Update rule.adoc

docs/header_names/allowed_framework_names.adoc

@@ -44,7 +44,6 @@
 * Java JWT
 * Java SE
 * Java JDBC API
-* Java I/O API
 * Jdom2
 * JSP
 * Legacy Mongo Java API

frontend/public/covered_rules.json

@@ -5191,7 +5191,6 @@
     "S1940": "sonar-kotlin 2.0.0.29",
     "S2053": "sonar-kotlin 2.3.0.609",
     "S2068": "sonar-kotlin 2.0.0.29",
-    "S2083": "sonar-security master",
     "S2097": "sonar-kotlin 2.12.0.1956",
     "S2114": "sonar-kotlin 2.12.0.1956",
     "S2116": "sonar-kotlin 2.12.0.1956",
@@ -5223,7 +5222,6 @@
     "S5322": "sonar-kotlin 2.3.0.609",
     "S5324": "sonar-kotlin 2.2.0.499",
     "S5332": "sonar-kotlin 2.0.0.29",
-    "S5344": "sonar-kotlin master",
     "S5527": "sonar-kotlin 2.0.0.29",
     "S5542": "sonar-kotlin 2.0.0.29",
     "S5547": "sonar-kotlin 2.0.0.29",
@@ -5237,7 +5235,6 @@
     "S5867": "sonar-kotlin 2.6.0.862",
     "S5868": "sonar-kotlin 2.6.0.862",
     "S5869": "sonar-kotlin 2.6.0.862",
-    "S6096": "sonar-security master",
     "S6202": "sonar-kotlin 2.4.0.703",
     "S6207": "sonar-kotlin 2.15.0.2579",
     "S6218": "sonar-kotlin 2.4.0.703",
@@ -5260,7 +5257,6 @@
     "S6318": "sonar-kotlin 2.1.0.344",
     "S6362": "sonar-kotlin 2.5.0.754",
     "S6363": "sonar-kotlin 2.5.0.754",
-    "S6384": "sonar-security master",
     "S6432": "sonar-kotlin 2.11.0.1828",
     "S6474": "sonar-kotlin master",
     "S6508": "sonar-kotlin 2.14.0.2352",
@@ -5296,7 +5292,6 @@
     "S7409": "sonar-kotlin master",
     "S7410": "sonar-kotlin master",
     "S7416": "sonar-kotlin master",
-    "S7435": "sonar-kotlin master",
     "S899": "sonar-kotlin 2.12.0.1956"
   },
   "KUBERNETES": {

rules/S2068/go/rule.adoc

@@ -4,10 +4,6 @@ include::../ask-yourself.adoc[]
 
 include::../recommended.adoc[]
 
-=== Exceptions
-
-* The rule ignores string literals that are used directly in Regexp methods.
-
 == Sensitive Code Example
 
 ----

rules/S2083/java/how-to-fix-it/java-se.adoc

@@ -1,4 +1,4 @@
-== How to fix it in Java I/O API
+== How to fix it in Java SE
 
 === Code examples
 
@@ -67,7 +67,7 @@ that the string `targetDirectory` does not end with a path separator:
 static private String targetDirectory = "/Users/John";
 
 @GetMapping(value = "/endpoint")
-public void endpoint(@RequestParam("folder") File fileName) throws IOException {
+public void endpoint(@RequestParam("folder") fileName) throws IOException {
 
     String canonicalizedFileName = fileName.getCanonicalPath();
 

rules/S2083/java/rule.adoc

@@ -6,7 +6,7 @@ include::../impact.adoc[]
 
 // How to fix it section
 
-include::how-to-fix-it/java-io-api.adoc[]
+include::how-to-fix-it/java-se.adoc[]
 
