ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Update S4507: Add kotlin code examples (SONARKT-580) (#4708)" (#4755)

Browse Source 
This reverts commit d63f01a9b137c9a010f1f81a29cf800fba5cf438.
This commit is contained in:
Pierre-Loup 2025-03-17 13:36:22 +01:00 committed by GitHub
parent 7c9aad50bf
commit d608b6dedb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 10 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
rules/S4507/kotlin/metadata.json
View File

@ -1,33 +1,3 @@
{ {
"tags": [
"cwe",
"error-handling",
"debug",
"android",
"user-experience"
],
"securityStandards": {
"CWE": [
489,
215
],
"OWASP Mobile": [
"M9",
"M10"
],
"OWASP Mobile Top 10 2024": [
"M7",
"M8"
],
"MASVS": [
"MSTG-CODE-2"
],
"OWASP": [
"A3"
],
"OWASP Top 10 2021": [
"A5"
]
},
"quickfix": "unknown" "quickfix": "unknown"
} }

32
rules/S4507/kotlin/rule.adoc
View File

@ -8,20 +8,7 @@ Do not enable debugging features on applications distributed to end users.
== Sensitive Code Example == Sensitive Code Example
The release build is debuggable: https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(true)] for Android enables debugging support:
[source,kotlin]
----
android {
buildTypes {
release {
isDebuggable = true // Sensitive
}
}
}
----
Webview debugging is enabled:
[source,kotlin] [source,kotlin]
---- ----
@ -32,16 +19,7 @@ WebView.setWebContentsDebuggingEnabled(true) // Sensitive
== Compliant Solution == Compliant Solution
[source,kotlin] https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(false)] for Android disables debugging support:
----
android {
buildTypes {
release {
isDebuggable = false
}
}
}
----
[source,kotlin] [source,kotlin]
---- ----
@ -50,11 +28,7 @@ import android.webkit.WebView
WebView.setWebContentsDebuggingEnabled(false) WebView.setWebContentsDebuggingEnabled(false)
---- ----
include::../see-mobile.adoc[] include::../see.adoc[]
* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
* https://developer.android.com/privacy-and-security/risks/android-debuggable[developer.android.com] - android:debuggable
ifdef::env-github,rspecator-view[] ifdef::env-github,rspecator-view[]

11
rules/S4507/see-mobile.adoc
View File

@ -1,11 +0,0 @@
== See
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering[Mobile Top 10 2016 Category M9 - Reverse Engineering]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m7-insufficient-binary-protection[Mobile Top 10 2024 Category M7 - Insufficient Binary Protection]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
* OWASP - https://mas.owasp.org/checklists/MASVS-CODE/[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]

5
rules/S4507/xml/metadata.json
View File

@ -12,13 +12,8 @@
215 215
], ],
"OWASP Mobile": [ "OWASP Mobile": [
"M9",
"M10" "M10"
], ],
"OWASP Mobile Top 10 2024": [
"M7",
"M8"
],
"MASVS": [ "MASVS": [
"MSTG-CODE-2" "MSTG-CODE-2"
], ],

9
rules/S4507/xml/rule.adoc
View File

@ -74,10 +74,15 @@ In a `web.config` file, the `customErrors` element's `mode` attribute is set to
</configuration> </configuration>
---- ----
include::../see-mobile.adoc[] == See
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* OWASP - https://mas.owasp.org/checklists/MASVS-CODE/[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release * https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
* https://developer.android.com/privacy-and-security/risks/android-debuggable[developer.android.com] - android:debuggable
* https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling * https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling
ifdef::env-github,rspecator-view[] ifdef::env-github,rspecator-view[]