Modify S1075: migrate to LayC (#3312)

2023-10-18 11:18:09 +02:00 · 2023-10-18 11:18:09 +02:00 · d7138f5ef4
commit d7138f5ef4
parent 63e5b7219b
11 changed files with 88 additions and 132 deletions
--- a/rules/S1075/cfamily/rule.adoc
+++ b/rules/S1075/cfamily/rule.adoc
@ -1,10 +1,6 @@
-== Why is this an issue?
-
 include::../description.adoc[]

-== Resources
-
-* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
+include::../resources.adoc[]

 ifdef::env-github,rspecator-view[]

@ -15,9 +11,5 @@ ifdef::env-github,rspecator-view[]
 include::../message.adoc[]

 '''
-== Comments And Links
-(visible only on this page)
-
-include::../comments-and-links.adoc[]

 endif::env-github,rspecator-view[]
--- a/rules/S1075/comments-and-links.adoc
+++ b/rules/S1075/comments-and-links.adoc
@ -1,45 +0,0 @@
-=== is duplicated by: S2117
-
-=== relates to: S1829
-
-=== on 5 Jun 2013, 13:18:55 Fabrice Bellingard wrote:
-The strings that should be detected are any kind of absolute or OS-specific URI - but not relative ones. For instance:
-
-* should be detected:
-** Strings starting with an http://en.wikipedia.org/wiki/URI_scheme[URI scheme]:
-*** \http://www.mywebsite.com
-*** ftp://myserver.com
-*** file:/my/folder
-*** ...etc
-** //my-network-drive
-** C:/my/folder
-** /my/other/folder
-** ~/my/local/folder
-* should NOT be detected: 
-** my/folder
-** ./my/folder
-** ../my/folder
-
-=== on 2 Feb 2015, 20:47:46 Sébastien Gioria wrote:
-CERT MSC03-J
-
-=== on 3 Feb 2015, 20:34:01 Ann Campbell wrote:
-thanks [~sebastien.gioria]
-
-=== on 10 Apr 2015, 18:32:39 Ann Campbell wrote:
-I'm assigning this rule update to you for verification [~elena.vilchik], since you're the only one to have implemented it so far.
-
-
-Note that I've already entered SWIFT-108 to update Swift implementation.
-
-
-
-=== on 30 Jun 2017, 11:09:23 Amaury Levé wrote:
-There is no link to FxCop, could you add it?
-
-=== on 30 Jun 2017, 13:55:21 Jean-Christophe Collet wrote:
-Done
-
-=== on 28 Aug 2018, 17:11:04 Elena Vilchik wrote:
-I've set JS and TS as irrelevant for this rule, as it's common practice to hardcode urls (e.g. for API endpoints). Even if sometimes the rule might be relevant, still ROI is low (rule has low value and implementation is not super trivial)
-
--- a/rules/S1075/csharp/rule.adoc
+++ b/rules/S1075/csharp/rule.adoc
@ -1,21 +1,50 @@
-== Why is this an issue?
-
-Hardcoding a URI makes it difficult to test a program: path literals are not always portable across operating systems, a given absolute path may not exist on a specific test environment, a specified Internet URL may not be available when executing the tests, production environment filesystems usually differ from the development environment, ...etc. For all those reasons, a URI should never be hardcoded. Instead, it should be replaced by customizable parameter.
-
-
-Further even if the elements of a URI are obtained dynamically, portability can still be limited if the path-delimiters are hardcoded.
-
-
-This rule raises an issue when URI's or path delimiters are hardcoded.
+include::../description.adoc[]

 === Exceptions

 This rule does not raise an issue when an ASP.NET virtual path is passed as an argument to one of the following:

-* methods: ``++System.Web.HttpServerUtilityBase.MapPath()++``, ``++System.Web.HttpRequestBase.MapPath()++``, ``++System.Web.HttpResponseBase.ApplyAppPathModifier()++``, ``++System.Web.Mvc.UrlHelper.Content()++``
-* all methods of: ``++System.Web.VirtualPathUtility++``
-* constructors of: ``++Microsoft.AspNetCore.Mvc.VirtualFileResult++``, ``++Microsoft.AspNetCore.Routing.VirtualPathData++``
+* methods: `System.Web.HttpServerUtilityBase.MapPath()`, `System.Web.HttpRequestBase.MapPath()`, `System.Web.HttpResponseBase.ApplyAppPathModifier()`, `System.Web.Mvc.UrlHelper.Content()`
+* all methods of: `System.Web.VirtualPathUtility`
+* constructors of: `Microsoft.AspNetCore.Mvc.VirtualFileResult`, `Microsoft.AspNetCore.Routing.VirtualPathData`