 == Resources
 

rules/S2083/kotlin/how-to-fix-it/java-io-api.adoc

@@ -1,94 +0,0 @@
-== How to fix it in Java I/O API
-
-=== Code examples
-
-:code_impact: delete
-
-include::../../common/fix/code-rationale.adoc[]
-
-==== Noncompliant code example
-
-[source,kotlin,diff-id=1,diff-type=noncompliant]
-----
-@Controller
-class ExampleController {
-    companion object {
-        private const val TARGET_DIRECTORY = "/path/to/target/directory/"
-    }
-
-    @GetMapping("/delete")
-    fun delete(@RequestParam("filename") filename: String) {
-        val file = File(TARGET_DIRECTORY + filename)
-        file.delete()
-    }
-}
-----
-
-==== Compliant solution
-
-[source,kotlin,diff-id=1,diff-type=compliant]
-----
-@Controller
-class ExampleController {
-    companion object {
-        private const val TARGET_DIRECTORY = "/path/to/target/directory/"
-        private val TARGET_PATH = File(TARGET_DIRECTORY).toPath().normalize()
-    }
-
-    @GetMapping("/delete")
-    fun delete(@RequestParam("filename") filename: String) {
-        val file = File(TARGET_PATH.toString() + filename)
-        if (!file.toPath().normalize().startsWith(TARGET_PATH)) {
-            throw IOException("Entry is outside of the target directory")
-        }
-        file.delete()
-    }
-}
-----
-
-=== How does this work?
-
-:canonicalization_function: java.io.File.getCanonicalPath
-
-include::../../common/fix/self-validation.adoc[]
-
-=== Pitfalls
-
-include::../../common/pitfalls/partial-path-traversal.adoc[]
-
-For example, the following code is vulnerable to partial path injection. Note
-that the string `targetDirectory` does not end with a path separator:
-
-
-[source, kotlin]
-----
-companion object {
-    private val targetDirectory: String = "/Users/John"
-}
-
-@GetMapping("/endpoint")
-fun endpoint(@RequestParam("folder") file: File) {
-    val canonicalizedFileName = file.getCanonicalPath()
-    if (!canonicalizedFileName .startsWith(targetDirectory)) {
-        throw IOException("Entry is outside of the target directory");
-    }
-    file.delete()
-}
-----
-
-This check can be bypassed because `"/Users/Johnny".startsWith("/Users/John")`
-returns `true`. Thus, for validation, `"/Users/John"` should actually be
-`"/Users/John/"`.
-
-**Warning**: Some functions, such as `.getCanonicalPath`, remove the
-terminating path separator in their return value. +
-The validation code should be tested to ensure that it cannot be impacted by this
-issue.
-
-https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]
-
-
-:joining_docs: https://docs.oracle.com/javase/8/docs/api/java/nio/file/Path.html
-:joining_func: java.nio.file.Path.resolve
-
-include::../../common/pitfalls/oob-specific-path-joining.adoc[]

rules/S2083/kotlin/metadata.json

@@ -1,33 +0,0 @@
-{
-  "securityStandards": {
-    "CWE": [
-      20,
-      22
-    ],
-    "OWASP": [
-      "A5",
-      "A1"
-    ],
-    "OWASP Top 10 2021": [
-      "A1",
-      "A3"
-    ],
-    "OWASP Mobile Top 10 2024": [
-      "M4"
-    ],
-    "PCI DSS 3.2": [
-      "6.5.8"
-    ],
-    "PCI DSS 4.0": [
-      "6.2.4"
-    ],
-    "ASVS 4.0": [
-      "12.3.1",
-      "5.1.3",
-      "5.1.4"
-    ],
-    "STIG ASD_V5R3": [
-      "V-222609"
-    ]
-  }
-}

rules/S2083/kotlin/rule.adoc

@@ -1,29 +0,0 @@
-== Why is this an issue?
-
-include::../rationale.adoc[]
-
-include::../impact.adoc[]
-
-// How to fix it section
-
-include::how-to-fix-it/java-io-api.adoc[]
-
-== Resources
-
-include::../common/resources/standards-mobile.adoc[]
-
-ifdef::env-github,rspecator-view[]
-
-'''
-== Implementation Specification
-(visible only on this page)
-
-include::../message.adoc[]
-
-'''
-== Comments And Links
-(visible only on this page)
-
-include::../comments-and-links.adoc[]
-
-endif::env-github,rspecator-view[]

rules/S6096/java/how-to-fix-it/java-se.adoc

@@ -1,4 +1,4 @@
-== How to fix it in Java I/O API
+== How to fix it in Java SE
 
 === Code examples
 

rules/S6096/java/rule.adoc

@@ -4,7 +4,7 @@ include::../rationale.adoc[]
 
 include::../impact.adoc[]
 
-include::how-to-fix-it/java-io-api.adoc[]
+include::how-to-fix-it/java-se.adoc[]
 
