diff --git a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json index 18fceff5ee..bf8c9df019 100644 --- a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json +++ b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json @@ -156,6 +156,15 @@ }, "uniqueItems": true }, + "OWASP Mobile Top 10 2024": { + "type": "array", + "minItems": 0, + "items": { + "type": "string", + "pattern": "^M([1-9]|10)$" + }, + "uniqueItems": true + }, "PCI DSS 3.2": { "type": "array", "minItems": 0, diff --git a/rules/S2053/common/resources/standards-mobile.adoc b/rules/S2053/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..595876a587 --- /dev/null +++ b/rules/S2053/common/resources/standards-mobile.adoc @@ -0,0 +1,9 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/759[CWE-759 - Use of a One-Way Hash without a Salt] +* CWE - https://cwe.mitre.org/data/definitions/760[CWE-760 - Use of a One-Way Hash with a Predictable Salt] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords. + diff --git a/rules/S2053/java/metadata.json b/rules/S2053/java/metadata.json index 1797133380..9a70551bea 100644 --- a/rules/S2053/java/metadata.json +++ b/rules/S2053/java/metadata.json 
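Review bot: The new S2053 standards-mobile.adoc restates every bullet of the standards.adoc it replaces in the rule.adoc includes and only adds the OWASP Mobile Top 10 2024 line, and the same pattern repeats in the new standards-mobile.adoc files for S2076, S2083, S2755, S3329, S3649, S4347 and S4423, so the shared list and its mobile copy can now drift apart silently. standards.adoc itself is not in this diff, so presumably it stays for the non-mobile languages; if so, record the coupling at the top of each new file, e.g. `// Keep in sync with standards.adoc: this copy differs only by the OWASP Mobile Top 10 2024 bullet`, or have the mobile file include the shared one and append the extra bullet if the rspec tooling tolerates nested includes. The 2024 bullets link the `2023-risks` path under a "2024" label; that appears to be how OWASP hosts the current list, but a short comment saying so would stop a later editor from "fixing" the URL.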
@@ -1,3 +1,26 @@ { - + "securityStandards": { + "CWE": [ + 759, + 760 + ], + "OWASP": [ + "A3" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "STIG ASD_V5R3": [ + "V-222542" + ] + } } diff --git a/rules/S2053/java/rule.adoc b/rules/S2053/java/rule.adoc index 46dcfeb462..4e731af0f9 100644 --- a/rules/S2053/java/rule.adoc +++ b/rules/S2053/java/rule.adoc @@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S2053/kotlin/metadata.json b/rules/S2053/kotlin/metadata.json index 1797133380..77eeae54ca 100644 --- a/rules/S2053/kotlin/metadata.json +++ b/rules/S2053/kotlin/metadata.json @@ -1,3 +1,26 @@ { - + "securityStandards": { + "CWE": [ + 759, + 760 + ], + "OWASP": [ + "A3" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "STIG ASD_V5R3": [ + "V-222542" + ] + } } diff --git a/rules/S2053/kotlin/rule.adoc b/rules/S2053/kotlin/rule.adoc index 942d6e4804..91a840627d 100644 --- a/rules/S2053/kotlin/rule.adoc +++ b/rules/S2053/kotlin/rule.adoc @@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S2076/common/resources/standards-mobile.adoc b/rules/S2076/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..9c78673f0c --- /dev/null +++ b/rules/S2076/common/resources/standards-mobile.adoc 
@@ -0,0 +1,10 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222604[Application Security and Development: V-222604] - The application must protect from command injection. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S2076/java/metadata.json b/rules/S2076/java/metadata.json index 1797133380..1f3e1f3acf 100644 --- a/rules/S2076/java/metadata.json +++ b/rules/S2076/java/metadata.json @@ -1,3 +1,33 @@ { - + "securityStandards": { + "CWE": [ + 20, + 78 + ], + "OWASP": [ + "A1" + ], + "OWASP Top 10 2021": [ + "A3" + ], + "OWASP Mobile Top 10 2024": [ + "M4" + ], + "PCI DSS 3.2": [ + "6.5.1" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "12.3.5", + "5.1.3", + "5.1.4", + "5.3.8" + ], + "STIG ASD_V5R3": [ + "V-222604", + "V-222609" + ] + } } diff --git a/rules/S2076/java/rule.adoc b/rules/S2076/java/rule.adoc index 2cb1888e69..0c8bfd586e 100644 --- a/rules/S2076/java/rule.adoc +++ b/rules/S2076/java/rule.adoc 
@@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[] include::../common/resources/docs.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S2083/common/resources/standards-mobile.adoc b/rules/S2083/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..a2ed108caa --- /dev/null +++ b/rules/S2083/common/resources/standards-mobile.adoc @@ -0,0 +1,11 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S2083/java/metadata.json b/rules/S2083/java/metadata.json index 1797133380..7b996c1271 100644 --- a/rules/S2083/java/metadata.json +++ b/rules/S2083/java/metadata.json 
@@ -1,3 +1,33 @@ { - + "securityStandards": { + "CWE": [ + 20, + 22 + ], + "OWASP": [ + "A5", + "A1" + ], + "OWASP Top 10 2021": [ + "A1", + "A3" + ], + "OWASP Mobile Top 10 2024": [ + "M4" + ], + "PCI DSS 3.2": [ + "6.5.8" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "12.3.1", + "5.1.3", + "5.1.4" + ], + "STIG ASD_V5R3": [ + "V-222609" + ] + } } diff --git a/rules/S2083/java/rule.adoc b/rules/S2083/java/rule.adoc index 39451c7fc9..3a6722bf87 100644 --- a/rules/S2083/java/rule.adoc +++ b/rules/S2083/java/rule.adoc @@ -10,7 +10,7 @@ include::how-to-fix-it/java-se.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S2245/cfamily/metadata.json b/rules/S2245/cfamily/metadata.json index 40c5139229..9e7932cd15 100644 --- a/rules/S2245/cfamily/metadata.json +++ b/rules/S2245/cfamily/metadata.json @@ -18,12 +18,6 @@ "OWASP": [ "A3" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-6" - ], "OWASP Top 10 2021": [ "A2" ], diff --git a/rules/S2245/cfamily/rule.adoc b/rules/S2245/cfamily/rule.adoc index fc71c968cd..0904d5af3d 100644 --- a/rules/S2245/cfamily/rule.adoc +++ b/rules/S2245/cfamily/rule.adoc 
@@ -38,17 +38,8 @@ void f() { } ---- -== See +include::../see.adoc[] -* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet] -* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] -* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)] -* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values] -* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength] -* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator] * https://wiki.sei.cmu.edu/confluence/x/UNcxBQ[CERT, MSC30-C.] - Do not use the rand() function for generating pseudorandom numbers * https://wiki.sei.cmu.edu/confluence/x/2ns-BQ[CERT, MSC50-CPP.] - Do not use std::rand() for generating pseudorandom numbers * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator] diff --git a/rules/S2245/java/metadata.json b/rules/S2245/java/metadata.json index 42f220e0b0..c38b354832 100644 --- a/rules/S2245/java/metadata.json +++ b/rules/S2245/java/metadata.json @@ -17,6 +17,9 @@ "OWASP Mobile": [ "M5" ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], "MASVS": [ "MSTG-CRYPTO-6" ], 
diff --git a/rules/S2245/java/rule.adoc b/rules/S2245/java/rule.adoc index 7f803eaa03..15b8663246 100644 --- a/rules/S2245/java/rule.adoc +++ b/rules/S2245/java/rule.adoc @@ -27,19 +27,12 @@ byte bytes[] = new byte[20]; random.nextBytes(bytes); ---- -== See +include::../see.adoc[] -* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet] -* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] -* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)] -* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values] -* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength] -* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] * https://wiki.sei.cmu.edu/confluence/x/oTdGBQ[CERT, MSC02-J.] - Generate strong random numbers -* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator] ifdef::env-github,rspecator-view[] diff --git a/rules/S2245/kotlin/metadata.json b/rules/S2245/kotlin/metadata.json index 6afd55ee1c..0496ddd650 100644 
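Review bot: The Java rule loses its FindSecBugs attribution entirely: the `* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]` bullet is removed here and the same bullet is removed from the shared see.adoc in this commit, while the cfamily rule.adoc keeps its own inline copy as an untouched context line. FindSecBugs is a Java analyzer, so if the attribution is to survive anywhere it belongs on this page; re-add the bullet after the CERT MSC02-J line, or drop it from cfamily as well if removal was intended. Either way the two language pages should agree on it.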
--- a/rules/S2245/kotlin/metadata.json +++ b/rules/S2245/kotlin/metadata.json @@ -1,3 +1,29 @@ { + "securityStandards": { + "CWE": [ + 326, + 330, + 338, + 1241 + ], + "OWASP": [ + "A3" + ], + "OWASP Mobile": [ + "M5" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "MASVS": [ + "MSTG-CRYPTO-6" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "ASVS 4.0": [ + "6.2.4" + ] + }, "quickfix": "unknown" } diff --git a/rules/S2245/kotlin/rule.adoc b/rules/S2245/kotlin/rule.adoc index 5ecb09225d..603c7548b9 100644 --- a/rules/S2245/kotlin/rule.adoc +++ b/rules/S2245/kotlin/rule.adoc @@ -23,6 +23,10 @@ random.nextBytes(bytes) include::../see.adoc[] +* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S2245/metadata.json b/rules/S2245/metadata.json index 4b0925b6fc..5fb9f84c03 100644 --- a/rules/S2245/metadata.json +++ b/rules/S2245/metadata.json @@ -37,12 +37,6 @@ "OWASP": [ "A3" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-6" - ], "OWASP Top 10 2021": [ "A2" ], diff --git a/rules/S2245/see.adoc b/rules/S2245/see.adoc index de5e28b4cc..50d0362e92 100644 --- a/rules/S2245/see.adoc +++ b/rules/S2245/see.adoc 
@@ -3,10 +3,7 @@ * OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet] * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] * CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)] * CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values] * CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength] -* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator] -* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator] +* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator] \ No newline at end of file diff --git a/rules/S2755/common/resources/standards-mobile.adoc b/rules/S2755/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..844cdbff50 --- /dev/null +++ b/rules/S2755/common/resources/standards-mobile.adoc 
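Review bot: The rewritten last line drops the file's trailing newline (`\ No newline at end of file` now applies to the new side), which is the only reason the CWE-1241 bullet shows as removed and re-added although its text is unchanged. Restoring the final line break keeps the next edit to see.adoc from re-touching that bullet and removes any dependence on the include processor tolerating a file that ends mid-line, since the java, kotlin and cfamily rule.adoc pages now append their own bullets directly after `include::../see.adoc[]`.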
@@ -0,0 +1,10 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] +* CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Information Exposure Through XML External Entity Reference] +* CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks. + diff --git a/rules/S2755/java/metadata.json b/rules/S2755/java/metadata.json index 22d3a48777..6c95efca27 100644 --- a/rules/S2755/java/metadata.json +++ b/rules/S2755/java/metadata.json @@ -1,4 +1,32 @@ { + "securityStandards": { + "CWE": [ + 611, + 827 + ], + "OWASP": [ + "A4" + ], + "OWASP Top 10 2021": [ + "A5" + ], + "OWASP Mobile Top 10 2024": [ + "M4", + "M8" + ], + "PCI DSS 3.2": [ + "6.5.1" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "5.5.2" + ], + "STIG ASD_V5R3": [ + "V-222608" + ] + }, "quickfix": "infeasible", "tags": [ "cwe", diff --git a/rules/S2755/java/rule.adoc b/rules/S2755/java/rule.adoc index 05368bfb91..d2238a3734 100644 --- a/rules/S2755/java/rule.adoc +++ b/rules/S2755/java/rule.adoc 
@@ -18,7 +18,7 @@ include::how-to-fix-it/sax.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S3329/common/resources/standards-mobile.adoc b/rules/S3329/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..dd0d1dd74a --- /dev/null +++ b/rules/S3329/common/resources/standards-mobile.adoc @@ -0,0 +1,11 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/329[CWE-329 - Not Using an Unpredictable IV with CBC Mode] +* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP] +* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation diff --git a/rules/S3329/java/metadata.json b/rules/S3329/java/metadata.json index cda14dd95f..482c55666a 100644 --- a/rules/S3329/java/metadata.json +++ b/rules/S3329/java/metadata.json @@ -31,6 +31,9 @@ "OWASP Mobile": [ "M5" ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], "MASVS": [ "MSTG-CRYPTO-3" ] 
diff --git a/rules/S3329/java/rule.adoc b/rules/S3329/java/rule.adoc index 75fad5204d..adba8a6fe4 100644 --- a/rules/S3329/java/rule.adoc +++ b/rules/S3329/java/rule.adoc @@ -19,10 +19,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] - -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S3329/kotlin/metadata.json b/rules/S3329/kotlin/metadata.json index cda14dd95f..482c55666a 100644 --- a/rules/S3329/kotlin/metadata.json +++ b/rules/S3329/kotlin/metadata.json @@ -31,6 +31,9 @@ "OWASP Mobile": [ "M5" ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], "MASVS": [ "MSTG-CRYPTO-3" ] diff --git a/rules/S3329/kotlin/rule.adoc b/rules/S3329/kotlin/rule.adoc index 75fad5204d..adba8a6fe4 100644 --- a/rules/S3329/kotlin/rule.adoc +++ b/rules/S3329/kotlin/rule.adoc @@ -19,10 +19,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] - -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S3649/common/resources/standards-mobile.adoc b/rules/S3649/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..6a10a4dc89 --- /dev/null +++ b/rules/S3649/common/resources/standards-mobile.adoc 
@@ -0,0 +1,11 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command] +* https://wiki.sei.cmu.edu/confluence/x/ITdGBQ[CERT, IDS00-J.] - Prevent SQL injection +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222607[Application Security and Development: V-222607] - The application must not be vulnerable to SQL Injection. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S3649/java/metadata.json b/rules/S3649/java/metadata.json index ddd301d351..da27b1441f 100644 --- a/rules/S3649/java/metadata.json +++ b/rules/S3649/java/metadata.json @@ -1,7 +1,38 @@ { - "tags": [ - "cwe", - "sql", - "android" - ] + "securityStandards": { + "CWE": [ + 20, + 89 + ], + "OWASP": [ + "A1" + ], + "OWASP Top 10 2021": [ + "A3" + ], + "OWASP Mobile Top 10 2024": [ + "M4" + ], + "PCI DSS 3.2": [ + "6.5.1" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "5.1.3", + "5.1.4", + "5.3.4", + "5.3.5" + ], + "STIG ASD_V5R3": [ + "V-222607", + "V-222609" + ] + }, + "tags": [ + "cwe", + "sql", + "android" + ] } diff --git a/rules/S3649/java/rule.adoc b/rules/S3649/java/rule.adoc index b49ffcecb6..613af9b609 100644 --- a/rules/S3649/java/rule.adoc +++ b/rules/S3649/java/rule.adoc 
@@ -26,7 +26,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4347/common/resources/standards-mobile.adoc b/rules/S4347/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..30bc8c170c --- /dev/null +++ b/rules/S4347/common/resources/standards-mobile.adoc @@ -0,0 +1,10 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values] +* CWE - https://cwe.mitre.org/data/definitions/332[CWE-332 - Insufficient Entropy in PRNG] +* CWE - https://cwe.mitre.org/data/definitions/336[CWE-336 - Same Seed in Pseudo-Random Number Generator (PRNG)] +* CWE - https://cwe.mitre.org/data/definitions/337[CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)] +* https://wiki.sei.cmu.edu/confluence/display/java/MSC63-J.+Ensure+that+SecureRandom+is+properly+seeded[CERT, MSC63J.] - Ensure that SecureRandom is properly seeded diff --git a/rules/S4347/java/metadata.json b/rules/S4347/java/metadata.json index 9e26dfeeb6..097d80f3dd 100644 --- a/rules/S4347/java/metadata.json +++ b/rules/S4347/java/metadata.json 
@@ -1 +1,24 @@ -{} \ No newline at end of file +{ + "securityStandards": { + "CWE": [ + 330, + 332, + 336, + 337 + ], + "OWASP": [ + "A6" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "ASVS 4.0": [ + "2.3.1", + "2.6.2", + "2.9.2" + ] + } +} \ No newline at end of file diff --git a/rules/S4347/java/rule.adoc b/rules/S4347/java/rule.adoc index 19179e79f3..7c984e79c3 100644 --- a/rules/S4347/java/rule.adoc +++ b/rules/S4347/java/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4347/kotlin/metadata.json b/rules/S4347/kotlin/metadata.json index 9e26dfeeb6..097d80f3dd 100644 --- a/rules/S4347/kotlin/metadata.json +++ b/rules/S4347/kotlin/metadata.json @@ -1 +1,24 @@ -{} \ No newline at end of file +{ + "securityStandards": { + "CWE": [ + 330, + 332, + 336, + 337 + ], + "OWASP": [ + "A6" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "ASVS 4.0": [ + "2.3.1", + "2.6.2", + "2.9.2" + ] + } +} \ No newline at end of file diff --git a/rules/S4347/kotlin/rule.adoc b/rules/S4347/kotlin/rule.adoc index 1f8b7b4fd5..c82d3e0c44 100644 --- a/rules/S4347/kotlin/rule.adoc +++ b/rules/S4347/kotlin/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4423/azureresourcemanager/metadata.json b/rules/S4423/azureresourcemanager/metadata.json index 03df4cf69d..398b18e359 100644 --- a/rules/S4423/azureresourcemanager/metadata.json +++ b/rules/S4423/azureresourcemanager/metadata.json 
@@ -10,14 +10,6 @@ 326, 295 ], - "OWASP": [ - ], - "OWASP Mobile": [ - ], - "MASVS": [ - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", "6.5.4" @@ -27,6 +19,10 @@ "6.2.4" ], "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } diff --git a/rules/S4423/azureresourcemanager/rule.adoc b/rules/S4423/azureresourcemanager/rule.adoc index 0d74a4e717..b6891b5afb 100644 --- a/rules/S4423/azureresourcemanager/rule.adoc +++ b/rules/S4423/azureresourcemanager/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards_iac.adoc[] +include::../common/resources/standards-iac.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4423/cloudformation/metadata.json b/rules/S4423/cloudformation/metadata.json index c3dc2e9fd1..3e916066d3 100644 --- a/rules/S4423/cloudformation/metadata.json +++ b/rules/S4423/cloudformation/metadata.json @@ -10,14 +10,6 @@ 326, 295 ], - "OWASP": [ - ], - "OWASP Mobile": [ - ], - "MASVS": [ - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", "6.5.4" @@ -27,6 +19,10 @@ "6.2.4" ], "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } diff --git a/rules/S4423/cloudformation/rule.adoc b/rules/S4423/cloudformation/rule.adoc index 8bde450721..85f54c8d7e 100644 --- a/rules/S4423/cloudformation/rule.adoc +++ b/rules/S4423/cloudformation/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards_iac.adoc[] +include::../common/resources/standards-iac.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4423/common/resources/standards_iac.adoc b/rules/S4423/common/resources/standards-iac.adoc similarity index 100% rename from rules/S4423/common/resources/standards_iac.adoc rename to rules/S4423/common/resources/standards-iac.adoc 
diff --git a/rules/S4423/common/resources/standards-mobile.adoc b/rules/S4423/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..bbc6115417 --- /dev/null +++ b/rules/S4423/common/resources/standards-mobile.adoc @@ -0,0 +1,10 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication] +* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm] diff --git a/rules/S4423/docker/metadata.json b/rules/S4423/docker/metadata.json index d904c7d105..1da2c818ea 100644 --- a/rules/S4423/docker/metadata.json +++ b/rules/S4423/docker/metadata.json 
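Review bot: The 2016 entry in this file does not match the metadata it accompanies: the bullet links `Mobile Top 10 2016 Category M5 - Insufficient Cryptography`, while the new java and kotlin metadata.json record `"OWASP Mobile": ["M3"]`, and the 2024 category chosen here is `M5 - Insecure Communication`, i.e. the communication risk rather than the cryptography one. One side should be corrected; given the 2024 choice and CWE-295 in the metadata, the 2016 bullet most likely should point at the M3 - Insecure Communication category, following the same URL pattern as the existing 2016 link. Separately, the metadata lists CWE 327, 326 and 295 but this file links only CWE-327, whereas every other standards-mobile.adoc in this commit links each CWE in its metadata; if the replaced standards.adoc carried CWE-326 and CWE-295 bullets, they were lost when the java and kotlin rule.adoc switched to this include.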
@@ -1,30 +1,27 @@ { "tags": [ - "cwe", - "privacy" + "cwe", + "privacy" ], - "securityStandards": { - "CWE": [ - 327, - 326, - 295 - ], - "OWASP": [], - "OWASP Mobile": [], - "MASVS": [], - "OWASP Top 10 2021": [], - "PCI DSS 3.2": [ - "4.1", - "6.5.4" - ], - "PCI DSS 4.0": [ - "4.2.1", - "6.2.4" - ], - "ASVS 4.0": [ - "8.3.7", - "9.1.2", - "9.1.3" - ] - } -} \ No newline at end of file + "securityStandards": { + "CWE": [ + 327, + 326, + 295 + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ + ] + } +} diff --git a/rules/S4423/docker/rule.adoc b/rules/S4423/docker/rule.adoc index a6d9d457f3..a358ca281a 100644 --- a/rules/S4423/docker/rule.adoc +++ b/rules/S4423/docker/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards_iac.adoc[] +include::../common/resources/standards-iac.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4423/java/metadata.json b/rules/S4423/java/metadata.json index 1797133380..3a390b6bfb 100644 --- a/rules/S4423/java/metadata.json +++ b/rules/S4423/java/metadata.json @@ -1,3 +1,39 @@ { - + "securityStandards": { + "CWE": [ + 327, + 326, + 295 + ], + "OWASP": [ + "A3", + "A6" + ], + "OWASP Mobile": [ + "M3" + ], + "OWASP Mobile Top 10 2024": [ + "M5" + ], + "MASVS": [ + "MSTG-NETWORK-2" + ], + "OWASP Top 10 2021": [ + "A2", + "A7" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + "8.3.7", + "9.1.2", + "9.1.3" + ] + } } diff --git a/rules/S4423/java/rule.adoc b/rules/S4423/java/rule.adoc index 6f93dac3c7..2fbca0b153 100644 --- a/rules/S4423/java/rule.adoc +++ b/rules/S4423/java/rule.adoc 
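Review bot: The docker metadata silently drops its ASVS 4.0 references: the old side has `"ASVS 4.0": ["8.3.7", "9.1.2", "9.1.3"]` and the new side has an empty array, although the rest of the hunk is a re-indent plus the removal of the empty OWASP Mobile and MASVS keys, and the java and kotlin metadata in this same commit keep those three values. The sibling IaC files (azureresourcemanager, cloudformation, terraform) already had an empty array, so this looks like the docker file was regenerated from their template rather than an intentional change. Unless Dockerfile analysis really has no ASVS mapping, restore the three entries; if the drop is deliberate, say so in the commit message so the next reader does not re-add them.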
@@ -21,11 +21,8 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
-* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4423/kotlin/metadata.json b/rules/S4423/kotlin/metadata.json
index 1797133380..3a390b6bfb 100644
--- a/rules/S4423/kotlin/metadata.json
+++ b/rules/S4423/kotlin/metadata.json
@@ -1,3 +1,39 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 327,
+ 326,
+ 295
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-2"
+ ],
+ "OWASP Top 10 2021": [
+ "A2",
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "8.3.7",
+ "9.1.2",
+ "9.1.3"
+ ]
+ }
 }
diff --git a/rules/S4423/kotlin/rule.adoc b/rules/S4423/kotlin/rule.adoc
index 40f23d21b6..3e64c22a6f 100644
--- a/rules/S4423/kotlin/rule.adoc
+++ b/rules/S4423/kotlin/rule.adoc
@@ -21,11 +21,8 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
-* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4423/metadata.json b/rules/S4423/metadata.json
index 0b62919ced..4fe66b4aed 100644
--- a/rules/S4423/metadata.json
+++ b/rules/S4423/metadata.json
@@ -38,12 +38,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-2"
- ],
 "OWASP Top 10 2021": [
 "A2",
 "A7"
diff --git a/rules/S4423/terraform/metadata.json b/rules/S4423/terraform/metadata.json
index 07ad8b769b..05019b990d 100644
--- a/rules/S4423/terraform/metadata.json
+++ b/rules/S4423/terraform/metadata.json
@@ -12,14 +12,6 @@
 326,
 295
 ],
- "OWASP": [
- ],
- "OWASP Mobile": [
- ],
- "MASVS": [
- ],
- "OWASP Top 10 2021": [
- ],
 "PCI DSS 3.2": [
 "4.1",
 "6.5.4"
@@ -29,6 +21,10 @@
 "6.2.4"
 ],
 "ASVS 4.0": [
+ ],
+ "OWASP": [
+ ],
+ "OWASP Top 10 2021": [
 ]
 }
 }
diff --git a/rules/S4423/terraform/rule.adoc b/rules/S4423/terraform/rule.adoc
index 0ad75e022e..5c782cce80 100644
--- a/rules/S4423/terraform/rule.adoc
+++ b/rules/S4423/terraform/rule.adoc
@@ -27,7 +27,7 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards_iac.adoc[]
+include::../common/resources/standards-iac.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4426/common/resources/standards-mobile.adoc b/rules/S4426/common/resources/standards-mobile.adoc
new file mode 100644
index 0000000000..6d688d0595
--- /dev/null
+++ b/rules/S4426/common/resources/standards-mobile.adoc
@@ -0,0 +1,12 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf[NIST 800-131A] - Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
+* https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
diff --git a/rules/S4426/common/resources/standards.adoc b/rules/S4426/common/resources/standards.adoc
index b20c8a93c6..c92153804d 100644
--- a/rules/S4426/common/resources/standards.adoc
+++ b/rules/S4426/common/resources/standards.adoc
@@ -3,8 +3,6 @@
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf[NIST 800-131A] - Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
 * CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
 * CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S4426/java/metadata.json b/rules/S4426/java/metadata.json
index ebf5d2648f..f4f707cb4d 100644
--- a/rules/S4426/java/metadata.json
+++ b/rules/S4426/java/metadata.json
@@ -1,4 +1,28 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 326
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "ASVS 4.0": [
+ "6.2.3"
+ ]
+ },
 "tags": [
 "cwe",
 "privacy",
diff --git a/rules/S4426/java/rule.adoc b/rules/S4426/java/rule.adoc
index c825a9e897..14055c69e0 100644
--- a/rules/S4426/java/rule.adoc
+++ b/rules/S4426/java/rule.adoc
@@ -18,7 +18,7 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
diff --git a/rules/S4426/kotlin/metadata.json b/rules/S4426/kotlin/metadata.json
index 1797133380..8c44c78d84 100644
--- a/rules/S4426/kotlin/metadata.json
+++ b/rules/S4426/kotlin/metadata.json
@@ -1,3 +1,26 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 326
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "ASVS 4.0": [
+ "6.2.3"
+ ]
+ }
 }
diff --git a/rules/S4426/kotlin/rule.adoc b/rules/S4426/kotlin/rule.adoc
index 9db4865910..fb8a1f42c7 100644
--- a/rules/S4426/kotlin/rule.adoc
+++ b/rules/S4426/kotlin/rule.adoc
@@ -18,7 +18,7 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4426/metadata.json b/rules/S4426/metadata.json
index ebe2380d34..9613c80f08 100644
--- a/rules/S4426/metadata.json
+++ b/rules/S4426/metadata.json
@@ -36,12 +36,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-3"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S4790/java/metadata.json b/rules/S4790/java/metadata.json
index 6afd55ee1c..462bec773f 100644
--- a/rules/S4790/java/metadata.json
+++ b/rules/S4790/java/metadata.json
@@ -1,3 +1,32 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 1240
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-4"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "3.4",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ]
+ },
 "quickfix": "unknown"
 }
diff --git a/rules/S4790/java/rule.adoc b/rules/S4790/java/rule.adoc
index 1bcb6b15ec..753fae8e1c 100644
--- a/rules/S4790/java/rule.adoc
+++ b/rules/S4790/java/rule.adoc
@@ -18,7 +18,7 @@ MessageDigest md2 = MessageDigest.getInstance("SHA1"); // Sensitive
 MessageDigest md1 = MessageDigest.getInstance("SHA-512"); // Compliant
 ----
-include::../see.adoc[]
+include::../see-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4790/kotlin/metadata.json b/rules/S4790/kotlin/metadata.json
index 6afd55ee1c..462bec773f 100644
--- a/rules/S4790/kotlin/metadata.json
+++ b/rules/S4790/kotlin/metadata.json
@@ -1,3 +1,32 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 1240
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-4"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "3.4",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ]
+ },
 "quickfix": "unknown"
 }
diff --git a/rules/S4790/kotlin/rule.adoc b/rules/S4790/kotlin/rule.adoc
index 45ac9fdd89..7d552a27a5 100644
--- a/rules/S4790/kotlin/rule.adoc
+++ b/rules/S4790/kotlin/rule.adoc
@@ -40,7 +40,7 @@ val md2: MessageDigest = MessageDigest.getInstance("SHA1"); // Sensitive
 val md1: MessageDigest = MessageDigest.getInstance("SHA-512"); // Compliant
 ----
-include::../see.adoc[]
+include::../see-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4790/metadata.json b/rules/S4790/metadata.json
index ddc2421bd2..69c5ef5f24 100644
--- a/rules/S4790/metadata.json
+++ b/rules/S4790/metadata.json
@@ -31,12 +31,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-4"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S4790/see-mobile.adoc b/rules/S4790/see-mobile.adoc
new file mode 100644
index 0000000000..5f1a5eed2d
--- /dev/null
+++ b/rules/S4790/see-mobile.adoc
@@ -0,0 +1,9 @@
+== See
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/1240[CWE-1240 - Use of a Risky Cryptographic Primitive]
diff --git a/rules/S4790/see.adoc b/rules/S4790/see.adoc
index eb87bf3d7a..7c229eb25f 100644
--- a/rules/S4790/see.adoc
+++ b/rules/S4790/see.adoc
@@ -3,6 +3,4 @@
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 * CWE - https://cwe.mitre.org/data/definitions/1240[CWE-1240 - Use of a Risky Cryptographic Primitive]
diff --git a/rules/S4790/swift/metadata.json b/rules/S4790/swift/metadata.json
index 1797133380..08d1317e81 100644
--- a/rules/S4790/swift/metadata.json
+++ b/rules/S4790/swift/metadata.json
@@ -1,3 +1,31 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 1240
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-4"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "3.4",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ]
+ }
 }
diff --git a/rules/S4790/swift/rule.adoc b/rules/S4790/swift/rule.adoc
index fc15de4c0a..79847a6aa5 100644
--- a/rules/S4790/swift/rule.adoc
+++ b/rules/S4790/swift/rule.adoc
@@ -23,7 +23,7 @@ let bytes:Array = [0x01, 0x02, 0x03]
 let digest = input.sha512() // Compliant
 ----
-include::../see.adoc[]
+include::../see-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4830/cfamily/metadata.json b/rules/S4830/cfamily/metadata.json
index 143821015e..2b3e29c848 100644
--- a/rules/S4830/cfamily/metadata.json
+++ b/rules/S4830/cfamily/metadata.json
@@ -18,12 +18,6 @@
 "A6",
 "A3"
 ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-3"
- ],
 "OWASP Top 10 2021": [
 "A2",
 "A5",
diff --git a/rules/S4830/common/resources/standards-mobile.adoc b/rules/S4830/common/resources/standards-mobile.adoc
new file mode 100644
index 0000000000..7d23b4e9c7
--- /dev/null
+++ b/rules/S4830/common/resources/standards-mobile.adoc
@@ -0,0 +1,13 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication]
+* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
+* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
+
diff --git a/rules/S4830/common/resources/standards.adoc b/rules/S4830/common/resources/standards.adoc
index 9dfbc5f780..e96dbb6dd3 100644
--- a/rules/S4830/common/resources/standards.adoc
+++ b/rules/S4830/common/resources/standards.adoc
@@ -5,8 +5,6 @@
 * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
-* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
 * CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
 * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
diff --git a/rules/S4830/java/metadata.json b/rules/S4830/java/metadata.json
index fbfba21ad9..cce0c4ad4a 100644
--- a/rules/S4830/java/metadata.json
+++ b/rules/S4830/java/metadata.json
@@ -19,6 +19,9 @@
 "OWASP Mobile": [
 "M3"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
 "MASVS": [
 "MSTG-NETWORK-3"
 ],
diff --git a/rules/S4830/java/rule.adoc b/rules/S4830/java/rule.adoc
index d92e67ca49..b0a0e191d5 100644
--- a/rules/S4830/java/rule.adoc
+++ b/rules/S4830/java/rule.adoc
@@ -12,7 +12,7 @@ include::how-to-fix-it/java-cryptography-extension.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 * https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
diff --git a/rules/S4830/kotlin/metadata.json b/rules/S4830/kotlin/metadata.json
index 1797133380..e5e18dbfc5 100644
--- a/rules/S4830/kotlin/metadata.json
+++ b/rules/S4830/kotlin/metadata.json
@@ -1,3 +1,41 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 295
+ ],
+ "OWASP": [
+ "A6",
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2",
+ "A5",
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4",
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "1.9.2",
+ "9.2.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222550"
+ ]
+ }
 }
diff --git a/rules/S4830/kotlin/rule.adoc b/rules/S4830/kotlin/rule.adoc
index d92e67ca49..b0a0e191d5 100644
--- a/rules/S4830/kotlin/rule.adoc
+++ b/rules/S4830/kotlin/rule.adoc
@@ -12,7 +12,7 @@ include::how-to-fix-it/java-cryptography-extension.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 * https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
diff --git a/rules/S4830/metadata.json b/rules/S4830/metadata.json
index ed5df7ba49..dd25281f4c 100644
--- a/rules/S4830/metadata.json
+++ b/rules/S4830/metadata.json
@@ -37,12 +37,6 @@
 "A6",
 "A3"
 ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-3"
- ],
 "OWASP Top 10 2021": [
 "A2",
 "A5",
diff --git a/rules/S5320/metadata.json b/rules/S5320/metadata.json
index 002c09bc5d..d40744432f 100644
--- a/rules/S5320/metadata.json
+++ b/rules/S5320/metadata.json
@@ -31,6 +31,10 @@
 "OWASP Mobile": [
 "M1"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M3",
+ "M8"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-4"
 ],
diff --git a/rules/S5320/see.adoc b/rules/S5320/see.adoc
index 64ba054c5d..953c39c1eb 100644
--- a/rules/S5320/see.adoc
+++ b/rules/S5320/see.adoc
@@ -2,5 +2,7 @@
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/927[CWE-927 - Use of Implicit Intent for Sensitive Communication]
 * https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions[Android documentation] - Broadcast Overview - Security considerations and best practices
\ No newline at end of file
diff --git a/rules/S5322/metadata.json b/rules/S5322/metadata.json
index fcc9b48106..1c15f824df 100644
--- a/rules/S5322/metadata.json
+++ b/rules/S5322/metadata.json
@@ -32,6 +32,10 @@
 "OWASP Mobile": [
 "M1"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M3",
+ "M4"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-2"
 ]
diff --git a/rules/S5322/see.adoc b/rules/S5322/see.adoc
index 49b06ee7f3..e100c7d444 100644
--- a/rules/S5322/see.adoc
+++ b/rules/S5322/see.adoc
@@ -2,6 +2,8 @@
 * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
 * CWE - https://cwe.mitre.org/data/definitions/925[CWE-925 - Improper Verification of Intent by Broadcast Receiver]
 * CWE - https://cwe.mitre.org/data/definitions/926[CWE-926 - Improper Export of Android Application Components]
 * https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions[Android documentation] - Broadcast Overview - Security considerations and best practices
diff --git a/rules/S5324/metadata.json b/rules/S5324/metadata.json
index 72d7c16ca7..44870b79e0 100644
--- a/rules/S5324/metadata.json
+++ b/rules/S5324/metadata.json
@@ -31,6 +31,9 @@
 "OWASP Mobile": [
 "M2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M9"
+ ],
 "MASVS": [
 "MSTG-STORAGE-1"
 ],
diff --git a/rules/S5324/see.adoc b/rules/S5324/see.adoc
index 48d8b28276..18fd6c747b 100644
--- a/rules/S5324/see.adoc
+++ b/rules/S5324/see.adoc
@@ -4,4 +4,5 @@ * https://developer.android.com/privacy-and-security/security-tips#ExternalStorage[Android Security tips on external file storage] * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage] * CWE - https://cwe.mitre.org/data/definitions/312[CWE-312 - Cleartext Storage of Sensitive Information] diff --git a/rules/S5332/ansible/metadata.json b/rules/S5332/ansible/metadata.json index b290eb96d5..93df390c27 100644 --- a/rules/S5332/ansible/metadata.json +++ b/rules/S5332/ansible/metadata.json @@ -3,18 +3,6 @@ "CWE": [ 200, 319 - ], - "OWASP": [ - - ], - "OWASP Mobile": [ - - ], - "MASVS": [ - - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", @@ -23,9 +11,6 @@ "PCI DSS 4.0": [ "4.2.1", "6.2.4" - ], - "ASVS 4.0": [ - ], "STIG ASD_V5R3": [ "V-222397", @@ -37,6 +22,12 @@ "V-222597", "V-222598", "V-222599" + ], + "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } \ No newline at end of file diff --git a/rules/S5332/azureresourcemanager/metadata.json b/rules/S5332/azureresourcemanager/metadata.json index ede079338c..9e86558a63 100644 --- a/rules/S5332/azureresourcemanager/metadata.json +++ b/rules/S5332/azureresourcemanager/metadata.json @@ -6,18 +6,6 @@ "CWE": [ 200, 319 - ], - "OWASP": [ - - ], - "OWASP Mobile": [ - - ], - "MASVS": [ - - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", @@ -26,9 +14,6 @@ "PCI DSS 4.0": [ "4.2.1", "6.2.4" - ], - "ASVS 4.0": [ - ], "STIG ASD_V5R3": [ "V-222397", @@ -40,6 +25,12 @@ "V-222597", "V-222598", "V-222599" + ], + "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } 
diff --git a/rules/S5332/cloudformation/metadata.json b/rules/S5332/cloudformation/metadata.json index 8a14dd8d54..6eb9a007da 100644 --- a/rules/S5332/cloudformation/metadata.json +++ b/rules/S5332/cloudformation/metadata.json @@ -7,18 +7,6 @@ "CWE": [ 200, 319 - ], - "OWASP": [ - - ], - "OWASP Mobile": [ - - ], - "MASVS": [ - - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", @@ -27,9 +15,6 @@ "PCI DSS 4.0": [ "4.2.1", "6.2.4" - ], - "ASVS 4.0": [ - ], "STIG ASD_V5R3": [ "V-222397", @@ -41,6 +26,12 @@ "V-222597", "V-222598", "V-222599" + ], + "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } diff --git a/rules/S5332/common/resources/standards-mobile.adoc b/rules/S5332/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..e980c83fd4 --- /dev/null +++ b/rules/S5332/common/resources/standards-mobile.adoc 
@@ -0,0 +1,18 @@
+=== Standards
+
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397[Application Security and Development: V-222397] - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534[Application Security and Development: V-222534] - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562[Application Security and Development: V-222562] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563[Application Security and Development: V-222563] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577[Application Security and Development: V-222577] - The application must not expose session IDs.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596[Application Security and Development: V-222596] - The application must protect the confidentiality and integrity of transmitted information.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597[Application Security and Development: V-222597] - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598[Application Security and Development: V-222598] - The application must maintain the confidentiality and integrity of information during preparation for transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599[Application Security and Development: V-222599] - The application must maintain the confidentiality and integrity of information during reception.
diff --git a/rules/S5332/common/resources/standards.adoc b/rules/S5332/common/resources/standards.adoc
index 47c10b53a1..419de525c3 100644
--- a/rules/S5332/common/resources/standards.adoc
+++ b/rules/S5332/common/resources/standards.adoc
@@ -2,8 +2,6 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] -* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication] * CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor] * CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information] * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397[Application Security and Development: V-222397] - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. diff --git a/rules/S5332/docker/metadata.json b/rules/S5332/docker/metadata.json index eea9e47220..bd2807ea22 100644 --- a/rules/S5332/docker/metadata.json +++ b/rules/S5332/docker/metadata.json @@ -7,18 +7,6 @@ "CWE": [ 200, 319 - ], - "OWASP": [ - - ], - "OWASP Mobile": [ - - ], - "MASVS": [ - - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", @@ -27,9 +15,6 @@ "PCI DSS 4.0": [ "4.2.1", "6.2.4" - ], - "ASVS 4.0": [ - ], "STIG ASD_V5R3": [ "V-222397", @@ -41,6 +26,12 @@ "V-222597", "V-222598", "V-222599" + ], + "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } diff --git a/rules/S5332/java/metadata.json b/rules/S5332/java/metadata.json index 765feecc84..4332cea175 100644 --- a/rules/S5332/java/metadata.json +++ b/rules/S5332/java/metadata.json 
@@ -1,4 +1,49 @@ { + "securityStandards": { + "CWE": [ + 200, + 319 + ], + "OWASP": [ + "A3" + ], + "OWASP Mobile": [ + "M3" + ], + "OWASP Mobile Top 10 2024": [ + "M5" + ], + "MASVS": [ + "MSTG-NETWORK-1" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + "1.9.1", + "9.1.1", + "9.2.2" + ], + "STIG ASD_V5R3": [ + "V-222397", + "V-222534", + "V-222562", + "V-222563", + "V-222577", + "V-222596", + "V-222597", + "V-222598", + "V-222599" + ] + }, "quickfix": "unknown", "tags": [ "cwe", diff --git a/rules/S5332/java/rule.adoc b/rules/S5332/java/rule.adoc index 70e14c40c0..67a6b1a2ff 100644 --- a/rules/S5332/java/rule.adoc +++ b/rules/S5332/java/rule.adoc @@ -83,7 +83,13 @@ webView.getSettings().setMixedContentMode(MIXED_CONTENT_NEVER_ALLOW); include::../exceptions.adoc[] -include::../see.adoc[] +== See + +include::../common/resources/documentation.adoc[] + +include::../common/resources/articles.adoc[] + +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S5332/kotlin/metadata.json b/rules/S5332/kotlin/metadata.json index 765feecc84..4332cea175 100644 --- a/rules/S5332/kotlin/metadata.json +++ b/rules/S5332/kotlin/metadata.json @@ -1,4 +1,49 @@ { + "securityStandards": { + "CWE": [ + 200, + 319 + ], + "OWASP": [ + "A3" + ], + "OWASP Mobile": [ + "M3" + ], + "OWASP Mobile Top 10 2024": [ + "M5" + ], + "MASVS": [ + "MSTG-NETWORK-1" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + "1.9.1", + "9.1.1", + "9.2.2" + ], + "STIG ASD_V5R3": [ + "V-222397", + "V-222534", + "V-222562", + "V-222563", + "V-222577", + "V-222596", + "V-222597", + "V-222598", + "V-222599" + ] + }, "quickfix": "unknown", "tags": [ "cwe", diff --git a/rules/S5332/kotlin/rule.adoc b/rules/S5332/kotlin/rule.adoc index b799c26804..6dd1196901 100644 
--- a/rules/S5332/kotlin/rule.adoc +++ b/rules/S5332/kotlin/rule.adoc @@ -83,7 +83,13 @@ webView.getSettings().setMixedContentMode(MIXED_CONTENT_NEVER_ALLOW) include::../exceptions.adoc[] -include::../see.adoc[] +== See + +include::../common/resources/documentation.adoc[] + +include::../common/resources/articles.adoc[] + +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S5332/kubernetes/metadata.json b/rules/S5332/kubernetes/metadata.json index ede079338c..9e86558a63 100644 --- a/rules/S5332/kubernetes/metadata.json +++ b/rules/S5332/kubernetes/metadata.json @@ -6,18 +6,6 @@ "CWE": [ 200, 319 - ], - "OWASP": [ - - ], - "OWASP Mobile": [ - - ], - "MASVS": [ - - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", @@ -26,9 +14,6 @@ "PCI DSS 4.0": [ "4.2.1", "6.2.4" - ], - "ASVS 4.0": [ - ], "STIG ASD_V5R3": [ "V-222397", @@ -40,6 +25,12 @@ "V-222597", "V-222598", "V-222599" + ], + "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } diff --git a/rules/S5332/metadata.json b/rules/S5332/metadata.json index 1c4aa906db..15ea1af202 100644 --- a/rules/S5332/metadata.json +++ b/rules/S5332/metadata.json @@ -31,12 +31,6 @@ "OWASP": [ "A3" ], - "OWASP Mobile": [ - "M3" - ], - "MASVS": [ - "MSTG-NETWORK-1" - ], "OWASP Top 10 2021": [ "A2" ], diff --git a/rules/S5332/terraform/metadata.json b/rules/S5332/terraform/metadata.json index 87d4f17df2..5f5c8e80ed 100644 --- a/rules/S5332/terraform/metadata.json +++ b/rules/S5332/terraform/metadata.json @@ -9,18 +9,6 @@ "CWE": [ 200, 319 - ], - "OWASP": [ - - ], - "OWASP Mobile": [ - - ], - "MASVS": [ - - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", @@ -29,9 +17,6 @@ "PCI DSS 4.0": [ "4.2.1", "6.2.4" - ], - "ASVS 4.0": [ - ], "STIG ASD_V5R3": [ "V-222397", @@ -43,6 +28,12 @@ "V-222597", "V-222598", "V-222599" + ], + "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } 
diff --git a/rules/S5332/xml/metadata.json b/rules/S5332/xml/metadata.json
index 765feecc84..4332cea175 100644
--- a/rules/S5332/xml/metadata.json
+++ b/rules/S5332/xml/metadata.json
@@ -1,4 +1,49 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-1"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "1.9.1",
+ "9.1.1",
+ "9.2.2"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ },
 "quickfix": "unknown",
 "tags": [
 "cwe",
diff --git a/rules/S5344/common/resources/standards-mobile.adoc b/rules/S5344/common/resources/standards-mobile.adoc
new file mode 100644
index 0000000000..bf9e0eefc4
--- /dev/null
+++ b/rules/S5344/common/resources/standards-mobile.adoc
@@ -0,0 +1,10 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/256[CWE-256 - Plaintext Storage of a Password]
+* CWE - https://cwe.mitre.org/data/definitions/916[CWE-916 - Use of Password Hash With Insufficient Computational Effort]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.
+
diff --git a/rules/S5344/java/metadata.json b/rules/S5344/java/metadata.json
index 1797133380..eb184e5efa 100644
--- a/rules/S5344/java/metadata.json
+++ b/rules/S5344/java/metadata.json
@@ -1,3 +1,35 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 256,
+ 916
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2",
+ "A4"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.3"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.3",
+ "2.4.1",
+ "2.4.2",
+ "2.4.3",
+ "2.4.4",
+ "2.4.5"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222542"
+ ]
+ }
 }
diff --git a/rules/S5344/java/rule.adoc b/rules/S5344/java/rule.adoc
index cd62d8fad2..fde30dc8bc 100644
--- a/rules/S5344/java/rule.adoc
+++ b/rules/S5344/java/rule.adoc
@@ -62,7 +62,7 @@ include::../common/pitfalls/pre-hashing.adoc[] * Spring Framework Security Documentation - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[Class BCryptPasswordEncoder] * OWASP CheatSheet - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[Password Storage Cheat Sheet] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S5527/common/resources/standards-mobile.adoc b/rules/S5527/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..d391db0987 --- /dev/null +++ b/rules/S5527/common/resources/standards-mobile.adoc 
@@ -0,0 +1,13 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/297[CWE-297 - Improper Validation of Certificate with Host Mismatch]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
+
diff --git a/rules/S5527/common/resources/standards.adoc b/rules/S5527/common/resources/standards.adoc
index 7505700e90..235efd95db 100644
--- a/rules/S5527/common/resources/standards.adoc
+++ b/rules/S5527/common/resources/standards.adoc
@@ -5,8 +5,6 @@ * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures] * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] -* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication] * CWE - https://cwe.mitre.org/data/definitions/297[CWE-297 - Improper Validation of Certificate with Host Mismatch] * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor. diff --git a/rules/S5527/java/metadata.json b/rules/S5527/java/metadata.json index 2c63c08510..8ce582184d 100644 --- a/rules/S5527/java/metadata.json +++ b/rules/S5527/java/metadata.json @@ -1,2 +1,37 @@ { + "securityStandards": { + "CWE": [ + 297 + ], + "OWASP": [ + "A3", + "A6" + ], + "OWASP Mobile": [ + "M3" + ], + "OWASP Mobile Top 10 2024": [ + "M5" + ], + "MASVS": [ + "MSTG-NETWORK-3" + ], + "OWASP Top 10 2021": [ + "A2", + "A5", + "A7" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4", + "6.5.10" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "STIG ASD_V5R3": [ + "V-222550" + ] + } } diff --git a/rules/S5527/java/rule.adoc b/rules/S5527/java/rule.adoc index 90fd094d79..5e55b067ca 100644 --- a/rules/S5527/java/rule.adoc +++ b/rules/S5527/java/rule.adoc 
@@ -16,7 +16,7 @@ include::how-to-fix-it/java-ee.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] * https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms diff --git a/rules/S5527/kotlin/metadata.json b/rules/S5527/kotlin/metadata.json index 1797133380..dd52e0789e 100644 --- a/rules/S5527/kotlin/metadata.json +++ b/rules/S5527/kotlin/metadata.json @@ -1,3 +1,37 @@ { - + "securityStandards": { + "CWE": [ + 297 + ], + "OWASP": [ + "A3", + "A6" + ], + "OWASP Mobile": [ + "M3" + ], + "OWASP Mobile Top 10 2024": [ + "M5" + ], + "MASVS": [ + "MSTG-NETWORK-3" + ], + "OWASP Top 10 2021": [ + "A2", + "A5", + "A7" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4", + "6.5.10" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "STIG ASD_V5R3": [ + "V-222550" + ] + } } diff --git a/rules/S5527/kotlin/rule.adoc b/rules/S5527/kotlin/rule.adoc index 49ad80e5ef..4a239183bc 100644 --- a/rules/S5527/kotlin/rule.adoc +++ b/rules/S5527/kotlin/rule.adoc @@ -12,7 +12,7 @@ include::how-to-fix-it/ok-http.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] * https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms diff --git a/rules/S5527/metadata.json b/rules/S5527/metadata.json index 05cb6f6497..0cce5b25a9 100644 --- a/rules/S5527/metadata.json +++ b/rules/S5527/metadata.json @@ -37,12 +37,6 @@ "A3", "A6" ], - "OWASP Mobile": [ - "M3" - ], - "MASVS": [ - "MSTG-NETWORK-3" - ], "OWASP Top 10 2021": [ "A2", "A5", diff --git a/rules/S5542/cfamily/metadata.json b/rules/S5542/cfamily/metadata.json index 165f719b92..6acca40723 100644 --- a/rules/S5542/cfamily/metadata.json +++ b/rules/S5542/cfamily/metadata.json @@ -16,12 +16,6 @@ "A6", "A3" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-3" - ], "OWASP Top 10 2021": [ "A2" ], 
diff --git a/rules/S5542/common/resources/standards-mobile.adoc b/rules/S5542/common/resources/standards-mobile.adoc
new file mode 100644
index 0000000000..b3ecdd1f96
--- /dev/null
+++ b/rules/S5542/common/resources/standards-mobile.adoc
@@ -0,0 +1,9 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S5542/java/metadata.json b/rules/S5542/java/metadata.json
index 2ce2cae2a0..3ade256a00 100644
--- a/rules/S5542/java/metadata.json
+++ b/rules/S5542/java/metadata.json
@@ -14,6 +14,9 @@
 "OWASP Mobile": [
 "M5"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
 "MASVS": [
 "MSTG-CRYPTO-3"
 ],
diff --git a/rules/S5542/java/rule.adoc b/rules/S5542/java/rule.adoc
index 6201313b98..b3f8b45cc8 100644
--- a/rules/S5542/java/rule.adoc
+++ b/rules/S5542/java/rule.adoc
@@ -19,11 +19,8 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] -* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm] * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms diff --git a/rules/S5542/kotlin/metadata.json b/rules/S5542/kotlin/metadata.json index 544b7b4ddd..4be9cf7792 100644 --- a/rules/S5542/kotlin/metadata.json +++ b/rules/S5542/kotlin/metadata.json @@ -1,3 +1,38 @@ { - + "securityStandards": { + "CWE": [ + 327, + 780 + ], + "OWASP": [ + "A6", + "A3" + ], + "OWASP Mobile": [ + "M5" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "MASVS": [ + "MSTG-CRYPTO-3" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.3", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + "2.9.3", + "6.2.2", + "8.3.7" + ] + } } \ No newline at end of file diff --git a/rules/S5542/kotlin/rule.adoc b/rules/S5542/kotlin/rule.adoc index 566ee2e0b8..5c956fdfcb 100644 --- a/rules/S5542/kotlin/rule.adoc +++ b/rules/S5542/kotlin/rule.adoc 
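Review bot: rules/S5542/kotlin/metadata.json lists `"CWE": [ 327, 780 ]`, but rules/S5542/common/resources/standards-mobile.adoc, which the kotlin rule now includes, links only CWE-327; the other standards-mobile.adoc files added in this commit (S5344, S5527, S5883, S6096) mirror their metadata CWE lists, so either add `* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP]` to the adoc or drop 780 from the metadata if the omission is intentional. The same mismatch exists for CWE-326 in rules/S5547/kotlin/metadata.json and rules/S5547/swift/metadata.json against rules/S5547/common/resources/standards-mobile.adoc, which lists only CWE-327. Separately, this file and rules/S5547/kotlin/metadata.json are written without a trailing newline (`\ No newline at end of file`), unlike the sibling java and swift metadata files; adding the final newline keeps the metadata files consistent and avoids spurious whitespace diffs later.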
@@ -19,11 +19,8 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] -* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm] * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms ifdef::env-github,rspecator-view[] diff --git a/rules/S5542/metadata.json b/rules/S5542/metadata.json index 6f7f96febd..e05eb14b40 100644 --- a/rules/S5542/metadata.json +++ b/rules/S5542/metadata.json @@ -37,12 +37,6 @@ "A6", "A3" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-3" - ], "OWASP Top 10 2021": [ "A2" ], diff --git a/rules/S5547/cfamily/metadata.json b/rules/S5547/cfamily/metadata.json index 2ddbf46c84..46de0819e5 100644 --- a/rules/S5547/cfamily/metadata.json +++ b/rules/S5547/cfamily/metadata.json @@ -16,12 +16,6 @@ "A3", "A6" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-3" - ], "OWASP Top 10 2021": [ "A2" ], diff --git a/rules/S5547/common/resources/standards-mobile.adoc b/rules/S5547/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..d9ca56e61b --- /dev/null +++ b/rules/S5547/common/resources/standards-mobile.adoc 
@@ -0,0 +1,11 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222396[Application Security and Development: V-222396] - The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. + diff --git a/rules/S5547/java/metadata.json b/rules/S5547/java/metadata.json index d5c11b387b..a1e53be6f9 100644 --- a/rules/S5547/java/metadata.json +++ b/rules/S5547/java/metadata.json @@ -14,6 +14,9 @@ "OWASP Mobile": [ "M5" ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], "MASVS": [ "MSTG-CRYPTO-3" ], diff --git a/rules/S5547/java/rule.adoc b/rules/S5547/java/rule.adoc index 89ba5ff775..fe13213228 100644 --- a/rules/S5547/java/rule.adoc +++ b/rules/S5547/java/rule.adoc @@ -12,7 +12,7 @@ include::how-to-fix-it/java-cryptography-extension.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] 
diff --git a/rules/S5547/kotlin/metadata.json b/rules/S5547/kotlin/metadata.json index 544b7b4ddd..cd04068a4f 100644 --- a/rules/S5547/kotlin/metadata.json +++ b/rules/S5547/kotlin/metadata.json @@ -1,3 +1,42 @@ { - + "securityStandards": { + "CWE": [ + 327, + 326 + ], + "OWASP": [ + "A3", + "A6" + ], + "OWASP Mobile": [ + "M5" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "MASVS": [ + "MSTG-CRYPTO-3" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.3", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + "6.2.2", + "6.2.3", + "6.2.5", + "8.3.7" + ], + "STIG ASD_V5R3": [ + "V-222396" + ] + } } \ No newline at end of file diff --git a/rules/S5547/kotlin/rule.adoc b/rules/S5547/kotlin/rule.adoc index a6f24da4ff..fe13213228 100644 --- a/rules/S5547/kotlin/rule.adoc +++ b/rules/S5547/kotlin/rule.adoc @@ -12,10 +12,7 @@ include::how-to-fix-it/java-cryptography-extension.adoc[] == Resources -include::../common/resources/standards.adoc[] - -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S5547/metadata.json b/rules/S5547/metadata.json index fae0e12d0f..5f5d83ede1 100644 --- a/rules/S5547/metadata.json +++ b/rules/S5547/metadata.json @@ -37,12 +37,6 @@ "A3", "A6" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-3" - ], "OWASP Top 10 2021": [ "A2" ], diff --git a/rules/S5547/swift/metadata.json b/rules/S5547/swift/metadata.json index 1797133380..ab7ec9021b 100644 --- a/rules/S5547/swift/metadata.json +++ b/rules/S5547/swift/metadata.json 
@@ -1,3 +1,42 @@ { - + "securityStandards": { + "CWE": [ + 327, + 326 + ], + "OWASP": [ + "A3", + "A6" + ], + "OWASP Mobile": [ + "M5" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "MASVS": [ + "MSTG-CRYPTO-3" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.3", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + "6.2.2", + "6.2.3", + "6.2.5", + "8.3.7" + ], + "STIG ASD_V5R3": [ + "V-222396" + ] + } } diff --git a/rules/S5547/swift/rule.adoc b/rules/S5547/swift/rule.adoc index 8d2755a9a5..7510a1995f 100644 --- a/rules/S5547/swift/rule.adoc +++ b/rules/S5547/swift/rule.adoc @@ -16,7 +16,7 @@ include::how-to-fix-it/cryptoswift.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S5594/xml/metadata.json b/rules/S5594/xml/metadata.json index ee467ccb58..c9997ec036 100644 --- a/rules/S5594/xml/metadata.json +++ b/rules/S5594/xml/metadata.json @@ -36,6 +36,9 @@ "OWASP Mobile": [ "M2" ], + "OWASP Mobile Top 10 2024": [ + "M8" + ], "MASVS": [ "MSTG-PLATFORM-1" ], diff --git a/rules/S5594/xml/rule.adoc b/rules/S5594/xml/rule.adoc index 88e8335982..583b2d384b 100644 --- a/rules/S5594/xml/rule.adoc +++ b/rules/S5594/xml/rule.adoc @@ -133,6 +133,8 @@ When targeting Android API versions lower than 12, intent filters will cause ``+ * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] + * CWE - https://cwe.mitre.org/data/definitions/926[CWE-926 - Improper Export of Android Application Components] diff --git a/rules/S5604/xml/metadata.json b/rules/S5604/xml/metadata.json index 9f73be0a56..58446be835 100644 --- a/rules/S5604/xml/metadata.json 
+++ b/rules/S5604/xml/metadata.json
@@ -12,6 +12,10 @@
 "OWASP Mobile": [
 "M1"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M6",
+ "M8"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-1"
 ],
diff --git a/rules/S5604/xml/rule.adoc b/rules/S5604/xml/rule.adoc
index 6aedda5305..3ae3da5875 100644
--- a/rules/S5604/xml/rule.adoc
+++ b/rules/S5604/xml/rule.adoc
@@ -33,6 +33,8 @@ In AndroidManifest.xml:
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m6-inadequate-privacy-controls[Mobile Top 10 2024 Category M6 - Inadequate Privacy Controls]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
 * https://developer.android.com/training/permissions/usage-notes[developer.android.com] - App permissions best practices
 * https://play.google.com/about/privacy-security-deception/permissions/[Google Play] - Privacy, Security, and Deception - Permissions
diff --git a/rules/S5883/common/resources/standards-mobile.adoc b/rules/S5883/common/resources/standards-mobile.adoc
new file mode 100644
index 0000000000..37c20fd013
--- /dev/null
+++ b/rules/S5883/common/resources/standards-mobile.adoc
@@ -0,0 +1,9 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S5883/java/metadata.json b/rules/S5883/java/metadata.json index 1797133380..3137a603ed 100644 --- a/rules/S5883/java/metadata.json +++ b/rules/S5883/java/metadata.json @@ -1,3 +1,30 @@ { - + "securityStandards": { + "CWE": [ + 20, + 88 + ], + "OWASP": [ + "A1" + ], + "OWASP Top 10 2021": [ + "A3" + ], + "OWASP Mobile Top 10 2024": [ + "M4" + ], + "PCI DSS 3.2": [ + "6.5.1" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "5.1.3", + "5.1.4" + ], + "STIG ASD_V5R3": [ + "V-222609" + ] + } } diff --git a/rules/S5883/java/rule.adoc b/rules/S5883/java/rule.adoc index 88ce2ce3bd..9bd15e8d4b 100644 --- a/rules/S5883/java/rule.adoc +++ b/rules/S5883/java/rule.adoc @@ -15,7 +15,7 @@ include::how-to-fix-it/apache-commons.adoc[] include::../common/resources/docs.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S6096/common/resources/standards-mobile.adoc b/rules/S6096/common/resources/standards-mobile.adoc new file mode 100644 index 0000000000..a2ed108caa --- /dev/null +++ b/rules/S6096/common/resources/standards-mobile.adoc 
@@ -0,0 +1,11 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6096/java/metadata.json b/rules/S6096/java/metadata.json
index 1797133380..b9dd331230 100644
--- a/rules/S6096/java/metadata.json
+++ b/rules/S6096/java/metadata.json
@@ -1,3 +1,34 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 20,
+ 22
+ ],
+ "OWASP": [
+ "A5",
+ "A1"
+ ],
+ "OWASP Top 10 2021": [
+ "A1",
+ "A3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M4"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1",
+ "6.5.8"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "12.3.4",
+ "5.1.3",
+ "5.1.4"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222609"
+ ]
+ }
 }
diff --git a/rules/S6096/java/rule.adoc b/rules/S6096/java/rule.adoc
index 5a96d91ce5..b9ecb7a904 100644
--- a/rules/S6096/java/rule.adoc
+++ b/rules/S6096/java/rule.adoc
@@ -10,7 +10,7 @@ include::how-to-fix-it/java-se.adoc[] include::../common/resources/articles.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S6288/java/metadata.json b/rules/S6288/java/metadata.json index 1797133380..6b813edbae 100644 --- a/rules/S6288/java/metadata.json +++ b/rules/S6288/java/metadata.json @@ -1,3 +1,29 @@ { - + "securityStandards": { + "CWE": [ + 522 + ], + "OWASP Mobile": [ + "M4" + ], + "OWASP Mobile Top 10 2024": [ + "M3", + "M10" + ], + "MASVS": [ + "MSTG-AUTH-1" + ], + "OWASP Top 10 2021": [ + "A4" + ], + "PCI DSS 3.2": [ + "6.5.8" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.3" + ] + } } diff --git a/rules/S6288/kotlin/metadata.json b/rules/S6288/kotlin/metadata.json index 1797133380..c74b1beace 100644 --- a/rules/S6288/kotlin/metadata.json +++ b/rules/S6288/kotlin/metadata.json @@ -1,3 +1,29 @@ { - + "securityStandards": { + "CWE": [ + 522 + ], + "OWASP Mobile": [ + "M4" + ], + "OWASP Mobile Top 10 2024": [ + "M3", + "M10" + ], + "MASVS": [ + "MSTG-AUTH-1" + ], + "OWASP Top 10 2021": [ + "A4" + ], + "PCI DSS 3.2": [ + "6.5.8" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.3" + ] + } } diff --git a/rules/S6288/metadata.json b/rules/S6288/metadata.json index 969baad1bd..96fa158173 100644 --- a/rules/S6288/metadata.json +++ b/rules/S6288/metadata.json @@ -32,12 +32,6 @@ "CWE": [ 522 ], - "OWASP Mobile": [ - "M4" - ], - "MASVS": [ - "MSTG-AUTH-1" - ], "OWASP Top 10 2021": [ "A4" ], diff --git a/rules/S6288/see.adoc b/rules/S6288/see.adoc index 099a84ccab..785c17fc33 100644 --- a/rules/S6288/see.adoc +++ b/rules/S6288/see.adoc 
@@ -1,8 +1,10 @@ == See * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] -* https://developer.android.com/privacy-and-security/keystore[developer.android.com] - Android keystore system -* https://developer.android.com/privacy-and-security/keystore#UserAuthentication[developer.android.com] - Require user authentication for key use * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Authentication and Session Management Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication[Mobile Top 10 2016 Category M4 - Insecure Authentication] -* CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials] \ No newline at end of file +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials] +* https://developer.android.com/privacy-and-security/keystore[developer.android.com] - Android keystore system +* https://developer.android.com/privacy-and-security/keystore#UserAuthentication[developer.android.com] - Require user authentication for key use \ No newline at end of file diff --git a/rules/S6291/metadata.json b/rules/S6291/metadata.json index 4bfd7869cb..77c3209776 100644 --- a/rules/S6291/metadata.json +++ b/rules/S6291/metadata.json @@ -39,6 +39,9 @@ "OWASP Mobile": [ "M2" ], + "OWASP Mobile Top 10 2024": [ + "M9" + ], "MASVS": [ "MSTG-STORAGE-14" ], diff --git a/rules/S6291/see.adoc b/rules/S6291/see.adoc index f18fce10f6..3dc6832e21 100644 --- a/rules/S6291/see.adoc +++ b/rules/S6291/see.adoc 
@@ -1,10 +1,11 @@
 == See
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard] - Data Storage and Privacy Requirements
-* https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2] - Insecure Data Storage
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6293/metadata.json b/rules/S6293/metadata.json
index d5ca7afeea..7e77ec8153 100644
--- a/rules/S6293/metadata.json
+++ b/rules/S6293/metadata.json
@@ -35,6 +35,9 @@
 "OWASP Mobile": [
 "M4"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M3"
+ ],
 "MASVS": [
 "MSTG-AUTH-8"
 ],
diff --git a/rules/S6293/see.adoc b/rules/S6293/see.adoc
index 88f5278c17..c1e30e1a3f 100644
--- a/rules/S6293/see.adoc
+++ b/rules/S6293/see.adoc
@@ -1,7 +1,8 @@
 == See
 * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
-* https://developer.android.com/training/sign-in/biometric-auth[developer.android.com] - Use a cryptographic solution that depends on authentication
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication[Mobile Top 10 2016 Category M4 - Insecure Authentication]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization]
 * OWASP - https://mas.owasp.org/checklists/MASVS-AUTH/[Mobile AppSec Verification Standard - Authentication and Session Management Requirements]
-* CWE - https://cwe.mitre.org/data/definitions/287[CWE-287 - Improper Authentication]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/287[CWE-287 - Improper Authentication]
+* https://developer.android.com/training/sign-in/biometric-auth[developer.android.com] - Use a cryptographic solution that depends on authentication
\ No newline at end of file
diff --git a/rules/S6300/metadata.json b/rules/S6300/metadata.json
index 50d46bf878..b58a83675a 100644
--- a/rules/S6300/metadata.json
+++ b/rules/S6300/metadata.json
@@ -39,6 +39,9 @@
 "OWASP Mobile": [
 "M2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M9"
+ ],
 "MASVS": [
 "MSTG-STORAGE-14"
 ],
diff --git a/rules/S6300/see.adoc b/rules/S6300/see.adoc
index d223601a67..829b5f8c76 100644
--- a/rules/S6300/see.adoc
+++ b/rules/S6300/see.adoc
@@ -1,8 +1,9 @@
 == See
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
diff --git a/rules/S6301/common/resources/standards.adoc b/rules/S6301/common/resources/standards.adoc
index abe88d58f0..6ec2a433b6 100644
--- a/rules/S6301/common/resources/standards.adoc
+++ b/rules/S6301/common/resources/standards.adoc
@@ -1,10 +1,13 @@
 === Standards
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage[Mobile Top 10 2024 Category M1 - Improper Credential Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
 * CWE - https://cwe.mitre.org/data/definitions/321[CWE-321 - Use of Hard-coded Cryptographic Key]
diff --git a/rules/S6301/metadata.json b/rules/S6301/metadata.json
index 69b233fd95..02f1ead010 100644
--- a/rules/S6301/metadata.json
+++ b/rules/S6301/metadata.json
@@ -37,6 +37,11 @@
 "OWASP Mobile": [
 "M2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M1",
+ "M9",
+ "M10"
+ ],
 "MASVS": [
 "MSTG-STORAGE-14"
 ],
diff --git a/rules/S6358/xml/metadata.json b/rules/S6358/xml/metadata.json
index 8d7409987d..bece45d2b9 100644
--- a/rules/S6358/xml/metadata.json
+++ b/rules/S6358/xml/metadata.json
@@ -40,6 +40,9 @@
 "M1",
 "M2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M9"
+ ],
 "MASVS": [
 "MSTG-STORAGE-8"
 ],
diff --git a/rules/S6358/xml/rule.adoc b/rules/S6358/xml/rule.adoc
index 9105646464..d3c750fb01 100644
--- a/rules/S6358/xml/rule.adoc
+++ b/rules/S6358/xml/rule.adoc
@@ -67,14 +67,16 @@ If targeting Android 6.0 or above (API level 23), define files to include/exclud
 == See
+
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
-* https://developer.android.com/guide/topics/data/autobackup[Back up user data with Auto Backup]
 * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage]
 * CWE - https://cwe.mitre.org/data/definitions/312[CWE-922 - Insecure Storage of Sensitive Information]
+* https://developer.android.com/guide/topics/data/autobackup[Back up user data with Auto Backup]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6359/metadata.json b/rules/S6359/metadata.json
index 539f47182c..a70a027f99 100644
--- a/rules/S6359/metadata.json
+++ b/rules/S6359/metadata.json
@@ -38,6 +38,10 @@
 "OWASP Mobile": [
 "M1"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M3",
+ "M8"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-1"
 ],
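Review bot: The CWE line kept as context in the S6358/xml/rule.adoc hunk links https://cwe.mitre.org/data/definitions/312 while its label reads `CWE-922 - Insecure Storage of Sensitive Information`, so the URL and the label name two different weaknesses and a reader following the link lands on the wrong entry. Which side is wrong cannot be told from this hunk; it should be aligned with whichever CWE the rule's metadata.json lists, by changing either the path to `definitions/922` or the label to the CWE-312 title. Separately, the added empty `+` line directly after `== See` leaves two blank lines before the list, which none of the other see sections touched in this commit have.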
diff --git a/rules/S6359/xml/rule.adoc b/rules/S6359/xml/rule.adoc
index f65b6742d3..eef08c93d8 100644
--- a/rules/S6359/xml/rule.adoc
+++ b/rules/S6359/xml/rule.adoc
@@ -68,6 +68,8 @@ It is common practice to use the application package name as part of the namespa
 * Mobile AppSec Verification Standard - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/265[CWE-265 - Privilege Issues]
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
diff --git a/rules/S6361/xml/metadata.json b/rules/S6361/xml/metadata.json
index da580fcfc5..ec82d22126 100644
--- a/rules/S6361/xml/metadata.json
+++ b/rules/S6361/xml/metadata.json
@@ -36,6 +36,10 @@
 "M1",
 "M6"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M3",
+ "M8"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-1"
 ]
diff --git a/rules/S6361/xml/rule.adoc b/rules/S6361/xml/rule.adoc
index dc92cb2cea..6c2aa4f164 100644
--- a/rules/S6361/xml/rule.adoc
+++ b/rules/S6361/xml/rule.adoc
@@ -56,6 +56,8 @@ There is a risk if you answered yes to this question.
 * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization[Mobile Top 10 2016 Category M6 - Insecure Authorization]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/1220[CWE-1220 - Insufficient Granularity of Access Control]
diff --git a/rules/S6362/metadata.json b/rules/S6362/metadata.json
index bdf9ebe3d1..444e61e1d4 100644
--- a/rules/S6362/metadata.json
+++ b/rules/S6362/metadata.json
@@ -32,6 +32,9 @@
 "MASVS": [
 "MSTG-PLATFORM-2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M8"
+ ],
 "OWASP Top 10 2021": [
 "A3"
 ],
diff --git a/rules/S6362/see.adoc b/rules/S6362/see.adoc
index 53c7c2eb15..fa0c2e2d66 100644
--- a/rules/S6362/see.adoc
+++ b/rules/S6362/see.adoc
@@ -3,4 +3,5 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
diff --git a/rules/S6363/metadata.json b/rules/S6363/metadata.json
index 8b9493e0d5..4f906b677f 100644
--- a/rules/S6363/metadata.json
+++ b/rules/S6363/metadata.json
@@ -32,6 +32,9 @@
 "MASVS": [
 "MSTG-PLATFORM-2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M8"
+ ],
 "OWASP Top 10 2021": [
 "A3"
 ],
diff --git a/rules/S6363/see.adoc b/rules/S6363/see.adoc
index 53c7c2eb15..fa0c2e2d66 100644
--- a/rules/S6363/see.adoc
+++ b/rules/S6363/see.adoc
@@ -3,4 +3,5 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
diff --git a/rules/S6373/java/metadata.json b/rules/S6373/java/metadata.json
index d72e842293..8fd3f8bb52 100644
--- a/rules/S6373/java/metadata.json
+++ b/rules/S6373/java/metadata.json
@@ -1,4 +1,32 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 611,
+ 827
+ ],
+ "OWASP": [
+ "A4"
+ ],
+ "OWASP Top 10 2021": [
+ "A5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M4",
+ "M8"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.5.2"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222608"
+ ]
+ },
 "quickfix": "infeasible",
 "tags": [
 "symbolic-execution"
diff --git a/rules/S6373/java/rule.adoc b/rules/S6373/java/rule.adoc
index a7bf04128f..8a98fbc86b 100644
--- a/rules/S6373/java/rule.adoc
+++ b/rules/S6373/java/rule.adoc
@@ -73,6 +73,8 @@ property to `false`.
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 - Category A4 - XML External Entities (XXE)]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 - Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Improper Restriction of XML External Entity Reference]
 * CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
 * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
diff --git a/rules/S6376/java/metadata.json b/rules/S6376/java/metadata.json
index ca1da9aca7..c3f108808d 100644
--- a/rules/S6376/java/metadata.json
+++ b/rules/S6376/java/metadata.json
@@ -1,4 +1,32 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 611,
+ 827
+ ],
+ "OWASP": [
+ "A4"
+ ],
+ "OWASP Top 10 2021": [
+ "A5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M4",
+ "M8"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.5.2"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222608"
+ ]
+ },
 "quickfix": "infeasible",
 "tags": [
 "symbolic-execution"
diff --git a/rules/S6376/java/rule.adoc b/rules/S6376/java/rule.adoc
index 8568596421..7ccfbc5f81 100644
--- a/rules/S6376/java/rule.adoc
+++ b/rules/S6376/java/rule.adoc
@@ -39,6 +39,8 @@ include::how-to-fix-it/jdom2.adoc[]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/776[CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')]
 * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222593[Application Security and Development: V-222593] - XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
 * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
diff --git a/rules/S6384/common/resources/standards.adoc b/rules/S6384/common/resources/standards.adoc
index 08cbac28ed..437907ead6 100644
--- a/rules/S6384/common/resources/standards.adoc
+++ b/rules/S6384/common/resources/standards.adoc
@@ -2,5 +2,6 @@
 * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6384/metadata.json b/rules/S6384/metadata.json
index 118b8185d2..cc2b014b45 100644
--- a/rules/S6384/metadata.json
+++ b/rules/S6384/metadata.json
@@ -34,6 +34,9 @@
 "OWASP Mobile": [
 "M1"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M4"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-2"
 ],
diff --git a/rules/S6432/common/resources/standards-mobile.adoc b/rules/S6432/common/resources/standards-mobile.adoc
new file mode 100644
index 0000000000..a73798d92a
--- /dev/null
+++ b/rules/S6432/common/resources/standards-mobile.adoc
@@ -0,0 +1,11 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/323[CWE-323 - Reusing a Nonce, Key Pair in Encryption]
+* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation
+* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf[NIST, SP-800-38C] - Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
+* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf[NIST, SP-800-38D] - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
diff --git a/rules/S6432/common/resources/standards.adoc b/rules/S6432/common/resources/standards.adoc
index 85130396ce..7a0bbcf23d 100644
--- a/rules/S6432/common/resources/standards.adoc
+++ b/rules/S6432/common/resources/standards.adoc
@@ -2,8 +2,6 @@
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 * CWE - https://cwe.mitre.org/data/definitions/323[CWE-323 - Reusing a Nonce, Key Pair in Encryption]
 * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation
 * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf[NIST, SP-800-38C] - Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
diff --git a/rules/S6432/java/metadata.json b/rules/S6432/java/metadata.json
index 7a73a41bfd..b0ee4b67f4 100644
--- a/rules/S6432/java/metadata.json
+++ b/rules/S6432/java/metadata.json
@@ -1,2 +1,22 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 323
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-6"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ]
+ }
 }
\ No newline at end of file
diff --git a/rules/S6432/java/rule.adoc b/rules/S6432/java/rule.adoc
index 7cd0c5c497..0796c593c8 100644
--- a/rules/S6432/java/rule.adoc
+++ b/rules/S6432/java/rule.adoc
@@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6432/kotlin/metadata.json b/rules/S6432/kotlin/metadata.json
index 7a73a41bfd..b0ee4b67f4 100644
--- a/rules/S6432/kotlin/metadata.json
+++ b/rules/S6432/kotlin/metadata.json
@@ -1,2 +1,22 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 323
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-6"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ]
+ }
 }
\ No newline at end of file
diff --git a/rules/S6432/kotlin/rule.adoc b/rules/S6432/kotlin/rule.adoc
index 942dcc2924..9cabd5c5b9 100644
--- a/rules/S6432/kotlin/rule.adoc
+++ b/rules/S6432/kotlin/rule.adoc
@@ -18,7 +18,7 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6432/metadata.json b/rules/S6432/metadata.json
index b5af9b55d3..197002391f 100644
--- a/rules/S6432/metadata.json
+++ b/rules/S6432/metadata.json
@@ -28,12 +28,6 @@
 "OWASP": [
 "A3"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-6"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ]
diff --git a/rules/S6549/common/resources/standards-mobile.adoc b/rules/S6549/common/resources/standards-mobile.adoc
new file mode 100644
index 0000000000..a2ed108caa
--- /dev/null
+++ b/rules/S6549/common/resources/standards-mobile.adoc
@@ -0,0 +1,11 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6549/java/metadata.json b/rules/S6549/java/metadata.json
index 0db3279e44..97202b93c7 100644
--- a/rules/S6549/java/metadata.json
+++ b/rules/S6549/java/metadata.json
@@ -1,3 +1,33 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 20,
+ 22
+ ],
+ "OWASP": [
+ "A5",
+ "A1"
+ ],
+ "OWASP Top 10 2021": [
+ "A1",
+ "A3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M4"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.8"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "12.3.1",
+ "5.1.3",
+ "5.1.4"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222609"
+ ]
+ }
 }
diff --git a/rules/S6549/java/rule.adoc b/rules/S6549/java/rule.adoc
index 61fcf6b2d8..2ce00fa841 100644
--- a/rules/S6549/java/rule.adoc
+++ b/rules/S6549/java/rule.adoc
@@ -10,7 +10,7 @@ include::how-to-fix-it/java-se.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6706/secrets/metadata.json b/rules/S6706/secrets/metadata.json
index 4fb94bcec5..07f9a006c5 100644
--- a/rules/S6706/secrets/metadata.json
+++ b/rules/S6706/secrets/metadata.json
@@ -37,6 +37,10 @@
 "OWASP Top 10 2021": [
 "A7"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M1",
+ "M10"
+ ],
 "PCI DSS 3.2": [
 "6.5.10"
 ],
diff --git a/rules/S6706/secrets/rule.adoc b/rules/S6706/secrets/rule.adoc
index 490ba76022..260e7d9b43 100644
--- a/rules/S6706/secrets/rule.adoc
+++ b/rules/S6706/secrets/rule.adoc
@@ -76,4 +76,7 @@ with open("/path/to/private.key","r") as key_file:
 include::../../../shared_content/secrets/resources/standards.adoc[]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage[Mobile Top 10 2024 Category M1 - Improper Credential Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+
 //=== Benchmarks