update coverage information (#4859)

Co-authored-by: SonarTech <sonartech@sonarsource.com>

docs/header_names/allowed_framework_names.adoc

@@ -44,6 +44,7 @@
 * Java JWT
 * Java SE
 * Java JDBC API
+* Java I/O API
 * Jdom2
 * JSP
 * Legacy Mongo Java API

frontend/public/covered_rules.json

@@ -587,7 +587,8 @@
     "S6330": "sonar-iac-enterprise 1.1.0.861",
     "S6332": "sonar-iac-enterprise 1.1.0.861",
     "S6333": "sonar-iac-enterprise 1.2.0.976",
-    "S6364": "sonar-iac-enterprise 1.4.0.1288"
+    "S6364": "sonar-iac-enterprise 1.4.0.1288",
+    "S7452": "sonar-iac-enterprise master"
   },
   "COBOL": {
     "S105": "sonar-cobol 4.0.1.2609",
@@ -5190,6 +5191,7 @@
     "S1940": "sonar-kotlin 2.0.0.29",
     "S2053": "sonar-kotlin 2.3.0.609",
     "S2068": "sonar-kotlin 2.0.0.29",
+    "S2083": "sonar-security master",
     "S2097": "sonar-kotlin 2.12.0.1956",
     "S2114": "sonar-kotlin 2.12.0.1956",
     "S2116": "sonar-kotlin 2.12.0.1956",
@@ -5221,6 +5223,7 @@
     "S5322": "sonar-kotlin 2.3.0.609",
     "S5324": "sonar-kotlin 2.2.0.499",
     "S5332": "sonar-kotlin 2.0.0.29",
+    "S5344": "sonar-kotlin master",
     "S5527": "sonar-kotlin 2.0.0.29",
     "S5542": "sonar-kotlin 2.0.0.29",
     "S5547": "sonar-kotlin 2.0.0.29",
@@ -5234,6 +5237,7 @@
     "S5867": "sonar-kotlin 2.6.0.862",
     "S5868": "sonar-kotlin 2.6.0.862",
     "S5869": "sonar-kotlin 2.6.0.862",
+    "S6096": "sonar-security master",
     "S6202": "sonar-kotlin 2.4.0.703",
     "S6207": "sonar-kotlin 2.15.0.2579",
     "S6218": "sonar-kotlin 2.4.0.703",
@@ -5256,6 +5260,7 @@
     "S6318": "sonar-kotlin 2.1.0.344",
     "S6362": "sonar-kotlin 2.5.0.754",
     "S6363": "sonar-kotlin 2.5.0.754",
+    "S6384": "sonar-security master",
     "S6432": "sonar-kotlin 2.11.0.1828",
     "S6474": "sonar-kotlin master",
     "S6508": "sonar-kotlin 2.14.0.2352",
@@ -5289,7 +5294,9 @@
     "S6634": "sonar-kotlin 2.16.0.2832",
     "S7204": "sonar-kotlin master",
     "S7409": "sonar-kotlin master",
+    "S7410": "sonar-kotlin master",
     "S7416": "sonar-kotlin master",
+    "S7435": "sonar-kotlin master",
     "S899": "sonar-kotlin 2.12.0.1956"
   },
   "KUBERNETES": {
@@ -6815,138 +6822,138 @@
     "S7171": "sonar-text-enterprise 2.18.0.4866",
     "S7174": "sonar-text-enterprise 2.21.0.5225",
     "S7175": "sonar-text-enterprise 2.21.0.5225",
-    "S7199": "sonar-text-enterprise master",
+    "S7199": "sonar-text-enterprise 2.22.0.5855",
-    "S7209": "sonar-text-enterprise master",
+    "S7209": "sonar-text-enterprise 2.22.0.5855",
-    "S7210": "sonar-text-enterprise master",
+    "S7210": "sonar-text-enterprise 2.22.0.5855",
-    "S7211": "sonar-text-enterprise master",
+    "S7211": "sonar-text-enterprise 2.22.0.5855",
-    "S7212": "sonar-text-enterprise master",
+    "S7212": "sonar-text-enterprise 2.22.0.5855",
-    "S7213": "sonar-text-enterprise master",
+    "S7213": "sonar-text-enterprise 2.22.0.5855",
-    "S7214": "sonar-text-enterprise master",
+    "S7214": "sonar-text-enterprise 2.22.0.5855",
-    "S7216": "sonar-text-enterprise master",
+    "S7216": "sonar-text-enterprise 2.22.0.5855",
-    "S7217": "sonar-text-enterprise master",
+    "S7217": "sonar-text-enterprise 2.22.0.5855",
-    "S7218": "sonar-text-enterprise master",