+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+public class Foo {
+  public List<User> ListUsers() {
+    string userListPath = "/home/mylogin/Dev/users.txt"; // Noncompliant
+    return ParseUsers(userListPath);
+  }
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+public class Foo {
+  // Configuration is a class that returns customizable properties: it can be mocked to be injected during tests. 
+  private Configuration config;
+  public Foo(Configuration myConfig) {
+    this.config = myConfig;
+  }
+  public List<User> ListUsers() {
+    // Find here the way to get the correct folder, in this case using the Configuration object
+    string listingFolder = config.GetProperty("myApplication.listingFolder");
+    // and use this parameter instead of the hard coded path
+    string userListPath = Path.Combine(listingFolder, "users.txt"); // Compliant
+    return ParseUsers(userListPath);
+  }
+}
+----
+
+include::../resources.adoc[]

 ifdef::env-github,rspecator-view[]

@ -27,15 +56,6 @@ ifdef::env-github,rspecator-view[]

 * Refactor your code not to use hardcoded absolute paths or URIs.
 * Remove this hardcoded path-delimiter.
-
-
 '''
-== Comments And Links
-(visible only on this page)
-
-=== on 13 Jul 2017, 10:49:59 Amaury Levé wrote:
-Test classes are ignored for C#.
-
-include::../comments-and-links.adoc[]

 endif::env-github,rspecator-view[]
--- a/rules/S1075/description.adoc
+++ b/rules/S1075/description.adoc
@ -1,7 +1,14 @@
-Hard coding a URI makes it difficult to test a program: path literals are not always portable across operating systems,  a given absolute path may not exist on a specific test environment, a specified Internet URL may not be available when executing the tests, production environment filesystems usually differ from the development environment, ...etc. For all those reasons, a URI should never be hard coded. Instead, it should be replaced by customizable parameter.
+== Why is this an issue?

+Hard-coding a URI makes it difficult to test a program for a variety of reasons:

-Further even if the elements of a URI are obtained dynamically, portability can still be limited if the path-delimiters are hard-coded.
+    * path literals are not always portable across operating systems
+    * a given absolute path may not exist in a specific test environment
+    * a specified Internet URL may not be available when executing the tests
+    * production environment filesystems usually differ from the development environment

+For all those reasons, a URI should never be hard coded. Instead, it should be replaced by a customizable parameter.

-This rule raises an issue when URI's or path delimiters are hard coded.
+Further, even if the elements of a URI are obtained dynamically, portability can still be limited if the path delimiters are hard-coded.
+
+This rule raises an issue when URIs or path delimiters are hard-coded.
--- a/rules/S1075/go/rule.adoc
+++ b/rules/S1075/go/rule.adoc
@ -1,10 +1,12 @@
-== Why is this an issue?
-
 include::../description.adoc[]

-=== Noncompliant code example
+== How to fix it

-[source,go]
+=== Code examples
+
+==== Noncompliant code example
+
+[source,go,diff-id=1,diff-type=noncompliant]
 ----
 file, err := os.Open("accounts.txt") // Noncompliant
 if err != nil {
@ -17,9 +19,9 @@ if err != nil {
 }
 ----

-=== Compliant solution
+==== Compliant solution

-[source,go]
+[source,go,diff-id=1,diff-type=compliant]
 ----
 var location string = prop.Read("myApplication.mySpecificFile")
 file, err := os.Open(location)
@ -28,6 +30,7 @@ if err != nil {
 }
 ----

+include::../resources.adoc[]

 ifdef::env-github,rspecator-view[]

@ -38,16 +41,5 @@ ifdef::env-github,rspecator-view[]
 include::../message.adoc[]

