +107,5 @@ for_set(req.query.path, req.query.val); // Compliant
 == Resources
 * https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf[Prototype pollution attack in NodeJS application - Olivier Arteau]
-* https://cwe.mitre.org/data/definitions/1321[MITRE, CWE-1321] - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
+* CWE - https://cwe.mitre.org/data/definitions/1321[CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')]
diff --git a/rules/S6173/common/resources/standards.adoc b/rules/S6173/common/resources/standards.adoc
index 884c95a914..cdaedc45fb 100644
--- a/rules/S6173/common/resources/standards.adoc
+++ b/rules/S6173/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/470[MITRE, CWE-470] - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/470[CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')]
diff --git a/rules/S6183/cfamily/rule.adoc b/rules/S6183/cfamily/rule.adoc
index ceefef6303..8cbe4951e0 100644
--- a/rules/S6183/cfamily/rule.adoc
+++ b/rules/S6183/cfamily/rule.adoc
@@ -175,7 +175,7 @@ void foo() {
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules[INT02-C. Understand integer conversion rules]
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data[INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data]
-* CWE - https://cwe.mitre.org/data/definitions/195.html[195 Signed to Unsigned Conversion Error]
+* CWE - https://cwe.mitre.org/data/definitions/195[CWE-195 Signed to Unsigned Conversion Error]
 === Related rules
diff --git a/rules/S6245/see.adoc b/rules/S6245/see.adoc
index 985907e9d7..54f581d5d1 100644
--- a/rules/S6245/see.adoc
+++ b/rules/S6245/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html[AWS documentation] - Protecting data using server-side encryption
diff --git a/rules/S6249/see.adoc b/rules/S6249/see.adoc
index 1424bc1ecf..a95d413996 100644
--- a/rules/S6249/see.adoc
+++ b/rules/S6249/see.adoc
@@ -1,9 +1,9 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#transit[AWS documentation] - Enforce encryption of data in transit
 * https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5[AWS Foundational Security Best Practices controls] - S3 buckets should require requests to use Secure Socket Layer
-* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
\ No newline at end of file
diff --git a/rules/S6252/see.adoc b/rules/S6252/see.adoc
index 4b4e07038a..4461fb059c 100644
--- a/rules/S6252/see.adoc
+++ b/rules/S6252/see.adoc
@@ -1,5 +1,5 @@
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html[AWS documentation] - Using versioning in S3 buckets
diff --git a/rules/S6255/terraform/rule.adoc b/rules/S6255/terraform/rule.adoc
index 6cb74acdda..9d403c2315 100644
--- a/rules/S6255/terraform/rule.adoc
+++ b/rules/S6255/terraform/rule.adoc
@@ -85,10 +85,10 @@ resource "aws_s3_bucket_versioning" "example" {
 == See
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[AWS documentation] - Configuring MFA delete
-* https://cwe.mitre.org/data/definitions/308[MITRE, CWE-308] - Use of Single-factor Authentication
-* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
+* CWE - https://cwe.mitre.org/data/definitions/308[CWE-308 - Use of Single-factor Authentication]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication ]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6258/see.adoc b/rules/S6258/see.adoc
index 9f25c500c3..de072318d5 100644
--- a/rules/S6258/see.adoc
+++ b/rules/S6258/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
+* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html[AWS Documentation] - Logging requests using server access logging
-* https://cwe.mitre.org/data/definitions/778[MITRE, CWE-778] - Insufficient Logging
-* https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[OWASP Top 10 2017 Category A10] - Insufficient Logging & Monitoring
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/778[CWE-778 - Insufficient Logging]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
\ No newline at end of file
diff --git a/rules/S6265/see.adoc b/rules/S6265/see.adoc
index 17454cbc74..8c31e5c52d 100644
--- a/rules/S6265/see.adoc
+++ b/rules/S6265/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl[AWS Documentation] - Access control list (ACL) overview (canned ACLs)
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html[AWS Documentation] - Controlling access to a bucket with user policies
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
diff --git a/rules/S6268/javascript/rule.adoc b/rules/S6268/javascript/rule.adoc
index 1324fd91aa..e55971c4ec 100644
--- a/rules/S6268/javascript/rule.adoc
+++ b/rules/S6268/javascript/rule.adoc
@@ -66,9 +66,9 @@ export class HelloComponent implements OnInit {
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
 * https://angular.io/guide/security[Angular - Best Practices - Security]
diff --git a/rules/S6270/see.adoc b/rules/S6270/see.adoc
index a132b69ed9..333919dfce 100644
--- a/rules/S6270/see.adoc
+++ b/rules/S6270/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege[AWS Documentation] - Grant least privilege
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
\ No newline at end of file
diff --git a/rules/S6275/see.adoc b/rules/S6275/see.adoc
index f043383f94..0aa99b69bc 100644
--- a/rules/S6275/see.adoc
+++ b/rules/S6275/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html[Amazon EBS encryption]
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
\ No newline at end of file
diff --git a/rules/S6281/see.adoc b/rules/S6281/see.adoc
index 866174ac56..47cea005b2 100644
--- a/rules/S6281/see.adoc
+++ b/rules/S6281/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html[AWS Documentation] - Blocking public access to your Amazon S3 storage
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
\ No newline at end of file
diff --git a/rules/S6287/common/resources/standards.adoc b/rules/S6287/common/resources/standards.adoc
index 37755cd8a0..eebe613941 100644
--- a/rules/S6287/common/resources/standards.adoc
+++ b/rules/S6287/common/resources/standards.adoc
@@ -1,6 +1,6 @@
 === Standards
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation
-* https://cwe.mitre.org/data/definitions/384[MITRE, CWE-384] - Session Fixation
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation]
\ No newline at end of file
diff --git a/rules/S6288/see.adoc b/rules/S6288/see.adoc
index 30a0e264d6..463a80c06a 100644
--- a/rules/S6288/see.adoc
+++ b/rules/S6288/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * https://developer.android.com/privacy-and-security/keystore[developer.android.com] - Android keystore system
 * https://developer.android.com/privacy-and-security/keystore#UserAuthentication[developer.android.com] - Require user authentication for key use
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard] - Authentication and Session Management Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication[OWASP Mobile Top 10 2016 Category M4] - Insecure Authentication
-* https://cwe.mitre.org/data/definitions/522[MITRE, CWE-522] - Insufficiently Protected Credentials
\ No newline at end of file
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard - Authentication and Session Management Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication[Mobile Top 10 2016 Category M4 - Insecure Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials]
\ No newline at end of file
diff --git a/rules/S6291/see.adoc b/rules/S6291/see.adoc
index f847e07828..ac20a76e6c 100644
--- a/rules/S6291/see.adoc
+++ b/rules/S6291/see.adoc
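Review bot: In the S6288 hunk the MASVS entry's link target and label disagree: the URL points at the `0x07-v2-data_storage_and_privacy_requirements` chapter while the new label reads `Mobile AppSec Verification Standard - Authentication and Session Management Requirements`, and the commit rewrites the label without reconciling the two. The S6293 hunk later in this diff links the authentication chapter as `0x09-v4-authentication_and_session_management_requirements`, so either the URL here should point there or the label should say `Data Storage and Privacy Requirements`, depending on which requirement S6288 is meant to reference. The same target/label mismatch is carried over in the S6317 hunk further down: `* CWE - https://cwe.mitre.org/data/definitions/284[CWE-269 - Improper Privilege Management]` links definitions/284, which other hunks on this page label as CWE-284 Improper Access Control, while naming CWE-269; that line should read `* CWE - https://cwe.mitre.org/data/definitions/269[CWE-269 - Improper Privilege Management]`.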
@@ -1,10 +1,10 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard] - Data Storage and Privacy Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[OWASP Mobile Top 10 2016 Category M2] - Insecure Data Storage
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6293/see.adoc b/rules/S6293/see.adoc
index bf6ff33ef1..4628f07d49 100644
--- a/rules/S6293/see.adoc
+++ b/rules/S6293/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * https://developer.android.com/training/sign-in/biometric-auth[developer.android.com] - Use a cryptographic solution that depends on authentication
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication[OWASP Mobile Top 10 Category M4] - Insecure Authentication
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x09-v4-authentication_and_session_management_requirements[OWASP MASVS] - Authentication and Session Management Requirements
-* https://cwe.mitre.org/data/definitions/287[MITRE, CWE-287] - Improper Authentication
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication[Mobile Top 10 2016 Category M4 - Insecure Authentication]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x09-v4-authentication_and_session_management_requirements[Mobile AppSec Verification Standard - Authentication and Session Management Requirements]
+* CWE - https://cwe.mitre.org/data/definitions/287[CWE-287 - Improper Authentication]
\ No newline at end of file
diff --git a/rules/S6299/javascript/rule.adoc b/rules/S6299/javascript/rule.adoc
index d6fcc7bd68..23bd4c0b4c 100644
--- a/rules/S6299/javascript/rule.adoc
+++ b/rules/S6299/javascript/rule.adoc
@@ -83,8 +83,8 @@ When using JSX, putting the content as a child node of the element is safe:
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
 * https://vuejs.org/v2/guide/security.html#Injecting-HTML[Vue.js - Security - Injecting HTML]
diff --git a/rules/S6300/see.adoc b/rules/S6300/see.adoc
index 57de178dda..566e69b13d 100644
--- a/rules/S6300/see.adoc
+++ b/rules/S6300/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard] - Data Storage and Privacy Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[OWASP Mobile Top 10 2016 Category M2] - Insecure Data Storage
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6301/common/resources/standards.adoc b/rules/S6301/common/resources/standards.adoc
index 787382bf55..05a760c1c1 100644
--- a/rules/S6301/common/resources/standards.adoc
+++ b/rules/S6301/common/resources/standards.adoc
@@ -1,10 +1,10 @@
 === Standards
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard] - Data Storage and Privacy Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[OWASP Mobile Top 10 2016 Category M2] - Insecure Data Storage
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
-* https://cwe.mitre.org/data/definitions/321[MITRE, CWE-321] - Use of Hard-coded Cryptographic Key
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* CWE - https://cwe.mitre.org/data/definitions/321[CWE-321 - Use of Hard-coded Cryptographic Key]
\ No newline at end of file
diff --git a/rules/S6302/see.adoc b/rules/S6302/see.adoc
index 97f32c9c81..48cbfafc54 100644
--- a/rules/S6302/see.adoc
+++ b/rules/S6302/see.adoc
@@ -1,8 +1,8 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege[AWS Documentation] - Grant least privilege
 * https://cloud.google.com/iam/docs/understanding-roles[Google Cloud Documentation] - Understanding roles
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
diff --git a/rules/S6303/see.adoc b/rules/S6303/see.adoc
index 05b23ce67c..1256a7452c 100644
--- a/rules/S6303/see.adoc
+++ b/rules/S6303/see.adoc
@@ -1,4 +1,4 @@
 == See
 * https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html[AWS Documentation] - Encrypting Amazon RDS resources
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6304/see.adoc b/rules/S6304/see.adoc
index a132b69ed9..333919dfce 100644
--- a/rules/S6304/see.adoc
+++ b/rules/S6304/see.adoc
@@ -1,7 +1,7 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege[AWS Documentation] - Grant least privilege
-* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
\ No newline at end of file
diff --git a/rules/S6308/elasticsearch_see.adoc b/rules/S6308/elasticsearch_see.adoc
index c0122d8b41..01bcb119c0 100644
--- a/rules/S6308/elasticsearch_see.adoc
+++ b/rules/S6308/elasticsearch_see.adoc
@@ -1,9 +1,9 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html[AWS Documentation] - Encryption of data at rest for Amazon Elasticsearch Service
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6308/opensearch_see.adoc b/rules/S6308/opensearch_see.adoc
index cb9028cf39..458b4a3700 100644
--- a/rules/S6308/opensearch_see.adoc
+++ b/rules/S6308/opensearch_see.adoc
@@ -1,9 +1,9 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html[AWS Documentation] - Encryption of data at rest for Amazon OpenSearch Service
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6317/common/resources/standards.adoc b/rules/S6317/common/resources/standards.adoc
index 38d55ddc67..1c79cb1117 100644
--- a/rules/S6317/common/resources/standards.adoc
+++ b/rules/S6317/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-269] - Improper Privilege Management
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-269 - Improper Privilege Management]
\ No newline at end of file
diff --git a/rules/S6319/see.adoc b/rules/S6319/see.adoc
index 6bdd2b97fa..d09fb20e54 100644
--- a/rules/S6319/see.adoc
+++ b/rules/S6319/see.adoc
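Review bot: The CWE reference on the last added line of this hunk is still internally inconsistent: the URL is `https://cwe.mitre.org/data/definitions/284` while the label reads `CWE-269 - Improper Privilege Management`, a mismatch inherited from the removed `[MITRE, CWE-269]` line that the relabelling preserves. CWE-284 is "Improper Access Control" (the S6321 standards hunk on this same page links it under that title), so a reader following the link lands on a different weakness than the one the text names. For a privilege-management rule the label looks like the intended one, so the URL should follow it: `* CWE - https://cwe.mitre.org/data/definitions/269[CWE-269 - Improper Privilege Management]`. The file also still ends without a trailing newline; adding one keeps the `\ No newline at end of file` marker out of future diffs.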
@@ -1,9 +1,9 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html[Protect Data at Rest Using Encryption]
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6321/common/resources/standards.adoc b/rules/S6321/common/resources/standards.adoc
index 98bb019491..7338271e28 100644
--- a/rules/S6321/common/resources/standards.adoc
+++ b/rules/S6321/common/resources/standards.adoc
@@ -1,5 +1,5 @@
 === Standards
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
diff --git a/rules/S6327/see.adoc b/rules/S6327/see.adoc
index 41af62b45d..c5a64b059c 100644
--- a/rules/S6327/see.adoc
+++ b/rules/S6327/see.adoc
@@ -1,10 +1,10 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html[AWS Documentation] - Encryption at rest
 * https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/[Encrypting messages published to Amazon SNS with AWS KMS]
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6329/see.adoc b/rules/S6329/see.adoc
index 56267b6caa..66781096e8 100644
--- a/rules/S6329/see.adoc
+++ b/rules/S6329/see.adoc
@@ -1,9 +1,9 @@
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html[AWS Documentation] - Amazon EC2 instance IP addressing
 * https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html[AWS Documentation] - Public and private replication instances
 * https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html[AWS Documentation] - VPC Peering
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
diff --git a/rules/S6330/see.adoc b/rules/S6330/see.adoc
index a3df50064a..634f056366 100644
--- a/rules/S6330/see.adoc
+++ b/rules/S6330/see.adoc
@@ -1,9 +1,9 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html[AWS Documentation] - Encryption at rest
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6332/see.adoc b/rules/S6332/see.adoc
index 09b2e62d88..4b3acf499d 100644
--- a/rules/S6332/see.adoc
+++ b/rules/S6332/see.adoc
@@ -1,9 +1,9 @@
 == See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://docs.aws.amazon.com/efs/latest/ug/encryption.html[AWS Documentation] - Data encryption in Amazon EFS
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6333/see.adoc b/rules/S6333/see.adoc
index 835c2a2914..1cf6dd8e5e 100644
--- a/rules/S6333/see.adoc
+++ b/rules/S6333/see.adoc
@@ -1,6 +1,6 @@
 == See
 * https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html[AWS Documentation] - Controlling and managing access to a REST API in API Gateway
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
diff --git a/rules/S6339/php/rule.adoc b/rules/S6339/php/rule.adoc
index aa789e7962..9754a3d683 100644
--- a/rules/S6339/php/rule.adoc
+++ b/rules/S6339/php/rule.adoc
@@ -28,5 +28,5 @@ define('AUTH_SALT', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI
 == Resources
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * https://wordpress.org/support/article/editing-wp-config-php/#security-keys[wordpress.org] - WordPress Security Keys
diff --git a/rules/S6341/php/rule.adoc b/rules/S6341/php/rule.adoc
index 3c74b727e6..489e47af98 100644
--- a/rules/S6341/php/rule.adoc
+++ b/rules/S6341/php/rule.adoc
@@ -40,13 +40,13 @@ define( 'DISALLOW_FILE_EDIT', true );
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://wordpress.org/support/article/editing-wp-config-php/#disable-the-plugin-and-theme-editor[wordpress.org] - Disable the Plugin and Theme Editor
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
-* https://cwe.mitre.org/data/definitions/94[MITRE, CWE-94] - Improper Control of Generation of Code ('Code Injection')
-* https://cwe.mitre.org/data/definitions/95[MITRE, CWE-95] - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP -
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code ('Code Injection')]
+* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
\ No newline at end of file
diff --git a/rules/S6342/php/rule.adoc b/rules/S6342/php/rule.adoc
index dd43ae2445..d633a049e9 100644
--- a/rules/S6342/php/rule.adoc
+++ b/rules/S6342/php/rule.adoc
@@ -36,13 +36,13 @@ define( 'DISALLOW_FILE_MODS', true );
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://wordpress.org/support/article/editing-wp-config-php/#disable-plugin-and-theme-update-and-installation[wordpress.org] - Disable Plugin and Theme Update and Installation
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
-* https://cwe.mitre.org/data/definitions/94[MITRE, CWE-94] - Improper Control of Generation of Code ('Code Injection')
-* https://cwe.mitre.org/data/definitions/95[MITRE, CWE-95] - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP -
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code ('Code Injection')]
+* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
diff --git a/rules/S6343/php/rule.adoc b/rules/S6343/php/rule.adoc
index a50b6d67c7..fed348459a 100644
--- a/rules/S6343/php/rule.adoc
+++ b/rules/S6343/php/rule.adoc
@@ -33,7 +33,7 @@ define( 'AUTOMATIC_UPDATER_DISABLED', false );
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * https://wordpress.org/support/article/editing-wp-config-php/#disable-wordpress-auto-updates[Wordpress.org] - Disable WordPress Auto Updates
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
diff --git a/rules/S6345/php/rule.adoc b/rules/S6345/php/rule.adoc
index d6e88fcd04..ae50ded0c4 100644
--- a/rules/S6345/php/rule.adoc
+++ b/rules/S6345/php/rule.adoc
@@ -35,9 +35,9 @@ define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org' );
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/[OWASP Top 10 2021 Category A10] - Server-Side Request Forgery (SSRF)
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/[Top 10 2021 Category A10 - Server-Side Request Forgery (SSRF)]
 * https://wordpress.org/support/article/editing-wp-config-php/#block-external-url-requestsl[wordpress.org] - Block External URL Requests
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://owasp.org/www-community/attacks/Server_Side_Request_Forgery[OWASP Attack Category] - Server Side Request Forgery
-* https://cwe.mitre.org/data/definitions/918[MITRE, CWE-918] - Server-Side Request Forgery (SSRF)
+* CWE - https://cwe.mitre.org/data/definitions/918[CWE-918 - Server-Side Request Forgery (SSRF)]
diff --git a/rules/S6346/php/rule.adoc b/rules/S6346/php/rule.adoc
index 9d685c45b2..49204baac9 100644
--- a/rules/S6346/php/rule.adoc
+++ b/rules/S6346/php/rule.adoc
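Review bot: The unchanged wordpress.org context line in this hunk carries a typo in its URL fragment, `#block-external-url-requestsl` (trailing `l`), so the link opens the page but will not jump to the "Block External URL Requests" section it names; the commit relabels the lines around it and leaves this one as is. Presumably the anchor should be `#block-external-url-requests`, matching the link text — worth confirming against the live page — i.e. `* https://wordpress.org/support/article/editing-wp-config-php/#block-external-url-requests[wordpress.org] - Block External URL Requests`.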
@@ -30,7 +30,7 @@ define( 'WP_ALLOW_REPAIR', false );
 == See
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * https://wordpress.org/support/article/editing-wp-config-php/#automatic-database-optimizing[wordpress.org] - Automatic Database Optimizing
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
\ No newline at end of file
diff --git a/rules/S6348/php/rule.adoc b/rules/S6348/php/rule.adoc
index c257113ec1..b1627d4055 100644
--- a/rules/S6348/php/rule.adoc
+++ b/rules/S6348/php/rule.adoc
@@ -29,8 +29,8 @@ define( 'DISALLOW_UNFILTERED_HTML', true );
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
\ No newline at end of file
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
\ No newline at end of file
diff --git a/rules/S6350/see.adoc b/rules/S6350/see.adoc
index fd4e96842d..00a3434a09 100644
--- a/rules/S6350/see.adoc
+++ b/rules/S6350/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/88[MITRE, CWE-88] - Argument Injection or Modification
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification]
 * https://blog.sonarsource.com/php-supply-chain-attack-on-composer[CVE-2021-29472] - PHP Supply Chain Attack on Composer
diff --git a/rules/S6358/xml/rule.adoc b/rules/S6358/xml/rule.adoc
index a8ee2fa5af..58b6cab793 100644
--- a/rules/S6358/xml/rule.adoc
+++ b/rules/S6358/xml/rule.adoc
@@ -67,14 +67,14 @@ If targeting Android 6.0 or above (API level 23), define files to include/exclud
 == See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
 * https://developer.android.com/guide/topics/data/autobackup[Back up user data with Auto Backup]
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard] - Data Storage and Privacy Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper platform usage
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[OWASP Mobile Top 10 2016 Category M2] - Insecure Data Storage
-* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/312[MITRE, CWE-922] - Insecure Storage of Sensitive Information
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP -
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/312[CWE-922 - Insecure Storage of Sensitive Information]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6359/xml/rule.adoc b/rules/S6359/xml/rule.adoc
index c8eaa141ba..9648c9565f 100644
--- a/rules/S6359/xml/rule.adoc
+++ b/rules/S6359/xml/rule.adoc
@@ -68,8 +68,8 @@ It is common practice to use the application package name as part of the namespa
 * Mobile AppSec Verification Standard - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
-* MITRE - https://cwe.mitre.org/data/definitions/265[CWE-265 - Privilege Issues]
-* MITRE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* CWE - https://cwe.mitre.org/data/definitions/265[CWE-265 - Privilege Issues]
+* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 === External coding guidelines
diff --git a/rules/S6361/xml/rule.adoc b/rules/S6361/xml/rule.adoc
index 98fb0f9923..d3a1a96669 100644
--- a/rules/S6361/xml/rule.adoc
+++ b/rules/S6361/xml/rule.adoc
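Review bot: In the S6358 hunk the CWE reference is still internally inconsistent: the added line links `https://cwe.mitre.org/data/definitions/312` but labels it `CWE-922 - Insecure Storage of Sensitive Information`, a mismatch inherited from the removed `[MITRE, CWE-922]` line that the relabelling keeps intact. "Insecure Storage of Sensitive Information" is the CWE-922 title, so the URL should follow the label: `* CWE - https://cwe.mitre.org/data/definitions/922[CWE-922 - Insecure Storage of Sensitive Information]`; if CWE-312 was actually the intended mapping, then the label is what needs to change, not the URL. Either way the identifier in the URL and in the link text must agree, since this list is what ties the rule to the standard in generated reports. The hunk's enclosing section starts before the visible lines.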
@@ -53,10 +53,10 @@ There is a risk if you answered yes to this question.
 == See
 * https://developer.android.com/guide/topics/providers/content-provider-creating#Permissions[developer.android.com] - Implementing content provider permissions
-* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper platform usage
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization[OWASP Mobile Top 10 2016 Category M6] - Insecure Authorization
-* https://cwe.mitre.org/data/definitions/1220[MITRE, CWE-1220] - Insufficient Granularity of Access Control
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization[Mobile Top 10 2016 Category M6 - Insecure Authorization]
+* CWE - https://cwe.mitre.org/data/definitions/1220[CWE-1220 - Insufficient Granularity of Access Control]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6362/see.adoc b/rules/S6362/see.adoc
index bc38738028..53c7c2eb15 100644
--- a/rules/S6362/see.adoc
+++ b/rules/S6362/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
diff --git a/rules/S6363/see.adoc b/rules/S6363/see.adoc
index bc38738028..53c7c2eb15 100644
--- a/rules/S6363/see.adoc
+++ b/rules/S6363/see.adoc
@@ -1,6 +1,6 @@
 == See
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
diff --git a/rules/S6374/java/rule.adoc b/rules/S6374/java/rule.adoc
index bc4090659e..5b971f9f5b 100644
--- a/rules/S6374/java/rule.adoc
+++ b/rules/S6374/java/rule.adoc
@@ -86,10 +86,10 @@ builder.setEntityResolver(new EntityResolver());
 == Resources
 * https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
-* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
+* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
-* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
-* https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition
+* CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Information Exposure Through XML External Entity Reference]
+* CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6375/terraform/rule.adoc b/rules/S6375/terraform/rule.adoc
index a03be8ca6c..406b0b2c67 100644
--- a/rules/S6375/terraform/rule.adoc
+++ b/rules/S6375/terraform/rule.adoc
@@ -60,10 +60,10 @@ resource "azuread_directory_role_member" "example" {
== See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-266] - Incorrect Privilege Assignment
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-266 - Incorrect Privilege Assignment]
* https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference[Azure AD Documentation] - Azure AD built-in roles
* https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices[Azure AD Documentation] - Best practices for Azure AD roles
diff --git a/rules/S6376/java/rule.adoc b/rules/S6376/java/rule.adoc
index a7ecbe9e24..6ace43e673 100644
--- a/rules/S6376/java/rule.adoc
+++ b/rules/S6376/java/rule.adoc
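Review bot: The CWE reference on the new side of the S6375 hunk still links to `https://cwe.mitre.org/data/definitions/79`, which is the Cross-site Scripting entry (the same URL is labelled CWE-79 at the top of this page), while its label reads `CWE-266 - Incorrect Privilege Assignment`; the rewrite only changed the label format and carried the wrong identifier over from the removed line. Since the S6385 and S6387 hunks in this same commit write the reference correctly, this line should read `* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]`. As it stands, a reader following the link from an Azure AD role-assignment rule lands on an unrelated weakness class.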
@@ -37,8 +37,8 @@ include::how-to-fix-it/jdom2.adoc[] === Standards -* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5 - Security Misconfiguration] -* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4 - XML External Entities (XXE)] +* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)] * CWE - https://cwe.mitre.org/data/definitions/776[CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')] ifdef::env-github,rspecator-view[] diff --git a/rules/S6377/java/rule.adoc b/rules/S6377/java/rule.adoc index 10f824f81f..1e4dabf65f 100644 --- a/rules/S6377/java/rule.adoc +++ b/rules/S6377/java/rule.adoc @@ -67,7 +67,7 @@ These restrictions can protect you from XML Signatures that may contain potentia === Standards * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10:2021 A02:2021 - Cryptographic Failures] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 -Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * CWE - https://cwe.mitre.org/data/definitions/347[CWE-347 - Improper Verification of Cryptographic Signature] diff --git a/rules/S6378/see.adoc b/rules/S6378/see.adoc index 0897fb72e5..924f11ea84 100644 --- a/rules/S6378/see.adoc +++ b/rules/S6378/see.adoc 
@@ -1,7 +1,7 @@ == See -* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A05] - Security Misconfiguration -* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A06] - Security Misconfiguration +* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5- Security Misconfiguration] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview[Azure AD Documentation - Managed Identities Overview] * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations[Azure AD Documentation - Managed Identities Best Practices] * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities[Azure AD Documentation - Services that support managed identities] diff --git a/rules/S6379/see.adoc b/rules/S6379/see.adoc index 047d248058..db23e908b0 100644 --- a/rules/S6379/see.adoc +++ b/rules/S6379/see.adoc @@ -1,3 +1,3 @@ == See -* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] diff --git a/rules/S6380/see.adoc b/rules/S6380/see.adoc index 73fdba8c44..a72b3234e7 100644 --- a/rules/S6380/see.adoc +++ b/rules/S6380/see.adoc 
@@ -1,5 +1,5 @@ == See -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Boken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere] diff --git a/rules/S6381/see.adoc b/rules/S6381/see.adoc index bab2ea3c8b..20c60188d4 100644 --- a/rules/S6381/see.adoc +++ b/rules/S6381/see.adoc 
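Review bot: The added OWASP line in the S6380 hunk keeps the typo `Boken Access Control` from the removed line, so the reformat reproduces a misspelled category name in the rendered rule page. The label should be `Top 10 2021 Category A1 - Broken Access Control`, matching the correctly spelled 2017 entry directly below it. The same misspelling is visible in the S6382, S6383, S6404, S6406, S6408 and S6409 hunks further down this diff, so it is worth fixing in one pass.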
@@ -1,8 +1,8 @@
== See
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
-* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html[OWASP Top 10 2017 Category A5] - Broken Access Control
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-266] - Incorrect Privilege Assignment
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-266 - Incorrect Privilege Assignment]
* https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles[Azure Documentation] - Azure built-in roles
* https://docs.microsoft.com/en-us/azure/role-based-access-control/best-practices[Azure Documentation] - Best practices for Azure RBAC
\ No newline at end of file
diff --git a/rules/S6382/common/resources/standards.adoc b/rules/S6382/common/resources/standards.adoc
index c6af0d9503..02cd9a9424 100644
--- a/rules/S6382/common/resources/standards.adoc
+++ b/rules/S6382/common/resources/standards.adoc
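Review bot: The new CWE line in the S6381 hunk has the same URL/label mismatch as S6375: it links to `https://cwe.mitre.org/data/definitions/79` (the CWE-79 Cross-site Scripting entry seen earlier on this page) but is labelled `CWE-266 - Incorrect Privilege Assignment`. The S6385 and S6387 hunks below use `/266` for this exact reference, so this line should be `* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]`. Because the commit rewrote every reference line anyway, this is the natural moment to correct the identifier rather than preserve the wrong one.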
@@ -1,3 +1,3 @@ -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere \ No newline at end of file +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Boken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere] \ No newline at end of file diff --git a/rules/S6383/see.adoc b/rules/S6383/see.adoc index f916ce3814..eca87e68c1 100644 --- a/rules/S6383/see.adoc +++ b/rules/S6383/see.adoc @@ -1,6 +1,6 @@ == See -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Boken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere] diff --git a/rules/S6384/common/resources/standards.adoc b/rules/S6384/common/resources/standards.adoc index b9c6aade53..1089a1dcfc 100644 --- a/rules/S6384/common/resources/standards.adoc +++ b/rules/S6384/common/resources/standards.adoc 
@@ -1,5 +1,5 @@ === Standards -* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements -* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper Platform Usage -* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation \ No newline at end of file +* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] \ No newline at end of file diff --git a/rules/S6385/see.adoc b/rules/S6385/see.adoc index 5b9e2de7b5..2b53fc0b85 100644 --- a/rules/S6385/see.adoc +++ b/rules/S6385/see.adoc @@ -9,5 +9,5 @@ * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] -* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html[Top 10 2017 Category A5 - Broken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment] \ No newline at end of file diff --git a/rules/S6387/see.adoc b/rules/S6387/see.adoc index 217c693e87..bd9200936e 100644 --- a/rules/S6387/see.adoc +++ b/rules/S6387/see.adoc 
@@ -1,8 +1,8 @@ == See -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control -* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] +* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment] * https://docs.microsoft.com/en-us/azure/role-based-access-control/scope-overview[Azure Documentation] - Understand scope for Azure RBAC * https://docs.microsoft.com/en-us/azure/role-based-access-control/best-practices[Azure Documentation] - Best practices for Azure RBAC \ No newline at end of file diff --git a/rules/S6388/see.adoc b/rules/S6388/see.adoc index 04be82e838..f5820c5a7d 100644 --- a/rules/S6388/see.adoc +++ b/rules/S6388/see.adoc 
@@ -1,12 +1,12 @@ == See -* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures -* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design -* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] +* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] * https://docs.aws.amazon.com/efs/latest/ug/encryption.html[Data encryption in Amazon EFS] -* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure -* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration -* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] * https://learn.microsoft.com/en-us/azure/backup/backup-encryption[Encryption in Azure Backup] * https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-security[Security in Azure Database for MySQL] * https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-security[Security in Azure Database for PostgreSQL] 
diff --git a/rules/S6389/text/rule.adoc b/rules/S6389/text/rule.adoc index d8439d4c19..7db6274db8 100644 --- a/rules/S6389/text/rule.adoc +++ b/rules/S6389/text/rule.adoc @@ -63,7 +63,7 @@ def subtract_funds(account: str, amount: int): * https://en.wikipedia.org/wiki/Bidirectional_text[Wikipedia] - Bidirectional Text * https://www.trojansource.codes/trojan-source.pdf[Trojan Source Report] * https://www.trojansource.codes/trojan-source.pdf#page=15[Trojan Source Report] - IDEs revealing hidden characters -* https://cwe.mitre.org/data/definitions/94[MITRE, CWE-94] - Improper Control of Generation of Code ('Code Injection') +* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code ('Code Injection')] ifdef::env-github,rspecator-view[] diff --git a/rules/S6390/common/resources/standards.adoc b/rules/S6390/common/resources/standards.adoc index 2321160186..355aa7a6c9 100644 --- a/rules/S6390/common/resources/standards.adoc +++ b/rules/S6390/common/resources/standards.adoc @@ -1,5 +1,5 @@ === Standards -* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection -* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection -* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption] diff --git a/rules/S6398/common/resources/standards.adoc b/rules/S6398/common/resources/standards.adoc index feb7240874..17c9ee19d5 100644 --- a/rules/S6398/common/resources/standards.adoc +++ b/rules/S6398/common/resources/standards.adoc 
@@ -1,6 +1,6 @@ === Standards -* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection -* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection -* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation -* https://cwe.mitre.org/data/definitions/76[MITRE, CWE-76] - Improper Neutralization of Equivalent Special Elements \ No newline at end of file +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/76[CWE-76 - Improper Neutralization of Equivalent Special Elements] \ No newline at end of file diff --git a/rules/S6399/common/resources/standards.adoc b/rules/S6399/common/resources/standards.adoc index 472024e653..e3be73f57c 100644 --- a/rules/S6399/common/resources/standards.adoc +++ b/rules/S6399/common/resources/standards.adoc @@ -1,6 +1,6 @@ === Standards -* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection -* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection -* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation -* https://cwe.mitre.org/data/definitions/91[MITRE, CWE-91] - XML Injection (aka Blind XPath Injection) \ No newline at end of file +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)] \ No newline at end of file 
diff --git a/rules/S6400/terraform/rule.adoc b/rules/S6400/terraform/rule.adoc index d05b7caf5b..373d701132 100644 --- a/rules/S6400/terraform/rule.adoc +++ b/rules/S6400/terraform/rule.adoc @@ -123,9 +123,9 @@ resource "google_cloud_run_service_iam_member" "example" { == See -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] ifdef::env-github,rspecator-view[] diff --git a/rules/S6401/terraform/rule.adoc b/rules/S6401/terraform/rule.adoc index e3be715cdb..f864387934 100644 --- a/rules/S6401/terraform/rule.adoc +++ b/rules/S6401/terraform/rule.adoc @@ -35,8 +35,8 @@ resource "google_kms_crypto_key" "compliant-key" { == See -* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures -* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * https://cloud.google.com/kms/docs/key-rotation[GCP Documentation] - KMS Key rotation diff --git a/rules/S6402/terraform/rule.adoc b/rules/S6402/terraform/rule.adoc index dc40b13cac..6b3ec08eaf 100644 
--- a/rules/S6402/terraform/rule.adoc +++ b/rules/S6402/terraform/rule.adoc @@ -55,11 +55,11 @@ resource "google_dns_managed_zone" "example" { == See -* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures -* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration +* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * https://cloud.google.com/dns/docs/dnssec-config[GCP Documentation] - Manage DNSSEC configuration -* https://cwe.mitre.org/data/definitions/345[MITRE, CWE-345] - Insufficient Verification of Data Authenticity -* https://cwe.mitre.org/data/definitions/353[MITRE, CWE-353] - Missing Support for Integrity Check +* CWE - https://cwe.mitre.org/data/definitions/345[CWE-345 - Insufficient Verification of Data Authenticity] +* CWE - https://cwe.mitre.org/data/definitions/353[CWE-353 - Missing Support for Integrity Check] ifdef::env-github,rspecator-view[] diff --git a/rules/S6403/terraform/rule.adoc b/rules/S6403/terraform/rule.adoc index 92941eb47f..5f72a64bce 100644 --- a/rules/S6403/terraform/rule.adoc +++ b/rules/S6403/terraform/rule.adoc 
@@ -60,10 +60,10 @@ resource "google_sql_database_instance" "example" {
== See
-* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
-* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
-* https://cwe.mitre.org/data/definitions/311[MITRE, CWE-311] - Missing Encryption of Sensitive Data
-* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* CWE - https://cwe.mitre.org/data/definitions/79[CWE-319 - Cleartext Transmission of Sensitive Information]
* https://cloud.google.com/sql/docs/mysql/authorize-ssl[GCP Documentation] - Cloud SQL: Authorizing with SSL/TLS certificates
diff --git a/rules/S6404/terraform/rule.adoc b/rules/S6404/terraform/rule.adoc
index 51a0583d45..0b45f09ea4 100644
--- a/rules/S6404/terraform/rule.adoc
+++ b/rules/S6404/terraform/rule.adoc
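Review bot: The last added CWE line in the S6403 hunk links to `https://cwe.mitre.org/data/definitions/79` while its label says `CWE-319 - Cleartext Transmission of Sensitive Information`; the removed line had the same wrong URL and the rewrite preserved it. The S6407 hunk a few files down uses `https://cwe.mitre.org/data/definitions/319` for this reference, so this line should read `* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]`. For a Cloud SQL TLS rule, pointing readers at the XSS weakness entry undermines the reference list's value.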
@@ -119,9 +119,9 @@ resource "google_container_cluster" "example" { == See -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Boken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere] ifdef::env-github,rspecator-view[] diff --git a/rules/S6405/terraform/rule.adoc b/rules/S6405/terraform/rule.adoc index 8d52481998..4e05322509 100644 --- a/rules/S6405/terraform/rule.adoc +++ b/rules/S6405/terraform/rule.adoc 
@@ -62,11 +62,11 @@ resource "google_compute_instance" "example" { == See -* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures -* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication.html[OWASP Top 10 2017 Category A2] - Broken Authentication -* https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment -* https://cwe.mitre.org/data/definitions/269[MITRE, CWE-269] - Improper Privilege Management -* https://cwe.mitre.org/data/definitions/272[MITRE, CWE-272] - Least Privilege Violation +* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication] +* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment] +* CWE - https://cwe.mitre.org/data/definitions/269[CWE-269 - Improper Privilege Management] +* CWE - https://cwe.mitre.org/data/definitions/272[CWE-272 - Least Privilege Violation] * https://cloud.google.com/compute/docs/connect/restrict-ssh-keys#remove-metadata-key[GCP Documentation] - Restrict SSH keys from VMs * https://cloud.google.com/compute/docs/instances/access-overview#risks[GCP Documentation] - Risks of manual key management diff --git a/rules/S6406/terraform/rule.adoc b/rules/S6406/terraform/rule.adoc index 6998a59403..03961e2357 100644 --- a/rules/S6406/terraform/rule.adoc +++ b/rules/S6406/terraform/rule.adoc 
@@ -106,9 +106,9 @@ resource "google_project_iam_custom_role" "example" { * https://cloud.google.com/iam/docs/recommender-overview[GCP Docs] - Enforce least privilege with role recommendations * https://cloud.google.com/iam/docs/manage-policy-insights[GCP Docs] - Security Insights -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Boken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere] ifdef::env-github,rspecator-view[] diff --git a/rules/S6407/terraform/rule.adoc b/rules/S6407/terraform/rule.adoc index eede8d92ee..cbf06c18f0 100644 --- a/rules/S6407/terraform/rule.adoc +++ b/rules/S6407/terraform/rule.adoc 
@@ -63,11 +63,11 @@ resource "google_app_engine_standard_app_version" "example" { == See -* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures -* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure -* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration -* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor -* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor] +* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information] * https://cloud.google.com/appengine/docs/standard/nodejs/application-security[GCP Documentation] - Overview of App Security diff --git a/rules/S6408/terraform/rule.adoc b/rules/S6408/terraform/rule.adoc index f8785be813..c99236d0a6 100644 --- a/rules/S6408/terraform/rule.adoc +++ b/rules/S6408/terraform/rule.adoc 
@@ -147,9 +147,9 @@ resource "google_project_iam_custom_role" "example" { * https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/[Rhino Security Labs] - Privilege Escalation in Google Cloud Platform - Part 2 (Non-IAM) * https://www.praetorian.com/blog/google-cloud-platform-gcp-service-account-based-privilege-escalation-paths/[Praetorian] - Google Cloud Platform (GCP) Service Account-based Privilege Escalation paths * https://cloud.google.com/iam/docs/manage-policy-insights[GCP Docs] - Security Insights -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Boken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere] ifdef::env-github,rspecator-view[] diff --git a/rules/S6409/terraform/rule.adoc b/rules/S6409/terraform/rule.adoc index f210a4f8ad..8d17db4ba7 100644 --- a/rules/S6409/terraform/rule.adoc +++ b/rules/S6409/terraform/rule.adoc 
@@ -38,9 +38,9 @@ resource "google_container_cluster" "example" { == See -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Boken Access Control -* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Boken Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Boken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere] * https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled[Google Cloud Documentation] - Hardening your cluster's security ifdef::env-github,rspecator-view[] diff --git a/rules/S6410/terraform/rule.adoc b/rules/S6410/terraform/rule.adoc index 10b7f7d4f5..4fa5cb0181 100644 --- a/rules/S6410/terraform/rule.adoc +++ b/rules/S6410/terraform/rule.adoc @@ -62,7 +62,7 @@ If the ``++MODERN++`` or ``++COMPATIBLE++`` profiles must be used so that older * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] -* MITRE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm] +* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm] === External coding guidelines 
diff --git a/rules/S6412/terraform/rule.adoc b/rules/S6412/terraform/rule.adoc index 0acbd6e8bd..6ef1792a2b 100644 --- a/rules/S6412/terraform/rule.adoc +++ b/rules/S6412/terraform/rule.adoc @@ -43,9 +43,9 @@ resource "google_storage_bucket" "example" { == See -* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration +* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] * https://cloud.google.com/storage/docs/object-versioning?hl=en[GCP documentation] - Object Versioning -* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] ifdef::env-github,rspecator-view[] diff --git a/rules/S6414/terraform/rule.adoc b/rules/S6414/terraform/rule.adoc index 7fd405da3e..b126ab5837 100644 --- a/rules/S6414/terraform/rule.adoc +++ b/rules/S6414/terraform/rule.adoc @@ -46,8 +46,8 @@ resource "google_project_iam_audit_config" "example" { == See -* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures -* https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring.html[OWASP Top 10 2017 Category A10] - Insufficient Logging & Monitoring +* OWASP - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[Top 10 2021 Category A9 - Security Logging and Monitoring Failures ] +* OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring] * https://cloud.google.com/logging/docs/audit[GCP Documentation] - Cloud Audit Logs overview 
diff --git a/rules/S6418/java/rule.adoc b/rules/S6418/java/rule.adoc index dd84cda13e..297e322219 100644 --- a/rules/S6418/java/rule.adoc +++ b/rules/S6418/java/rule.adoc @@ -75,9 +75,9 @@ public static void doSomething(SecretClient secretClient, String secretName) { == See -* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures -* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication -* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials +* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication] +* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials] * https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information ifdef::env-github,rspecator-view[] diff --git a/rules/S6428/kubernetes/rule.adoc b/rules/S6428/kubernetes/rule.adoc index d46bca1fc9..880324a710 100644 --- a/rules/S6428/kubernetes/rule.adoc +++ b/rules/S6428/kubernetes/rule.adoc @@ -62,7 +62,7 @@ spec: == See -* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-284] - Improper Access Control +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] ifdef::env-github,rspecator-view[] diff --git a/rules/S6429/kubernetes/rule.adoc b/rules/S6429/kubernetes/rule.adoc index 7bb04cd71c..c3169c5e90 100644 --- a/rules/S6429/kubernetes/rule.adoc +++ b/rules/S6429/kubernetes/rule.adoc 
@@ -55,7 +55,7 @@ spec: * https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes * https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option[Docker Documention] - Daemon socket option -* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-284] - Improper Access Control +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] ifdef::env-github,rspecator-view[] diff --git a/rules/S6430/kubernetes/rule.adoc b/rules/S6430/kubernetes/rule.adoc index b46a8cc373..fda2519b01 100644 --- a/rules/S6430/kubernetes/rule.adoc +++ b/rules/S6430/kubernetes/rule.adoc @@ -67,7 +67,7 @@ spec: == See -* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-284] - Improper Access Control +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] * https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt[Linux Kernel Archives, no_new_privs] - Official docs ifdef::env-github,rspecator-view[] diff --git a/rules/S6431/docker/rule.adoc b/rules/S6431/docker/rule.adoc index c259f9d067..e1e09b8a57 100644 --- a/rules/S6431/docker/rule.adoc +++ b/rules/S6431/docker/rule.adoc @@ -41,7 +41,7 @@ RUN --network=none wget -O /home/sessions http://127.0.0.1:9000/sessions == See * https://docs.docker.com/build/buildkit/dockerfile-frontend/[Dockerfile reference] - Custom Dockerfile syntax * https://docs.docker.com/engine/reference/builder/#run---network[Dockerfile reference] - RUN --network -* https://cwe.mitre.org/data/definitions/653.html[MITRE, CWE-653] - Improper Isolation or Compartmentalization +* CWE - https://cwe.mitre.org/data/definitions/653[CWE-653 - Improper Isolation or Compartmentalization] ifdef::env-github,rspecator-view[] diff --git a/rules/S6431/kubernetes/rule.adoc b/rules/S6431/kubernetes/rule.adoc index ebdb840961..685fe11d3b 100644 --- a/rules/S6431/kubernetes/rule.adoc +++ b/rules/S6431/kubernetes/rule.adoc 
@@ -74,7 +74,7 @@ spec: == See -* https://cwe.mitre.org/data/definitions/653.html[MITRE, CWE-653] - Improper Isolation or Compartmentalization +* CWE - https://cwe.mitre.org/data/definitions/653[CWE-653 - Improper Isolation or Compartmentalization] ifdef::env-github,rspecator-view[] diff --git a/rules/S6432/common/resources/standards.adoc b/rules/S6432/common/resources/standards.adoc index 8a9e51ebac..fd38755ab7 100644 --- a/rules/S6432/common/resources/standards.adoc +++ b/rules/S6432/common/resources/standards.adoc 
@@ -1,10 +1,10 @@ === Standards -* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures -* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure -* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements -* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography -* https://cwe.mitre.org/data/definitions/323[MITRE, CWE-323] - Reusing a Nonce, Key Pair in Encryption +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard - Cryptography Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/323[CWE-323 - Reusing a Nonce, Key Pair in Encryption] * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf[NIST, SP-800-38C] - Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf[NIST, SP-800-38D] - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC 
diff --git a/rules/S6433/kubernetes/rule.adoc b/rules/S6433/kubernetes/rule.adoc index d4754195db..75369c7b24 100644 --- a/rules/S6433/kubernetes/rule.adoc +++ b/rules/S6433/kubernetes/rule.adoc @@ -64,7 +64,7 @@ spec: == See * https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[Kubernetes Documentation] - Volumes -* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-668 - Exposure of Resource to Wrong Sphere] ifdef::env-github,rspecator-view[] diff --git a/rules/S6437/common/resources/standards.adoc b/rules/S6437/common/resources/standards.adoc index 63b583867d..07ac2b3526 100644 --- a/rules/S6437/common/resources/standards.adoc +++ b/rules/S6437/common/resources/standards.adoc @@ -1,6 +1,6 @@ === Standards * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 - Category A7 - Identification and Authentication Failures] -* OWASP - https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[Top 10 2017 - Category A2 - Broken Authentication] -* CWE - https://cwe.mitre.org/data/definitions/798.html[CWE-798 - Use of Hard-coded Credentials] -* CWE - https://cwe.mitre.org/data/definitions/259.html[CWE-259 - Use of Hard-coded Password] \ No newline at end of file +* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 - Category A2 - Broken Authentication] +* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials] +* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password] \ No newline at end of file diff --git a/rules/S6437/docker/rule.adoc b/rules/S6437/docker/rule.adoc index 1a827e746f..018d501477 100644 --- a/rules/S6437/docker/rule.adoc +++ b/rules/S6437/docker/rule.adoc 
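Review bot: The S6433 hunk reformats the CWE entry but keeps its label/URL mismatch: the text names CWE-668 (Exposure of Resource to Wrong Sphere) while the link still targets `definitions/284`, which is Improper Access Control, so a reader following the reference lands on the wrong weakness; since the rule's own context line is about hostPath volumes, the URL is the part to correct, `* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]`. The same carried-over mismatch appears in the S6474 hunk, where the CWE-345 label (Insufficient Verification of Data Authenticity) sits on a `definitions/384` URL (Session Fixation) and should read `definitions/345`, and in the S6785 hunk, where the title and `definitions/770` URL belong to CWE-770 (Allocation of Resources Without Limits or Throttling) but the label says `CWE-707`, so there the label should become `CWE-770`. A bulk rewrite like this one is the moment to check each CWE number against its URL, because a wrong identifier in a security rule's references is not caught by rendering.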
@@ -109,8 +109,8 @@ include::../common/resources/documentation.adoc[] === Standards -* CWE - https://cwe.mitre.org/data/definitions/522.html[CWE-522 - Insufficiently Protected Credentials] -* CWE - https://cwe.mitre.org/data/definitions/798.html[CWE-798 - Use of Hard-coded Credentials] +* CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials] +* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials] ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S6444/see.adoc b/rules/S6444/see.adoc index 5bc7dfdc2c..060cb30dc3 100644 --- a/rules/S6444/see.adoc +++ b/rules/S6444/see.adoc 
@@ -1,11 +1,11 @@ == See -* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection -* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption -* https://cwe.mitre.org/data/definitions/1333[MITRE, CWE-1333] - Inefficient Regular Expression Complexity +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption] +* CWE - https://cwe.mitre.org/data/definitions/1333[CWE-1333 - Inefficient Regular Expression Complexity] * https://www.regular-expressions.info/catastrophic.html[regular-expressions.info] - Runaway Regular Expressions: Catastrophic Backtracking * https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS[owasp.org] - Regular expression Denial of Service - ReDoS -* https://cwe.mitre.org/data/definitions/1333[MITRE, CWE-1333] - Inefficient Regular Expression Complexity +* CWE - https://cwe.mitre.org/data/definitions/1333[CWE-1333 - Inefficient Regular Expression Complexity] * https://docs.microsoft.com/dotnet/standard/base-types/best-practices[docs.microsoft.com] - Best practices for regular expressions in .NET * https://docs.microsoft.com/dotnet/standard/base-types/backtracking-in-regular-expressions[docs.microsoft.com] - Backtracking in Regular Expressions * https://devblogs.microsoft.com/dotnet/regular-expression-improvements-in-dotnet-7/#backtracking-and-regexoptions-nonbacktracking[devblogs.microsoft.com] - Regular Expression Improvements in .NET 7: Backtracking (and RegexOptions.NonBacktracking) diff --git a/rules/S6463/python/rule.adoc b/rules/S6463/python/rule.adoc index e6489818d5..e37a89dfd9 100644 --- a/rules/S6463/python/rule.adoc +++ b/rules/S6463/python/rule.adoc 
@@ -64,10 +64,10 @@ sg.add_egress_rule( == See -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] * https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html[AWS Documentation] - Control traffic to resources using security groups -* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control -* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] ifdef::env-github,rspecator-view[] diff --git a/rules/S6470/docker/rule.adoc b/rules/S6470/docker/rule.adoc index 2be0a76298..24f926007b 100644 --- a/rules/S6470/docker/rule.adoc +++ b/rules/S6470/docker/rule.adoc @@ -72,8 +72,8 @@ CMD /run.sh * https://docs.docker.com/engine/reference/builder/#copy[Dockerfile reference] - COPY directive * https://docs.docker.com/engine/reference/builder/#add[Dockerfile reference] - ADD directive -* https://cwe.mitre.org/data/definitions/668.html[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere -* https://cwe.mitre.org/data/definitions/497.html[MITRE, CWE-497] - Exposure of Sensitive System Information to an Unauthorized Control Sphere +* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere] +* CWE - https://cwe.mitre.org/data/definitions/497[CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere] ifdef::env-github,rspecator-view[] diff --git a/rules/S6471/docker/rule.adoc b/rules/S6471/docker/rule.adoc index ae4a176aca..4f4892351e 100644 --- a/rules/S6471/docker/rule.adoc +++ b/rules/S6471/docker/rule.adoc 
@@ -143,7 +143,7 @@ ENTRYPOINT ["/app/production_binary"] == See -* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-284] - Improper Access Control +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] * https://hub.docker.com/r/nginxinc/nginx-unprivileged[nginxinc/nginx-unprivileged: Example of a non-root container by default] * https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts[Microsoft docs, When to use ContainerAdmin and ContainerUser user accounts] diff --git a/rules/S6472/docker/rule.adoc b/rules/S6472/docker/rule.adoc index c84e76d0b1..19c9731383 100644 --- a/rules/S6472/docker/rule.adoc +++ b/rules/S6472/docker/rule.adoc @@ -94,7 +94,7 @@ docker run --env-file .env myImage * https://docs.docker.com/engine/reference/builder/#arg[Dockerfile reference] - ARG command * https://docs.docker.com/engine/reference/builder/#run---mounttypesecret[Dockerfile reference] - RUN command secrets mount points * https://docs.docker.com/engine/swarm/secrets/[Docker documentation] - Manage sensitive data with Docker secrets -* https://cwe.mitre.org/data/definitions/522.html[MITRE, CWE-522] - Insufficiently Protected Credentials +* CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials] ifdef::env-github,rspecator-view[] diff --git a/rules/S6473/see.adoc b/rules/S6473/see.adoc index b26854bcf4..191e0f1f97 100644 --- a/rules/S6473/see.adoc +++ b/rules/S6473/see.adoc @@ -1,3 +1,3 @@ == See -* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control \ No newline at end of file +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] \ No newline at end of file diff --git a/rules/S6474/docker/rule.adoc b/rules/S6474/docker/rule.adoc index 5f902e827c..6da3a58316 100644 --- a/rules/S6474/docker/rule.adoc 
+++ b/rules/S6474/docker/rule.adoc @@ -210,7 +210,7 @@ RUN make install == See -* https://cwe.mitre.org/data/definitions/384.html[MITRE, CWE-345] - Insufficient Verification of Data Authenticity +* CWE - https://cwe.mitre.org/data/definitions/384[CWE-345 - Insufficient Verification of Data Authenticity] * https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode[Microsoft, Authenticode Digital Signatures] * https://www.linux.com/training-tutorials/pgp-web-trust-core-concepts-behind-trusted-communication/[Linux.com, PGP Web of Trust: Core Concepts Behind Trusted Communication] ifdef::env-github,rspecator-view[] diff --git a/rules/S6502/docker/rule.adoc b/rules/S6502/docker/rule.adoc index a3ca2f75da..d66bef74ea 100644 --- a/rules/S6502/docker/rule.adoc +++ b/rules/S6502/docker/rule.adoc @@ -55,8 +55,8 @@ RUN --security=sandbox ./example.sh == See -* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges -* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control +* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges] +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] * https://docs.docker.com/engine/reference/builder/#run---security[Dockerfile reference] - RUN diff --git a/rules/S6504/docker/rule.adoc b/rules/S6504/docker/rule.adoc index a7a0ae5d6a..8a72acdd3e 100644 --- a/rules/S6504/docker/rule.adoc +++ b/rules/S6504/docker/rule.adoc 
@@ -52,7 +52,7 @@ COPY --chown=root:root --chmod=644 src.py dst.py * https://docs.docker.com/engine/reference/builder/#add[Dockerfile reference] - ADD instruction * https://docs.docker.com/engine/reference/builder/#copy[Dockerfile reference] - COPY instruction -* https://cwe.mitre.org/data/definitions/732.html[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource +* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource] * https://cloud.google.com/architecture/best-practices-for-operating-containers#immutability[Google Cloud, Immutability] - Best practices for operating containers diff --git a/rules/S6505/docker/rule.adoc b/rules/S6505/docker/rule.adoc index 5cf82c8abc..0e58e84bf8 100644 --- a/rules/S6505/docker/rule.adoc +++ b/rules/S6505/docker/rule.adoc @@ -58,8 +58,8 @@ RUN yarn install --ignore-scripts == See -* https://cwe.mitre.org/data/definitions/506[MITRE, CWE-506] - Embedded Malicious Code -* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere +* CWE - https://cwe.mitre.org/data/definitions/506[CWE-506 - Embedded Malicious Code] +* CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere] * https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/[ESLint blog] - Postmortem for Malicious Packages Published on July 12th, 2018 diff --git a/rules/S6506/docker/rule.adoc b/rules/S6506/docker/rule.adoc index 124339c430..553aa91136 100644 --- a/rules/S6506/docker/rule.adoc +++ b/rules/S6506/docker/rule.adoc 
@@ -86,7 +86,7 @@ RUN wget --secure-protocol=TLSv1_2 --max-redirect=0 -q -O - https://might-redire == See -* https://cwe.mitre.org/data/definitions/757[MITRE, CWE-757] - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') +* CWE - https://cwe.mitre.org/data/definitions/757[CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')] * https://curl.se/docs/manpage.html#--proto[curl.1 the man page] - `--proto ` * https://www.gnu.org/software/wget/manual/wget.html#HTTP-Options[wget - GNU Wget Manual] - `--max-redirect=` * https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#41-encrypt-everything[SSL and TLS Deployment Best Practices] - Encrypt Everything diff --git a/rules/S6507/csharp/rule.adoc b/rules/S6507/csharp/rule.adoc index 07d3d29427..e9d7a01d7f 100644 --- a/rules/S6507/csharp/rule.adoc +++ b/rules/S6507/csharp/rule.adoc @@ -37,8 +37,8 @@ private void DoSomething() == Resources * https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/statements/lock[Lock Statement] - lock statement - ensure exclusive access to a shared resource -* https://cwe.mitre.org/data/definitions/412[MITRE, CWE-412] - Unrestricted Externally Accessible Lock -* https://cwe.mitre.org/data/definitions/413[MITRE, CWE-413] - Improper Resource Locking +* CWE - https://cwe.mitre.org/data/definitions/412[CWE-412 - Unrestricted Externally Accessible Lock] +* CWE - https://cwe.mitre.org/data/definitions/413[CWE-413 - Improper Resource Locking] ifdef::env-github,rspecator-view[] diff --git a/rules/S6547/common/resources/standards.adoc b/rules/S6547/common/resources/standards.adoc index 19ab637313..13b319ecd2 100644 --- a/rules/S6547/common/resources/standards.adoc +++ b/rules/S6547/common/resources/standards.adoc 
@@ -1,6 +1,6 @@ === Standards -* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection -* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection -* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation -* https://cwe.mitre.org/data/definitions/454[MITRE, CWE-454] - External Initialization of Trusted Variables or Data Stores \ No newline at end of file +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/454[CWE-454 - External Initialization of Trusted Variables or Data Stores] \ No newline at end of file diff --git a/rules/S6549/common/resources/standards.adoc b/rules/S6549/common/resources/standards.adoc index a36bf93077..fd25a09f46 100644 --- a/rules/S6549/common/resources/standards.adoc +++ b/rules/S6549/common/resources/standards.adoc 
@@ -1,8 +1,8 @@ === Standards -* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control -* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection -* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection -* https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control -* https://cwe.mitre.org/data/definitions/20[MITRE, CWE-20] - Improper Input Validation -* https://cwe.mitre.org/data/definitions/22[MITRE, CWE-22] - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') \ No newline at end of file +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] \ No newline at end of file diff --git a/rules/S6639/common/resources/standards.adoc b/rules/S6639/common/resources/standards.adoc index 70c30cdc1b..202ce61bfc 100644 --- a/rules/S6639/common/resources/standards.adoc +++ b/rules/S6639/common/resources/standards.adoc 
@@ -1,3 +1,3 @@ -* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection -* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection -* https://cwe.mitre.org/data/definitions/789.html[MITRE, CWE789] - Memory Allocation with Excessive Size Value \ No newline at end of file +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* CWE - https://cwe.mitre.org/data/definitions/789[CWE-789 - Memory Allocation with Excessive Size Value] \ No newline at end of file diff --git a/rules/S6640/csharp/rule.adoc b/rules/S6640/csharp/rule.adoc index 4c9f9c57a2..6972d28631 100644 --- a/rules/S6640/csharp/rule.adoc +++ b/rules/S6640/csharp/rule.adoc @@ -60,7 +60,7 @@ public int SubarraySum(int[] array, int start, int end) == See -* https://cwe.mitre.org/data/definitions/787.html[MITRE, CWE-787] - Out-of-bounds Write +* CWE - https://cwe.mitre.org/data/definitions/787[CWE-787 - Out-of-bounds Write] * https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/unsafe-code[Microsoft Learn] - Unsafe code, pointer types, and function pointers diff --git a/rules/S6641/common/resources/standards.adoc b/rules/S6641/common/resources/standards.adoc index ee9a1d4c60..74feb18d29 100644 --- a/rules/S6641/common/resources/standards.adoc +++ b/rules/S6641/common/resources/standards.adoc 
@@ -1,3 +1,3 @@ -* https://cwe.mitre.org/data/definitions/15.html[MITRE, CWE15] - External Control of System or Configuration Setting -* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection -* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection +* CWE - https://cwe.mitre.org/data/definitions/15[CWE-15 - External Control of System or Configuration Setting] +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] diff --git a/rules/S6648/azureresourcemanager/rule.adoc b/rules/S6648/azureresourcemanager/rule.adoc index 715f5e3788..39b9855a45 100644 --- a/rules/S6648/azureresourcemanager/rule.adoc +++ b/rules/S6648/azureresourcemanager/rule.adoc @@ -22,8 +22,8 @@ include::how-to-fix-it/bicep.adoc[] === Standards -* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor -* https://cwe.mitre.org/data/definitions/532[MITRE, CWE-532] - Insertion of Sensitive Information into Log File +* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor] +* CWE - https://cwe.mitre.org/data/definitions/532[CWE-532 - Insertion of Sensitive Information into Log File] ifdef::env-github,rspecator-view[] == Implementation Specification diff --git a/rules/S6656/azureresourcemanager/rule.adoc b/rules/S6656/azureresourcemanager/rule.adoc index b6fcb9a5bf..c26abc52c0 100644 --- a/rules/S6656/azureresourcemanager/rule.adoc +++ b/rules/S6656/azureresourcemanager/rule.adoc 
@@ -19,8 +19,8 @@ include::how-to-fix-it/bicep.adoc[] * Microsoft Learn - https://learn.microsoft.com/en-us/azure/templates/microsoft.resources/deployments?pivots=deployment-language-arm-template[`Microsoft.Resources/deployments`] === Standards -* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor -* https://cwe.mitre.org/data/definitions/532[MITRE, CWE-532] - Insertion of Sensitive Information into Log File +* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor] +* CWE - https://cwe.mitre.org/data/definitions/532[CWE-532 - Insertion of Sensitive Information into Log File] ifdef::env-github,rspecator-view[] diff --git a/rules/S6680/common/resources/standards.adoc b/rules/S6680/common/resources/standards.adoc index 444925fef8..52c0993384 100644 --- a/rules/S6680/common/resources/standards.adoc +++ b/rules/S6680/common/resources/standards.adoc @@ -1,5 +1,5 @@ === Standards * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] -* OWASP - https://www.owasp.org/index.php/Top_10-2017_A1-Injection[Top 10 2017 Category A1 - Injection] -* CWE - https://cwe.mitre.org/data/definitions/606[606 - Unchecked Input for Loop Condition] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* CWE - https://cwe.mitre.org/data/definitions/606[CWE-606 - Unchecked Input for Loop Condition] diff --git a/rules/S6776/python/rule.adoc b/rules/S6776/python/rule.adoc index 9c89e5b88a..95eeedea62 100644 --- a/rules/S6776/python/rule.adoc +++ b/rules/S6776/python/rule.adoc 
@@ -17,10 +17,10 @@ Python Documentation - https://docs.python.org/3/library/traceback.html[tracebac === Standards -* OWASP Top 10 - https://owasp.org/Top10/A04_2021-Insecure_Design/[A4:2021 Insecure Design] -* OWASP Top 10 - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[A3:2017 Sensitive Data Exposure] -* MITRE - https://cwe.mitre.org/data/definitions/209[CWE-209: Generation of Error Message Containing Sensitive Information] -* MITRE - https://cwe.mitre.org/data/definitions/489[CWE-489: Active Debug Code] +* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] +* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* CWE - https://cwe.mitre.org/data/definitions/209[CWE-209 - Generation of Error Message Containing Sensitive Information] +* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code] ifdef::env-github,rspecator-view[] diff --git a/rules/S6785/python/rule.adoc b/rules/S6785/python/rule.adoc index 2d5caf0d23..0a5ec1fab5 100644 --- a/rules/S6785/python/rule.adoc +++ b/rules/S6785/python/rule.adoc 
@@ -91,9 +91,9 @@ The easiest way to set such a limit is to use the query validation API available === Standards -* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 – Insecure Design] -* OWASP - https://www.owasp.org/index.php/Top_10-2017_A1-Injection[Top 10 2017 Category A6 - Security Misconfiguration] -* CWE - https://cwe.mitre.org/data/definitions/770.html[CWE-707 - Allocation of Resources Without Limits or Throttling] +* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* CWE - https://cwe.mitre.org/data/definitions/770[CWE-707 - Allocation of Resources Without Limits or Throttling] ifdef::env-github,rspecator-view[] diff --git a/rules/S6786/python/rule.adoc b/rules/S6786/python/rule.adoc index 9477990f71..b22b96a83d 100644 --- a/rules/S6786/python/rule.adoc +++ b/rules/S6786/python/rule.adoc @@ -105,9 +105,9 @@ specific right, or requests from a specific set of IP addresses. === Standards -* OWASP Top 10 - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[2021:A5 - Security Misconfiguration] -* OWASP Top 10 - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html[2017:A3 - Sensitive Data Exposure] -* OWASP Top 10 - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[2017:A6 - Security Misconfiguration] +* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] ifdef::env-github,rspecator-view[] 
diff --git a/rules/S6867/kubernetes/rule.adoc b/rules/S6867/kubernetes/rule.adoc index 36bb7ca6c0..634ab9e6a9 100644 --- a/rules/S6867/kubernetes/rule.adoc +++ b/rules/S6867/kubernetes/rule.adoc @@ -63,7 +63,7 @@ When defining RBAC permissions, it is important to follow the principle of least //=== Conference presentations === Standards -* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control +* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] //=== External coding guidelines //=== Benchmarks diff --git a/rules/S836/cfamily/rule.adoc b/rules/S836/cfamily/rule.adoc index 3dba5ce941..5377cf8211 100644 --- a/rules/S836/cfamily/rule.adoc +++ b/rules/S836/cfamily/rule.adoc @@ -253,7 +253,7 @@ auto [px, py, pz] = [&] { === External coding guidelines -* CWE - https://cwe.mitre.org/data/definitions/457[457 Use of Uninitialized Variable] +* CWE - https://cwe.mitre.org/data/definitions/457[CWE-457 Use of Uninitialized Variable] * MISRA C:2004, 9.1 - All automatic variables shall have been assigned a value before being used. * MISRA {cpp}:2008, 8-5-1 - All variables shall have a defined value before they are used. diff --git a/rules/S836/php/rule.adoc b/rules/S836/php/rule.adoc index 80f2c4a355..c92824582b 100644 --- a/rules/S836/php/rule.adoc +++ b/rules/S836/php/rule.adoc @@ -39,7 +39,7 @@ function getText(array $lines): string { == Resources -* https://cwe.mitre.org/data/definitions/457[MITRE, CWE-457] - Use of Uninitialized Variable +* CWE - https://cwe.mitre.org/data/definitions/457[CWE-457 - Use of Uninitialized Variable] ifdef::env-github,rspecator-view[] diff --git a/rules/S864/cfamily/rule.adoc b/rules/S864/cfamily/rule.adoc index 58b0a2f732..c3e150be98 100644 --- a/rules/S864/cfamily/rule.adoc +++ b/rules/S864/cfamily/rule.adoc 
@@ -61,7 +61,7 @@ if ( (a = f(b,c)) == true) { ... } * MISRA {cpp}:2008, 5-2-1 - Each operand of a logical && or || shall be a postfix-expression. * MISRA C:2012, 12.1 - The precedence of operators within expressions should be made explicit * https://wiki.sei.cmu.edu/confluence/x/YdYxBQ[CERT, EXP00-C.] - Use parentheses for precedence of operation -* https://cwe.mitre.org/data/definitions/783[MITRE, CWE-783] - Operator Precedence Logic Error +* CWE - https://cwe.mitre.org/data/definitions/783[CWE-783 - Operator Precedence Logic Error] ifdef::env-github,rspecator-view[] diff --git a/rules/S864/cobol/rule.adoc b/rules/S864/cobol/rule.adoc index c8fd980d82..5eb17bc6ed 100644 --- a/rules/S864/cobol/rule.adoc +++ b/rules/S864/cobol/rule.adoc @@ -25,7 +25,7 @@ COMPUTE WSRESULT2 = WS1 + 5 + WS2 + WS3 + WS4 END-COMPUTE == Resources -* https://cwe.mitre.org/data/definitions/783[MITRE, CWE-783] - Operator Precedence Logic Error +* CWE - https://cwe.mitre.org/data/definitions/783[CWE-783 - Operator Precedence Logic Error] ifdef::env-github,rspecator-view[] diff --git a/rules/S864/java/rule.adoc b/rules/S864/java/rule.adoc index 366e14db7b..d3c9d1585c 100644 --- a/rules/S864/java/rule.adoc +++ b/rules/S864/java/rule.adoc @@ -52,7 +52,7 @@ if ( (a = f(b,c)) == 1) { ... } * https://wiki.sei.cmu.edu/confluence/x/YdYxBQ[CERT, EXP00-C.] - Use parentheses for precedence of operation * https://wiki.sei.cmu.edu/confluence/x/ZzZGBQ[CERT, EXP53-J.] - Use parentheses for precedence of operation -* https://cwe.mitre.org/data/definitions/783[MITRE, CWE-783] - Operator Precedence Logic Error +* CWE - https://cwe.mitre.org/data/definitions/783[CWE-783 - Operator Precedence Logic Error] ifdef::env-github,rspecator-view[] diff --git a/rules/S874/cfamily/rule.adoc b/rules/S874/cfamily/rule.adoc index 7d1deff7d6..50825c61da 100644 --- a/rules/S874/cfamily/rule.adoc +++ b/rules/S874/cfamily/rule.adoc 
@@ -64,7 +64,7 @@ unsigned int f(unsigned short src) {
 * MISRA {cpp}:2008, 5-0-21 - Bitwise operators shall only be applied to operands of unsigned underlying type
 * MISRA C:2012, 10.1 - Operands shall not be of an inappropriate essential type
 * https://wiki.sei.cmu.edu/confluence/x/9tYxBQ[CERT, INT13-C.] - Use bitwise operators only on unsigned operands
-* https://cwe.mitre.org/data/definitions/682[MITRE, CWE-682] - Incorrect Calculation
+* CWE - https://cwe.mitre.org/data/definitions/682[CWE-682 - Incorrect Calculation]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S888/java/rule.adoc b/rules/S888/java/rule.adoc
index 78fe7eace3..ba6a095892 100644
--- a/rules/S888/java/rule.adoc
+++ b/rules/S888/java/rule.adoc
@@ -47,7 +47,7 @@ for (int i = 0; (item = arr[i]) != null; i++) {
 == Resources
-* https://cwe.mitre.org/data/definitions/835[MITRE, CWE-835] - Loop with Unreachable Exit Condition ('Infinite Loop')
+* CWE - https://cwe.mitre.org/data/definitions/835[CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')]
 * https://wiki.sei.cmu.edu/confluence/x/x9YxBQ[CERT, MSC21-C.] - Use robust loop termination conditions
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S888/javascript/rule.adoc b/rules/S888/javascript/rule.adoc
index fcfff36aa7..ea25dfabda 100644
--- a/rules/S888/javascript/rule.adoc
+++ b/rules/S888/javascript/rule.adoc
@@ -44,7 +44,7 @@ for (var i = 0; (item = arr[i]) != null; i++) {
 == Resources
-* https://cwe.mitre.org/data/definitions/835[MITRE, CWE-835] - Loop with Unreachable Exit Condition ('Infinite Loop')
+* CWE - https://cwe.mitre.org/data/definitions/835[CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S899/java/rule.adoc b/rules/S899/java/rule.adoc
index e2d56aacd8..742d05ff48 100644
--- a/rules/S899/java/rule.adoc
+++ b/rules/S899/java/rule.adoc
@@ -32,7 +32,7 @@ public void doSomething(File file, Lock lock) {
 * https://wiki.sei.cmu.edu/confluence/x/xzdGBQ[CERT, EXP00-J.] - Do not ignore values returned by methods
 * https://wiki.sei.cmu.edu/confluence/x/TTZGBQ[CERT, FIO02-J.] - Detect and handle file-related errors
-* https://cwe.mitre.org/data/definitions/754[MITRE, CWE-754] - Improper Check for Unusual Exceptional Conditions
+* CWE - https://cwe.mitre.org/data/definitions/754[CWE-754 - Improper Check for Unusual Exceptional Conditions]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S899/kotlin/rule.adoc b/rules/S899/kotlin/rule.adoc
index fd302b416f..91a6fc14f6 100644
--- a/rules/S899/kotlin/rule.adoc
+++ b/rules/S899/kotlin/rule.adoc
@@ -34,7 +34,7 @@ Although these resources talk about Java, the underlying information concerning
 * https://wiki.sei.cmu.edu/confluence/x/xzdGBQ[CERT, EXP00-J.] - Do not ignore values returned by methods
 * https://wiki.sei.cmu.edu/confluence/x/TTZGBQ[CERT, FIO02-J.] - Detect and handle file-related errors
-* https://cwe.mitre.org/data/definitions/754[MITRE, CWE-754] - Improper Check for Unusual Exceptional Conditions
+* CWE - https://cwe.mitre.org/data/definitions/754[CWE-754 - Improper Check for Unusual Exceptional Conditions]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S905/cfamily/rule.adoc b/rules/S905/cfamily/rule.adoc
index d6b9f69942..caf3eafe5e 100644
--- a/rules/S905/cfamily/rule.adoc
+++ b/rules/S905/cfamily/rule.adoc
@@ -77,7 +77,7 @@ int sub(int a, int b) {
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/482[482 Comparing instead of Assigning]
+* CWE - https://cwe.mitre.org/data/definitions/482[CWE-482 Comparing instead of Assigning]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/5dUxBQ[MSC12-C. Detect and remove code that has no effect or is never executed]
 === External coding guidelines
diff --git a/rules/S905/see.adoc b/rules/S905/see.adoc
index 63a40dceb2..a8f313d1ac 100644
--- a/rules/S905/see.adoc
+++ b/rules/S905/see.adoc
@@ -2,4 +2,4 @@
 === Standards
-* CWE - https://cwe.mitre.org/data/definitions/482[482 Comparing instead of Assigning]
+* CWE - https://cwe.mitre.org/data/definitions/482[CWE-482 Comparing instead of Assigning]
diff --git a/rules/S930/cfamily/rule.adoc b/rules/S930/cfamily/rule.adoc
index 7f4032ecbe..df375122da 100644
--- a/rules/S930/cfamily/rule.adoc
+++ b/rules/S930/cfamily/rule.adoc
@@ -6,7 +6,7 @@ This problem is completely avoided by the use of function prototypes. See MISRA
 == Resources
 * MISRA C:2004, 16.6 - The number of arguments passed to a function shall match the number of parameters.
-* https://cwe.mitre.org/data/definitions/628[MITRE, CWE-628] - Function Call with Incorrectly Specified Arguments
+* CWE - https://cwe.mitre.org/data/definitions/628[CWE-628 - Function Call with Incorrectly Specified Arguments]
 * https://wiki.sei.cmu.edu/confluence/x/7NYxBQ[CERT, DCL07-C.] - Include the appropriate type information in function declarators
 * https://wiki.sei.cmu.edu/confluence/x/49UxBQ[CERT, EXP37-C.] - Call functions with the correct number and type of arguments
diff --git a/rules/S930/see.adoc b/rules/S930/see.adoc
index ca526f59ed..701cec88b8 100644
--- a/rules/S930/see.adoc
+++ b/rules/S930/see.adoc
@@ -1,3 +1,3 @@
 == Resources
-* https://cwe.mitre.org/data/definitions/628[MITRE, CWE-628] - Function Call with Incorrectly Specified Arguments
+* CWE - https://cwe.mitre.org/data/definitions/628[CWE-628 - Function Call with Incorrectly Specified Arguments]
diff --git a/rules/S935/cfamily/rule.adoc b/rules/S935/cfamily/rule.adoc
index 89c714913d..af1ad242d4 100644
--- a/rules/S935/cfamily/rule.adoc
+++ b/rules/S935/cfamily/rule.adoc
@@ -62,7 +62,7 @@ int my_func(int a) {
 * MISRA C:2004, 16.8 - All exit paths from a function with non-void return type shall have an explicit return statement with an expression
 * MISRA {cpp}:2008, 8-4-3 - All exit paths from a function with non-void return type shall have an explicit return statement with an expression
 * MISRA C:2012, 17.4 - All exit paths from a function with non-void return type shall have an explicit return statement with an expression
-* https://cwe.mitre.org/data/definitions/394[MITRE, CWE-394] - Unexpected Status Code or Return Value
+* CWE - https://cwe.mitre.org/data/definitions/394[CWE-394 - Unexpected Status Code or Return Value]
 * https://wiki.sei.cmu.edu/confluence/x/m9YxBQ[CERT, MSC37-C.] - Ensure that control never reaches the end of a non-void function
 * https://wiki.sei.cmu.edu/confluence/x/EXs-BQ[CERT, MSC52-CPP.] - Value-returning functions must return a value from all exit paths
 * https://wiki.sei.cmu.edu/confluence/x/Cns-BQ[CERT, MSC53-CPP.] - Do not return from a function declared \[[noreturn]]
diff --git a/rules/S935/javascript/rule.adoc b/rules/S935/javascript/rule.adoc
index ccc8bfbf1d..a8d2750025 100644
--- a/rules/S935/javascript/rule.adoc
+++ b/rules/S935/javascript/rule.adoc
@@ -33,7 +33,7 @@ function voidFunction(): void {
 == Resources
-* https://cwe.mitre.org/data/definitions/394[MITRE, CWE-394] - Unexpected Status Code or Return Value
+* CWE - https://cwe.mitre.org/data/definitions/394[CWE-394 - Unexpected Status Code or Return Value]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S939/cfamily/rule.adoc b/rules/S939/cfamily/rule.adoc
index 37774c1912..8835bcdf1a 100644
--- a/rules/S939/cfamily/rule.adoc
+++ b/rules/S939/cfamily/rule.adoc
@@ -54,7 +54,7 @@ void g(int val){
 * MISRA C:2004, 17.2
 * MISRA {cpp}:2008, 5-0-17
-* https://cwe.mitre.org/data/definitions/469[MITRE, CWE-469] - Use of Pointer Subtraction to Determine Size
+* CWE - https://cwe.mitre.org/data/definitions/469[CWE-469 - Use of Pointer Subtraction to Determine Size]
 * https://wiki.sei.cmu.edu/confluence/x/1dYxBQ[CERT, ARR36-C.] - Do not subtract or compare two pointers that do not refer to the same array
diff --git a/rules/S961/cfamily/rule.adoc b/rules/S961/cfamily/rule.adoc
index 7559d62a7d..32d5859b4e 100644
--- a/rules/S961/cfamily/rule.adoc
+++ b/rules/S961/cfamily/rule.adoc
@@ -7,7 +7,7 @@ Before compilation, the preprocessor replaces macros with the code they expand t
 * {cpp} reference - https://en.cppreference.com/w/cpp/preprocessor/replace[Replacing text macros]
 * {cpp} reference - https://en.cppreference.com/w/cpp/language/translation_phases#Phase_3[Phases of translation: Phase 3]
 * MISRA C:2004, 19.8 - A function-like macro shall not be invoked without all of its arguments.
-* https://cwe.mitre.org/data/definitions/628[CWE] - CWE-628: Function Call with Incorrectly Specified Arguments
+* CWE - https://cwe.mitre.org/data/definitions/628[CWE-628 - Function Call with Incorrectly Specified Arguments]
 ifdef::env-github,rspecator-view[]
diff --git a/shared_content/secrets/resources/standards.adoc b/shared_content/secrets/resources/standards.adoc
index 94d03f84b8..93e9c4d1ff 100644
--- a/shared_content/secrets/resources/standards.adoc
+++ b/shared_content/secrets/resources/standards.adoc
@@ -1,4 +1,4 @@
 === Standards
-* MITRE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
-* MITRE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
+* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
+* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]