+    "S7218": "sonar-text-enterprise 2.22.0.5855",
-    "S7219": "sonar-text-enterprise master",
+    "S7219": "sonar-text-enterprise 2.22.0.5855",
-    "S7220": "sonar-text-enterprise master",
+    "S7220": "sonar-text-enterprise 2.22.0.5855",
-    "S7221": "sonar-text-enterprise master",
+    "S7221": "sonar-text-enterprise 2.22.0.5855",
-    "S7222": "sonar-text-enterprise master",
+    "S7222": "sonar-text-enterprise 2.22.0.5855",
-    "S7223": "sonar-text-enterprise master",
+    "S7223": "sonar-text-enterprise 2.22.0.5855",
-    "S7225": "sonar-text-enterprise master",
+    "S7225": "sonar-text-enterprise 2.22.0.5855",
-    "S7226": "sonar-text-enterprise master",
+    "S7226": "sonar-text-enterprise 2.22.0.5855",
-    "S7227": "sonar-text-enterprise master",
+    "S7227": "sonar-text-enterprise 2.22.0.5855",
-    "S7228": "sonar-text-enterprise master",
+    "S7228": "sonar-text-enterprise 2.22.0.5855",
-    "S7229": "sonar-text-enterprise master",
+    "S7229": "sonar-text-enterprise 2.22.0.5855",
-    "S7231": "sonar-text-enterprise master",
+    "S7231": "sonar-text-enterprise 2.22.0.5855",
-    "S7232": "sonar-text-enterprise master",
+    "S7232": "sonar-text-enterprise 2.22.0.5855",
-    "S7235": "sonar-text-enterprise master",
+    "S7235": "sonar-text-enterprise 2.22.0.5855",
-    "S7236": "sonar-text-enterprise master",
+    "S7236": "sonar-text-enterprise 2.22.0.5855",
-    "S7237": "sonar-text-enterprise master",
+    "S7237": "sonar-text-enterprise 2.22.0.5855",
-    "S7238": "sonar-text-enterprise master",
+    "S7238": "sonar-text-enterprise 2.22.0.5855",
-    "S7240": "sonar-text-enterprise master",
+    "S7240": "sonar-text-enterprise 2.22.0.5855",
-    "S7243": "sonar-text-enterprise master",
+    "S7243": "sonar-text-enterprise 2.22.0.5855",
-    "S7246": "sonar-text-enterprise master",
+    "S7246": "sonar-text-enterprise 2.22.0.5855",
-    "S7248": "sonar-text-enterprise master",
+    "S7248": "sonar-text-enterprise 2.22.0.5855",
-    "S7249": "sonar-text-enterprise master",
+    "S7249": "sonar-text-enterprise 2.22.0.5855",
-    "S7250": "sonar-text-enterprise master",
+    "S7250": "sonar-text-enterprise 2.22.0.5855",
-    "S7251": "sonar-text-enterprise master",
+    "S7251": "sonar-text-enterprise 2.22.0.5855",
-    "S7252": "sonar-text-enterprise master",
+    "S7252": "sonar-text-enterprise 2.22.0.5855",
-    "S7256": "sonar-text-enterprise master",
+    "S7256": "sonar-text-enterprise 2.22.0.5855",
-    "S7258": "sonar-text-enterprise master",
+    "S7258": "sonar-text-enterprise 2.22.0.5855",
-    "S7259": "sonar-text-enterprise master",
+    "S7259": "sonar-text-enterprise 2.22.0.5855",
-    "S7260": "sonar-text-enterprise master",
+    "S7260": "sonar-text-enterprise 2.22.0.5855",
-    "S7261": "sonar-text-enterprise master",
+    "S7261": "sonar-text-enterprise 2.22.0.5855",
-    "S7262": "sonar-text-enterprise master",
+    "S7262": "sonar-text-enterprise 2.22.0.5855",
-    "S7263": "sonar-text-enterprise master",
+    "S7263": "sonar-text-enterprise 2.22.0.5855",
-    "S7264": "sonar-text-enterprise master",
+    "S7264": "sonar-text-enterprise 2.22.0.5855",
-    "S7268": "sonar-text-enterprise master",
+    "S7268": "sonar-text-enterprise 2.22.0.5855",
-    "S7269": "sonar-text-enterprise master",
