Update S4507: Add kotlin code examples (SONARKT-580) (#4708)

2025-02-27 14:09:15 +01:00 · 2025-02-27 14:09:15 +01:00 · d63f01a9b1
commit d63f01a9b1
parent 8b10fbcbb5
5 changed files with 77 additions and 10 deletions
--- a/rules/S4507/kotlin/metadata.json
+++ b/rules/S4507/kotlin/metadata.json
@ -1,3 +1,33 @@
 {
+  "tags": [
+    "cwe",
+    "error-handling",
+    "debug",
+    "android",
+    "user-experience"
+  ],
+  "securityStandards": {
+    "CWE": [
+      489,
+      215
+    ],
+    "OWASP Mobile": [
+      "M9",
+      "M10"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M7",
+      "M8"
+    ],
+    "MASVS": [
+      "MSTG-CODE-2"
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Top 10 2021": [
+      "A5"
+    ]
+  },
  "quickfix": "unknown"
 }
--- a/rules/S4507/kotlin/rule.adoc
+++ b/rules/S4507/kotlin/rule.adoc
@ -8,7 +8,20 @@ Do not enable debugging features on applications distributed to end users.

 == Sensitive Code Example

-https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(true)] for Android enables debugging support:
+The release build is debuggable:
+
+[source,kotlin]
+----
+android {
+    buildTypes {
+        release {
+            isDebuggable = true // Sensitive
+        }
+    }
+}
+----
+
+Webview debugging is enabled:

 [source,kotlin]
 ----
@ -19,7 +32,16 @@ WebView.setWebContentsDebuggingEnabled(true) // Sensitive

 == Compliant Solution

-https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(false)] for Android disables debugging support:
+[source,kotlin]
+----
+android {
+    buildTypes {
+        release {
+            isDebuggable = false
+        }
+    }
+}
+----

 [source,kotlin]
 ----
@ -28,7 +50,11 @@ import android.webkit.WebView
 WebView.setWebContentsDebuggingEnabled(false)
 ----

-include::../see.adoc[]
+include::../see-mobile.adoc[]
+
+* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
+* https://developer.android.com/privacy-and-security/risks/android-debuggable[developer.android.com] - android:debuggable
+

 ifdef::env-github,rspecator-view[]

--- a/rules/S4507/see-mobile.adoc
+++ b/rules/S4507/see-mobile.adoc
@ -0,0 +1,11 @@
+== See
+
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering[Mobile Top 10 2016 Category M9 - Reverse Engineering]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m7-insufficient-binary-protection[Mobile Top 10 2024 Category M7 - Insufficient Binary Protection]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CODE/[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
+* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
--- a/rules/S4507/xml/metadata.json
+++ b/rules/S4507/xml/metadata.json
@ -12,8 +12,13 @@
      215
    ],
    "OWASP Mobile": [
+      "M9",
      "M10"
    ],
+    "OWASP Mobile Top 10 2024": [
+      "M7",
+      "M8"
+    ],
    "MASVS": [
      "MSTG-CODE-2"
    ],
--- a/rules/S4507/xml/rule.adoc
+++ b/rules/S4507/xml/rule.adoc
@ -74,15 +74,10 @@ In a `web.config` file, the `customErrors` element's `mode` attribute is set to
 </configuration>
 ----

-== See
+include::../see-mobile.adoc[]

-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CODE/[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
-* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
-* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
 * https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
+* https://developer.android.com/privacy-and-security/risks/android-debuggable[developer.android.com] - android:debuggable
 * https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling

 ifdef::env-github,rspecator-view[]