diff --git a/rules/S4507/kotlin/metadata.json b/rules/S4507/kotlin/metadata.json
index d3abb8c450..6afd55ee1c 100644
--- a/rules/S4507/kotlin/metadata.json
+++ b/rules/S4507/kotlin/metadata.json
@@ -1,33 +1,3 @@
 {
- "tags": [
- "cwe",
- "error-handling",
- "debug",
- "android",
- "user-experience"
- ],
- "securityStandards": {
- "CWE": [
- 489,
- 215
- ],
- "OWASP Mobile": [
- "M9",
- "M10"
- ],
- "OWASP Mobile Top 10 2024": [
- "M7",
- "M8"
- ],
- "MASVS": [
- "MSTG-CODE-2"
- ],
- "OWASP": [
- "A3"
- ],
- "OWASP Top 10 2021": [
- "A5"
- ]
- },
 "quickfix": "unknown"
 }
diff --git a/rules/S4507/kotlin/rule.adoc b/rules/S4507/kotlin/rule.adoc
index d9987bf0a4..5a7d8d6e69 100644
--- a/rules/S4507/kotlin/rule.adoc
+++ b/rules/S4507/kotlin/rule.adoc
@@ -8,20 +8,7 @@ Do not enable debugging features on applications distributed to end users.
 
 == Sensitive Code Example
 
-The release build is debuggable:
-
-[source,kotlin]
-----
-android {
- buildTypes {
- release {
- isDebuggable = true // Sensitive
- }
- }
-}
-----
-
-Webview debugging is enabled:
+https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(true)] for Android enables debugging support:
 
 [source,kotlin]
 ----
@@ -32,16 +19,7 @@ WebView.setWebContentsDebuggingEnabled(true) // Sensitive
 
 == Compliant Solution
 
-[source,kotlin]
-----
-android {
- buildTypes {
- release {
- isDebuggable = false
- }
- }
-}
-----
+https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(false)] for Android disables debugging support:
 
 [source,kotlin]
 ----
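Review bot: The Kotlin variant now declares no `tags` or `securityStandards` at all, so its CWE-489/CWE-215, OWASP and MASVS classification must come from the language-agnostic `rules/S4507/metadata.json`, which this diff does not touch; confirm that file carries those entries, otherwise the Kotlin rule silently loses its security-standard mapping. The xml/metadata.json hunk in the same commit keeps an explicit list (only `M9` and the `OWASP Mobile Top 10 2024` block are dropped), so the two variants now express the mapping in different ways, presumably by design but worth a sentence in the commit description. If inheritance is the intent for both, the xml block could be trimmed the same way instead of maintaining a second copy.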
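Review bot: Removing the `isDebuggable = true` build-type example leaves the Kotlin rule with `WebView.setWebContentsDebuggingEnabled` as its only sensitive case, while the intro sentence kept as hunk context ("Do not enable debugging features on applications distributed to end users.") still speaks of debugging features in general; the second hunk of this file drops the matching `isDebuggable = false` compliant solution in the same way. If debuggable release build types are now documented elsewhere, a one-sentence pointer to that place (name to be confirmed) after the new lead-in would keep readers from concluding the Gradle DSL case is no longer sensitive; if they are not, this is a coverage gap rather than a documentation cleanup. The new lead-in could also be shortened to `Enabling WebView content debugging:` so the link text does not repeat the code line that follows it.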
@@ -50,11 +28,7 @@ import android.webkit.WebView
 WebView.setWebContentsDebuggingEnabled(false)
 ----
 
-include::../see-mobile.adoc[]
-
-* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
-* https://developer.android.com/privacy-and-security/risks/android-debuggable[developer.android.com] - android:debuggable
-
+include::../see.adoc[]
 
 ifdef::env-github,rspecator-view[]
 
diff --git a/rules/S4507/see-mobile.adoc b/rules/S4507/see-mobile.adoc
deleted file mode 100644
index e49ec3aec5..0000000000
--- a/rules/S4507/see-mobile.adoc
+++ /dev/null
@@ -1,11 +0,0 @@
-== See
-
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering[Mobile Top 10 2016 Category M9 - Reverse Engineering]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m7-insufficient-binary-protection[Mobile Top 10 2024 Category M7 - Insufficient Binary Protection]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CODE/[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
-* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
-* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
\ No newline at end of file
diff --git a/rules/S4507/xml/metadata.json b/rules/S4507/xml/metadata.json
index d3abb8c450..8a9496384b 100644
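Review bot: `include::../see.adoc[]` references a file that is neither added nor shown in this diff, while the file it replaces, `see-mobile.adoc`, is deleted in the same commit; confirm `rules/S4507/see.adoc` already exists, otherwise the Kotlin page renders without a See section. The "Prepare for release" link dropped here is kept in the xml variant's new inline list, so the two variants' reference lists now diverge. If the shared `see.adoc` is meant to be the single source, the xml variant should include it as well rather than carrying its own copy.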
--- a/rules/S4507/xml/metadata.json
+++ b/rules/S4507/xml/metadata.json
@@ -12,13 +12,8 @@
 215
 ],
 "OWASP Mobile": [
- "M9",
 "M10"
 ],
- "OWASP Mobile Top 10 2024": [
- "M7",
- "M8"
- ],
 "MASVS": [
 "MSTG-CODE-2"
 ],
diff --git a/rules/S4507/xml/rule.adoc b/rules/S4507/xml/rule.adoc
index 31be55be39..1e36ff2cf4 100644
--- a/rules/S4507/xml/rule.adoc
+++ b/rules/S4507/xml/rule.adoc
@@ -74,10 +74,15 @@ In a `web.config` file, the `customErrors` element's `mode` attribute is set to ---- -include::../see-mobile.adoc[] +== See +* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] +* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://mas.owasp.org/checklists/MASVS-CODE/[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality] +* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code] +* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information] * https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release -* https://developer.android.com/privacy-and-security/risks/android-debuggable[developer.android.com] - android:debuggable * https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling ifdef::env-github,rspecator-view[]
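Review bot: The reference list is inlined here instead of included from a shared file, so it will drift from the Kotlin variant's `include::../see.adoc[]`; it already differs from the deleted `see-mobile.adoc` in the OWASP 2017 URL host (`https://www.owasp.org/...` here versus `https://owasp.org/...` there and in the neighbouring OWASP bullets). If the inline copy is intentional, using the same host as the other bullets keeps the links consistent, and a blank line after `== See` matches the formatting of the deleted file and of the document's other section headings. The leading context of this hunk appears truncated in this rendering (no line is visible between the hunk header and `----`), so I could not check the lines directly above the replaced include.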