+    "S7269": "sonar-text-enterprise 2.22.0.5855",
-    "S7270": "sonar-text-enterprise master",
+    "S7270": "sonar-text-enterprise 2.22.0.5855",
-    "S7271": "sonar-text-enterprise master",
+    "S7271": "sonar-text-enterprise 2.22.0.5855",
-    "S7272": "sonar-text-enterprise master",
+    "S7272": "sonar-text-enterprise 2.22.0.5855",
-    "S7273": "sonar-text-enterprise master",
+    "S7273": "sonar-text-enterprise 2.22.0.5855",
-    "S7275": "sonar-text-enterprise master",
+    "S7275": "sonar-text-enterprise 2.22.0.5855",
-    "S7276": "sonar-text-enterprise master",
+    "S7276": "sonar-text-enterprise 2.22.0.5855",
-    "S7277": "sonar-text-enterprise master",
+    "S7277": "sonar-text-enterprise 2.22.0.5855",
-    "S7278": "sonar-text-enterprise master",
+    "S7278": "sonar-text-enterprise 2.22.0.5855",
-    "S7279": "sonar-text-enterprise master",
+    "S7279": "sonar-text-enterprise 2.22.0.5855",
-    "S7280": "sonar-text-enterprise master",
+    "S7280": "sonar-text-enterprise 2.22.0.5855",
-    "S7282": "sonar-text-enterprise master",
+    "S7282": "sonar-text-enterprise 2.22.0.5855",
-    "S7283": "sonar-text-enterprise master",
+    "S7283": "sonar-text-enterprise 2.22.0.5855",
-    "S7285": "sonar-text-enterprise master",
+    "S7285": "sonar-text-enterprise 2.22.0.5855",
-    "S7286": "sonar-text-enterprise master",
+    "S7286": "sonar-text-enterprise 2.22.0.5855",
-    "S7287": "sonar-text-enterprise master",
+    "S7287": "sonar-text-enterprise 2.22.0.5855",
-    "S7288": "sonar-text-enterprise master",
+    "S7288": "sonar-text-enterprise 2.22.0.5855",
-    "S7289": "sonar-text-enterprise master",
+    "S7289": "sonar-text-enterprise 2.22.0.5855",
-    "S7291": "sonar-text-enterprise master",
+    "S7291": "sonar-text-enterprise 2.22.0.5855",
-    "S7292": "sonar-text-enterprise master",
+    "S7292": "sonar-text-enterprise 2.22.0.5855",
-    "S7294": "sonar-text-enterprise master",
+    "S7294": "sonar-text-enterprise 2.22.0.5855",
-    "S7295": "sonar-text-enterprise master",
+    "S7295": "sonar-text-enterprise 2.22.0.5855",
-    "S7296": "sonar-text-enterprise master",
+    "S7296": "sonar-text-enterprise 2.22.0.5855",
-    "S7301": "sonar-text-enterprise master",
+    "S7301": "sonar-text-enterprise 2.22.0.5855",
-    "S7302": "sonar-text-enterprise master",
+    "S7302": "sonar-text-enterprise 2.22.0.5855",
-    "S7306": "sonar-text-enterprise master",
+    "S7306": "sonar-text-enterprise 2.22.0.5855",
-    "S7307": "sonar-text-enterprise master",
+    "S7307": "sonar-text-enterprise 2.22.0.5855",
-    "S7308": "sonar-text-enterprise master",
+    "S7308": "sonar-text-enterprise 2.22.0.5855",
-    "S7309": "sonar-text-enterprise master",
+    "S7309": "sonar-text-enterprise 2.22.0.5855",
-    "S7312": "sonar-text-enterprise master",
+    "S7312": "sonar-text-enterprise 2.22.0.5855",
-    "S7317": "sonar-text-enterprise master",
+    "S7317": "sonar-text-enterprise 2.22.0.5855",
-    "S7319": "sonar-text-enterprise master",
+    "S7319": "sonar-text-enterprise 2.22.0.5855",
-    "S7322": "sonar-text-enterprise master",
+    "S7322": "sonar-text-enterprise 2.22.0.5855",
-    "S7323": "sonar-text-enterprise master",
+    "S7323": "sonar-text-enterprise 2.22.0.5855",
-    "S7324": "sonar-text-enterprise master",
