diff --git a/rules/S4507/kotlin/metadata.json b/rules/S4507/kotlin/metadata.json
index 6afd55ee1c..d3abb8c450 100644
--- a/rules/S4507/kotlin/metadata.json
+++ b/rules/S4507/kotlin/metadata.json
@@ -1,3 +1,33 @@
 {
+ "tags": [
+ "cwe",
+ "error-handling",
+ "debug",
+ "android",
+ "user-experience"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 489,
+ 215
+ ],
+ "OWASP Mobile": [
+ "M9",
+ "M10"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M7",
+ "M8"
+ ],
+ "MASVS": [
+ "MSTG-CODE-2"
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Top 10 2021": [
+ "A5"
+ ]
+ },
 "quickfix": "unknown"
 }
diff --git a/rules/S4507/kotlin/rule.adoc b/rules/S4507/kotlin/rule.adoc
index 5a7d8d6e69..d9987bf0a4 100644
--- a/rules/S4507/kotlin/rule.adoc
+++ b/rules/S4507/kotlin/rule.adoc
@@ -8,7 +8,20 @@ Do not enable debugging features on applications distributed to end users.
 
 == Sensitive Code Example
 
-https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(true)] for Android enables debugging support:
+The release build is debuggable:
+
+[source,kotlin]
+----
+android {
+ buildTypes {
+ release {
+ isDebuggable = true // Sensitive
+ }
+ }
+}
+----
+
+Webview debugging is enabled:
 
 [source,kotlin]
 ----
@@ -19,7 +32,16 @@ WebView.setWebContentsDebuggingEnabled(true) // Sensitive
 
 == Compliant Solution
 
-https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(false)] for Android disables debugging support:
+[source,kotlin]
+----
+android {
+ buildTypes {
+ release {
+ isDebuggable = false
+ }
+ }
+}
+----
 
 [source,kotlin]
 ----
@@ -28,7 +50,11 @@ import android.webkit.WebView
 WebView.setWebContentsDebuggingEnabled(false)
 ----
 
-include::../see.adoc[]
+include::../see-mobile.adoc[]
+
+* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
+* https://developer.android.com/privacy-and-security/risks/android-debuggable[developer.android.com] - android:debuggable
+
 
 ifdef::env-github,rspecator-view[]
 
diff --git a/rules/S4507/see-mobile.adoc b/rules/S4507/see-mobile.adoc
new file mode 100644
index 0000000000..e49ec3aec5
--- /dev/null
+++ b/rules/S4507/see-mobile.adoc
@@ -0,0 +1,11 @@
+== See
+
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering[Mobile Top 10 2016 Category M9 - Reverse Engineering]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m7-insufficient-binary-protection[Mobile Top 10 2024 Category M7 - Insufficient Binary Protection]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CODE/[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
+* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
\ No newline at end of file
diff --git a/rules/S4507/xml/metadata.json b/rules/S4507/xml/metadata.json
index 8a9496384b..d3abb8c450 100644
--- a/rules/S4507/xml/metadata.json
+++ b/rules/S4507/xml/metadata.json
@@ -12,8 +12,13 @@
 215
 ],
 "OWASP Mobile": [
+ "M9",
 "M10"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M7",
+ "M8"
+ ],
 "MASVS": [
 "MSTG-CODE-2"
 ],
diff --git a/rules/S4507/xml/rule.adoc b/rules/S4507/xml/rule.adoc
index 1e36ff2cf4..31be55be39 100644
--- a/rules/S4507/xml/rule.adoc
+++ b/rules/S4507/xml/rule.adoc
@@ -74,15 +74,10 @@ In a `web.config` file, the `customErrors` element's `mode` attribute is set to
 
 ----
 
-== See
+include::../see-mobile.adoc[]
 
-* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
-* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CODE/[Mobile AppSec Verification Standard - Code Quality and Build Setting Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[Mobile Top 10 2016 Category M10 - Extraneous Functionality]
-* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
-* CWE - https://cwe.mitre.org/data/definitions/215[CWE-215 - Information Exposure Through Debug Information]
 * https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
+* https://developer.android.com/privacy-and-security/risks/android-debuggable[developer.android.com] - android:debuggable
 * https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling
 
 ifdef::env-github,rspecator-view[]
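Review bot: The `tags` array added to the Kotlin metadata carries `error-handling` and `user-experience`, which fit the ASP.NET `customErrors` scenario of the XML variant of this rule (visible in the `web.config` hunk header of xml/rule.adoc) but nothing in the Kotlin rule, whose examples are a debuggable release build type and WebView debugging. The resulting blob is byte-identical to xml/metadata.json (both index lines end in `d3abb8c450`), which suggests the block was copied rather than tailored; I would expect `"tags": ["cwe", "debug", "android"]` here unless the extra tags are deliberately kept uniform across languages. If a language-agnostic metadata file one level up (next to see-mobile.adoc) can hold `securityStandards` for every language, keeping a single copy there would also stop the two files drifting apart.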
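Review bot: The new lead-in `The release build is debuggable:` does not say that the snippet is Gradle build-script configuration rather than application code, so a sentence such as `In build.gradle.kts, the release build type is debuggable:` (file name in monospace) would place it for readers before the WebView snippet that follows. That second lead-in spells the class `Webview`; the Android class is `WebView`, so `WebView debugging is enabled:`. The Compliant Solution hunk of this same file removes its original introductory sentence and adds the Gradle block without one, leaving two unlabelled snippets; parallel lead-ins there (`The release build is not debuggable:` and `WebView debugging is disabled:`) would keep the sections symmetric. If I remember the Android Gradle plugin defaults correctly, `release` is non-debuggable unless configured otherwise, so a clause noting that leaving `isDebuggable` unset is equally compliant would stop readers taking the explicit `false` as required.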
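Review bot: The new file ends without a trailing newline (`\ No newline at end of file`); since it is pulled in by `include::` from two rule pages that both continue the list after the include, a terminating newline avoids the last bullet being joined to what follows in any context that does not insert one itself, and keeps the marker out of future diffs. The two Mobile Top 10 2024 links use the `/2023-risks/` path while their labels say 2024; if that is the path the OWASP site publishes the 2024 list under, a one-line AsciiDoc comment (`// 2024 list is hosted under /2023-risks/`) would save the next editor from "fixing" the URLs.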
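Review bot: The two Android bullets left after the include (`Prepare for release` and the new `android:debuggable` entry) are now repeated verbatim in the third hunk of kotlin/rule.adoc, so the two lists can drift the same way the standards lists did before this change. Since `see-mobile.adoc` is already the shared fragment, a second shared fragment for the Android developer links, or adding them to `see-mobile.adoc` if every page that includes it is Android-specific, would keep one copy. This XML rule also covers ASP.NET `web.config` (the `customErrors` sentence in the hunk header), so the `learn.microsoft.com` bullet should stay local either way.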