 == Resources
 

rules/S6096/kotlin/how-to-fix-it/java-io-api.adoc

@@ -1,90 +0,0 @@
-== How to fix it in Java I/O API
-
-=== Code examples
-
-:canonicalization_function1: java.io.File.getCanonicalFile
-:canonicalization_function2: java.io.File.getCanonicalPath
-
-include::../../common/fix/code-rationale.adoc[]
-
-==== Noncompliant code example
-
-[source,kotlin,diff-id=1,diff-type=noncompliant]
-----
-class Example {
-    companion object {
-        private const val TARGET_DIRECTORY = "/example/directory/"
-    }
-    fun extractEntry(zipFile: ZipFile) {
-        val entries = zipFile.entries()
-        val entry = entries.nextElement()
-        val inputStream = zipFile.getInputStream(entry)
-        val file = File(TARGET_DIRECTORY + entry.name)
-        inputStream.copyTo(file.outputStream())
-    }
-}
-----
-
-==== Compliant solution
-
-[source,kotlin,diff-id=1,diff-type=compliant]
-----
-class Example {
-    companion object {
-        private const val TARGET_DIRECTORY = "/example/directory/"
-    }
-    fun extractEntry(zipFile: ZipFile) {
-        val entries = zipFile.entries()
-        val entry = entries.nextElement()
-        val inputStream = zipFile.getInputStream(entry)
-        val file = File(TARGET_DIRECTORY + entry.name)
-        val canonicalDestinationPath = file.canonicalPath
-        if (canonicalDestinationPath.startsWith(TARGET_DIRECTORY)) {
-            inputStream.copyTo(file.outputStream())
-        }
-    }
-}
-----
-
-=== How does this work?
-
-include::../../common/fix/how-does-this-work.adoc[]
-
-=== Pitfalls
-
-include::../../common/pitfalls/partial-path-traversal.adoc[]
-
-For example, the following code is vulnerable to partial path injection. Note
-that the string `targetDirectory` does not end with a path separator:
-
-
-[source, kotlin]
-----
-companion object {
-    private const val targetDirectory = "/Users/John"
-}
-
-fun ExtractEntry(zipFile: ZipFile) {
-    val entries = zipFile.entries()
-    val entry = entries.nextElement()
-    val inputStream = zipFile.getInputStream(entry)
-
-    val file = File(entry.name)
-
-    val canonicalDestinationPath = file.canonicalPath
-    if (canonicalDestinationPath.startsWith(targetDirectory)) {
-        Files.copy(inputStream, file.toPath(), StandardCopyOption.REPLACE_EXISTING, LinkOption.NOFOLLOW_LINKS)
-    }
-}
-----
-
-This check can be bypassed because `"/Users/Johnny".startsWith("/Users/John")`
-returns `true`. Thus, for validation, `"/Users/John"` should actually be
-`"/Users/John/"`.
-
-**Warning**: Some functions, such as `.getCanonicalPath`, remove the
-terminating path separator in their return value. +
-The validation code should be tested to ensure that it cannot be impacted by this
-issue.
-
-https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]

rules/S6096/kotlin/metadata.json

@@ -1,34 +0,0 @@
-{
-  "securityStandards": {
-    "CWE": [
-      20,
-      22
-    ],
-    "OWASP": [
-      "A5",
-      "A1"
-    ],
-    "OWASP Top 10 2021": [
-      "A1",
-      "A3"
-    ],
-    "OWASP Mobile Top 10 2024": [
-      "M4"
-    ],
-    "PCI DSS 3.2": [
-      "6.5.1",
-      "6.5.8"
-    ],
-    "PCI DSS 4.0": [
-      "6.2.4"
-    ],
-    "ASVS 4.0": [
-      "12.3.4",
-      "5.1.3",
-      "5.1.4"
-    ],
-    "STIG ASD_V5R3": [
-      "V-222609"
-    ]
-  }
-}

rules/S6096/kotlin/rule.adoc

@@ -1,23 +0,0 @@
-== Why is this an issue?
-
-include::../rationale.adoc[]
-
-include::../impact.adoc[]
-
-include::how-to-fix-it/java-io-api.adoc[]
-
-== Resources
-
-include::../common/resources/articles.adoc[]
-
-include::../common/resources/standards-mobile.adoc[]
-
-ifdef::env-github,rspecator-view[]
-
-'''
-== Implementation Specification
-(visible only on this page)
-
-include::../message.adoc[]
-
-endif::env-github,rspecator-view[]

rules/S6362/see.adoc

@@ -5,6 +5,3 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
-
-=== Related rules
-* S7409 - Exposing Java objects through JavaScript interfaces is security-sensitive

rules/S7409/kotlin/metadata.json

@@ -1,5 +1,5 @@
 {
-  "title": "Exposing Java objects through JavaScript interfaces is security-sensitive",
+  "title": "Exposing Java interfaces in WebViews is security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "remediation": {

rules/S7409/kotlin/rule.adoc

@@ -1,15 +1,15 @@
-Using JavaScript interfaces in WebViews to expose Java objects is unsafe. Doing so allows JavaScript
-to invoke Java methods, potentially giving attackers access to data or sensitive app functionality.
-WebViews might include untrusted sources such as third-party iframes, making this functionality
-particularly risky. As JavaScript interfaces are passed to every frame in the WebView, those iframes
-are also able to access the exposed Java object.
+Using Javascript interfaces in WebViews is unsafe as it allows JavaScript to invoke Java methods,
+potentially giving attackers access to data or sensitive app functionality. WebViews might include
+untrusted sources such as third-party iframes, making this functionality particularly risky. As
+Javascript interfaces are passed to every frame in the WebView, those iframes are also able to
+access the exposed Java methods.
 