+    "S7324": "sonar-text-enterprise 2.22.0.5855",
-    "S7325": "sonar-text-enterprise master",
+    "S7325": "sonar-text-enterprise 2.22.0.5855",
-    "S7327": "sonar-text-enterprise master",
+    "S7327": "sonar-text-enterprise 2.22.0.5855",
-    "S7328": "sonar-text-enterprise master",
+    "S7328": "sonar-text-enterprise 2.22.0.5855",
-    "S7329": "sonar-text-enterprise master",
+    "S7329": "sonar-text-enterprise 2.22.0.5855",
-    "S7330": "sonar-text-enterprise master",
+    "S7330": "sonar-text-enterprise 2.22.0.5855",
-    "S7331": "sonar-text-enterprise master",
+    "S7331": "sonar-text-enterprise 2.22.0.5855",
-    "S7332": "sonar-text-enterprise master",
+    "S7332": "sonar-text-enterprise 2.22.0.5855",
-    "S7333": "sonar-text-enterprise master",
+    "S7333": "sonar-text-enterprise 2.22.0.5855",
-    "S7334": "sonar-text-enterprise master",
+    "S7334": "sonar-text-enterprise 2.22.0.5855",
-    "S7335": "sonar-text-enterprise master",
+    "S7335": "sonar-text-enterprise 2.22.0.5855",
-    "S7338": "sonar-text-enterprise master",
+    "S7338": "sonar-text-enterprise 2.22.0.5855",
-    "S7340": "sonar-text-enterprise master",
+    "S7340": "sonar-text-enterprise 2.22.0.5855",
-    "S7343": "sonar-text-enterprise master",
+    "S7343": "sonar-text-enterprise 2.22.0.5855",
-    "S7344": "sonar-text-enterprise master",
+    "S7344": "sonar-text-enterprise 2.22.0.5855",
-    "S7346": "sonar-text-enterprise master",
+    "S7346": "sonar-text-enterprise 2.22.0.5855",
-    "S7348": "sonar-text-enterprise master",
+    "S7348": "sonar-text-enterprise 2.22.0.5855",
-    "S7349": "sonar-text-enterprise master",
+    "S7349": "sonar-text-enterprise 2.22.0.5855",
-    "S7350": "sonar-text-enterprise master",
+    "S7350": "sonar-text-enterprise 2.22.0.5855",
-    "S7351": "sonar-text-enterprise master",
+    "S7351": "sonar-text-enterprise 2.22.0.5855",
-    "S7352": "sonar-text-enterprise master",
+    "S7352": "sonar-text-enterprise 2.22.0.5855",
-    "S7353": "sonar-text-enterprise master",
+    "S7353": "sonar-text-enterprise 2.22.0.5855",
-    "S7354": "sonar-text-enterprise master",
+    "S7354": "sonar-text-enterprise 2.22.0.5855",
-    "S7355": "sonar-text-enterprise master",
+    "S7355": "sonar-text-enterprise 2.22.0.5855",
-    "S7356": "sonar-text-enterprise master",
+    "S7356": "sonar-text-enterprise 2.22.0.5855",
-    "S7357": "sonar-text-enterprise master",
+    "S7357": "sonar-text-enterprise 2.22.0.5855",
-    "S7360": "sonar-text-enterprise master",
+    "S7360": "sonar-text-enterprise 2.22.0.5855",
-    "S7361": "sonar-text-enterprise master",
+    "S7361": "sonar-text-enterprise 2.22.0.5855",
-    "S7362": "sonar-text-enterprise master",
+    "S7362": "sonar-text-enterprise 2.22.0.5855",
-    "S7364": "sonar-text-enterprise master",
+    "S7364": "sonar-text-enterprise 2.22.0.5855",
-    "S7365": "sonar-text-enterprise master",
+    "S7365": "sonar-text-enterprise 2.22.0.5855",
-    "S7366": "sonar-text-enterprise master",
+    "S7366": "sonar-text-enterprise 2.22.0.5855",
-    "S7367": "sonar-text-enterprise master",
+    "S7367": "sonar-text-enterprise 2.22.0.5855",
-    "S7368": "sonar-text-enterprise master",
+    "S7368": "sonar-text-enterprise 2.22.0.5855",
-    "S7369": "sonar-text-enterprise master",