 '''
-== Comments And Links
-(visible only on this page)
-
-=== on 18 Apr 2018, 15:25:24 Alexandre Gigleux wrote:
-This rule raises an issue when a string literal is used as a parameter of:
-
-* os.Open(...) from "os" package
-* ioutil.ReadFile(...) from "ioutil" package
-* url.Parse("https://example.org") from "net/url" package if it contains http or https
-
-include::../comments-and-links.adoc[]

 endif::env-github,rspecator-view[]
--- a/rules/S1075/java/rule.adoc
+++ b/rules/S1075/java/rule.adoc
@ -1,10 +1,12 @@
-== Why is this an issue?
-
 include::../description.adoc[]

-=== Noncompliant code example
+== How to fix it

-[source,java]
+=== Code examples
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant]
 ----
 public class Foo {
  public Collection<User> listUsers() {
@ -15,9 +17,9 @@ public class Foo {
 }
 ----

-=== Compliant solution
+==== Compliant solution

-[source,java]
+[source,java,diff-id=1,diff-type=compliant]
 ----
 public class Foo {
  // Configuration is a class that returns customizable properties: it can be mocked to be injected during tests. 
@ -36,9 +38,7 @@ public class Foo {
 }
 ----

-== Resources
-
-* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
+include::../resources.adoc[]

 ifdef::env-github,rspecator-view[]

@ -49,9 +49,5 @@ ifdef::env-github,rspecator-view[]
 include::../message.adoc[]

 '''
-== Comments And Links
-(visible only on this page)
-
-include::../comments-and-links.adoc[]

 endif::env-github,rspecator-view[]
--- a/rules/S1075/php/rule.adoc
+++ b/rules/S1075/php/rule.adoc
@ -1,4 +1,6 @@
-include::../rule.adoc[]
+include::../description.adoc[]
+
+include::../resources.adoc[]

 ifdef::env-github,rspecator-view[]

@ -9,9 +11,5 @@ ifdef::env-github,rspecator-view[]
 include::../message.adoc[]

 '''
-== Comments And Links
-(visible only on this page)
-
-include::../comments-and-links.adoc[]

 endif::env-github,rspecator-view[]
--- a/rules/S1075/resources.adoc
+++ b/rules/S1075/resources.adoc
@ -0,0 +1,3 @@
+== Resources
+
+* Carnegie Mellon University - https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J. Never hard code sensitive information]
--- a/rules/S1075/rule.adoc
+++ b/rules/S1075/rule.adoc
@ -1,4 +0,0 @@
-== Why is this an issue?
-
-include::description.adoc[]
-
--- a/rules/S1075/swift/rule.adoc
+++ b/rules/S1075/swift/rule.adoc
@ -1,10 +1,12 @@
-== Why is this an issue?
-
 include::../description.adoc[]

-=== Noncompliant code example
+== How to fix it

-[source,swift]
+=== Code examples
+
+==== Noncompliant code example
+
+[source,swift,diff-id=1,diff-type=noncompliant]
 ----
 public class Foo {
    public func listUsers() -> [User] {
@ -17,9 +19,9 @@ public class Foo {
 }
 ----

-=== Compliant solution
+==== Compliant solution

-[source,swift]
+[source,swift,diff-id=1,diff-type=compliant]
 ----
 public class Foo {
    // Configuration is a class that returns customizable properties: it can be mocked to be injected during tests. 
@ -39,6 +41,7 @@ public class Foo {
 }
 ----

+include::../resources.adoc[]

 ifdef::env-github,rspecator-view[]

@ -49,9 +52,5 @@ ifdef::env-github,rspecator-view[]
 include::../message.adoc[]

 '''
-== Comments And Links
-(visible only on this page)
-
-include::../comments-and-links.adoc[]

 endif::env-github,rspecator-view[]
--- a/rules/S1075/vbnet/rule.adoc
+++ b/rules/S1075/vbnet/rule.adoc
@ -1,4 +1,6 @@
-include::../rule.adoc[]
+include::../description.adoc[]
+
+include::../resources.adoc[]

 ifdef::env-github,rspecator-view[]

@ -9,9 +11,5 @@ ifdef::env-github,rspecator-view[]
 include::../message.adoc[]

 '''
-== Comments And Links
-(visible only on this page)
-
-include::../comments-and-links.adoc[]

 endif::env-github,rspecator-view[]