 == Ask Yourself Whether
 
 * The content in the WebView is fully trusted and secure.
 * Potentially untrusted iframes could be loaded in the WebView.
-* The JavaScript interface has to be exposed for the entire lifecycle of the WebView.
-* The exposed Java object might be called by untrusted sources.
+* The Javascript interface has to be exposed for the entire lifecycle of the WebView.
+* The exposed Java methods will accept input from potentially untrusted sources.
 
 There is a risk if you answered yes to any of these questions.
 
@@ -18,9 +18,9 @@ There is a risk if you answered yes to any of these questions.
 === Disable JavaScript
 
 If it is possible to disable JavaScript in the WebView, this is the most secure option. By default,
-JavaScript is disabled in a WebView, so ``webSettings.setJavaScriptEnabled(false)`` does not need to
-be explicitly called. Of course, sometimes it is necessary to enable JavaScript, in which case the
-following recommendations should be considered.
+JavaScript is disabled in a WebView, so you do not need to explicitly call
+``webSettings.setJavaScriptEnabled(true)`` in your ``WebSettings`` configuration. Of course, sometimes
+it is necessary to enable JavaScript, in which case the following recommendations should be considered.
 
 === Remove JavaScript interface when loading untrusted content
 
@@ -63,8 +63,7 @@ class ExampleActivity : AppCompatActivity() {
 
 == Compliant Solution
 
-The most secure option is to disable JavaScript entirely. S6362 further explains why it should not be enabled
-unless absolutely necessary.
+The most secure option is to disable JavaScript entirely.
 
 [source,kotlin]
 ----
@@ -97,8 +96,7 @@ class ExampleActivity : AppCompatActivity() {
 }
 ----
 
-If a JavaScript bridge must be used, consider using ``WebViewCompat.addWebMessageListener`` instead. This allows you to restrict
-the origins that can send messages to the JavaScript bridge.
+If a JavaScript bridge must be used, consider using ``WebViewCompat.addWebMessageListener`` instead. This allows you to restrict the origins that can send messages to the JavaScript bridge.
 
 [source,kotlin]
 ----
@@ -137,6 +135,3 @@ class ExampleActivity : AppCompatActivity() {
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation.html[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration.html[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation]
-
-=== Related rules
-* S6362 - Enabling JavaScript support for WebViews is security-sensitive

rules/S7461/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S7461/rust/metadata.json

@@ -0,0 +1,24 @@
+{
+  "title": "Conflicting `Borrow` and `Hash` implementations should be avoided",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "clippy"
+  ],
+  "defaultSeverity": "Critical",
+  "ruleSpecification": "RSPEC-7461",
+  "sqKey": "S7461",
+  "scope": "All",
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "HIGH"
+    },
+    "attribute": "LOGICAL"
+  }
+}

rules/S7461/rust/rule.adoc

@@ -0,0 +1,41 @@
+
+== Why is this an issue?
+
+When a type implements `Borrow<T>`, it should provide consistent behavior between the borrowed and owned values, especially regarding `Eq`, `Ord`, and `Hash`. However, `str` and `[u8]` have different Hash implementations, leading to inconsistent hash values for the same underlying data when accessed through different Borrow implementations. This violates the principle that `hash(x) == hash((x as Borrow<[u8]>).borrow()) == hash((x as Borrow<str>).borrow())` must hold, and can cause issues with hash-based collections and comparisons.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,rust]
+----
+use std::borrow::Borrow;
+use std::hash::{Hash, Hasher};
+
+struct ExampleType {
+    data: String,
+}
+
+impl Hash for ExampleType {
+    fn hash<H: Hasher>(&self, state: &mut H) {
+        self.data.hash(state); // Noncompliant: Inconsistent Hash
+    }
+}
+
+impl Borrow<str> for ExampleType {
+    fn borrow(&self) -> &str {
+        &self.data
+    }
+}
+
+impl Borrow<[u8]> for ExampleType {
+    fn borrow(&self) -> &[u8] {
+        self.data.as_bytes()
+    }
+}
+----
+
+== Resources
+=== Documentation
+
+* Clippy Lints - https://rust-lang.github.io/rust-clippy/master/index.html#impl_hash_borrow_with_str_and_bytes