+    "S7369": "sonar-text-enterprise 2.22.0.5855",
-    "S7374": "sonar-text-enterprise master",
+    "S7374": "sonar-text-enterprise 2.22.0.5855",
-    "S7375": "sonar-text-enterprise master",
+    "S7375": "sonar-text-enterprise 2.22.0.5855",
-    "S7376": "sonar-text-enterprise master",
+    "S7376": "sonar-text-enterprise 2.22.0.5855",
-    "S7378": "sonar-text-enterprise master",
+    "S7378": "sonar-text-enterprise 2.22.0.5855",
-    "S7383": "sonar-text-enterprise master",
+    "S7383": "sonar-text-enterprise 2.22.0.5855",
-    "S7386": "sonar-text-enterprise master",
+    "S7386": "sonar-text-enterprise 2.22.0.5855",
-    "S7387": "sonar-text-enterprise master",
+    "S7387": "sonar-text-enterprise 2.22.0.5855",
-    "S7389": "sonar-text-enterprise master",
+    "S7389": "sonar-text-enterprise 2.22.0.5855",
-    "S7390": "sonar-text-enterprise master",
+    "S7390": "sonar-text-enterprise 2.22.0.5855",
-    "S7391": "sonar-text-enterprise master",
+    "S7391": "sonar-text-enterprise 2.22.0.5855",
-    "S7392": "sonar-text-enterprise master",
+    "S7392": "sonar-text-enterprise 2.22.0.5855",
-    "S7393": "sonar-text-enterprise master",
+    "S7393": "sonar-text-enterprise 2.22.0.5855",
-    "S7394": "sonar-text-enterprise master",
+    "S7394": "sonar-text-enterprise 2.22.0.5855",
-    "S7395": "sonar-text-enterprise master",
+    "S7395": "sonar-text-enterprise 2.22.0.5855",
-    "S7396": "sonar-text-enterprise master",
+    "S7396": "sonar-text-enterprise 2.22.0.5855",
-    "S7397": "sonar-text-enterprise master",
+    "S7397": "sonar-text-enterprise 2.22.0.5855",
-    "S7398": "sonar-text-enterprise master",
+    "S7398": "sonar-text-enterprise 2.22.0.5855",
-    "S7400": "sonar-text-enterprise master",
+    "S7400": "sonar-text-enterprise 2.22.0.5855",
-    "S7401": "sonar-text-enterprise master",
+    "S7401": "sonar-text-enterprise 2.22.0.5855",
-    "S7402": "sonar-text-enterprise master"
+    "S7402": "sonar-text-enterprise 2.22.0.5855"
   },
   "SWIFT": {
     "S100": "sonar-swift 3.1.0.2067",
@@ -7120,7 +7127,8 @@
     "S6410": "sonar-iac-enterprise 1.6.0.1852",
     "S6412": "sonar-iac-enterprise 1.7.0.2012",
     "S6413": "sonar-iac-enterprise 1.7.0.2012",
-    "S6414": "sonar-iac-enterprise 1.7.0.2012"
+    "S6414": "sonar-iac-enterprise 1.7.0.2012",
+    "S7452": "sonar-iac-enterprise master"
   },
   "TEXT": {
     "S6389": "sonar-text-enterprise 2.6.1.1316",

rules/S2068/go/rule.adoc

@@ -4,6 +4,10 @@ include::../ask-yourself.adoc[]
 
 include::../recommended.adoc[]
 
+=== Exceptions
+
+* The rule ignores string literals that are used directly in Regexp methods.
+
 == Sensitive Code Example
 
 ----

rules/S2083/java/how-to-fix-it/java-io-api.adoc

@@ -1,4 +1,4 @@
-== How to fix it in Java SE
+== How to fix it in Java I/O API
 
 === Code examples
 
@@ -67,7 +67,7 @@ that the string `targetDirectory` does not end with a path separator:
 static private String targetDirectory = "/Users/John";
 
 @GetMapping(value = "/endpoint")
-public void endpoint(@RequestParam("folder") fileName) throws IOException {
+public void endpoint(@RequestParam("folder") File fileName) throws IOException {
 
     String canonicalizedFileName = fileName.getCanonicalPath();
 

rules/S2083/java/rule.adoc

@@ -6,7 +6,7 @@ include::../impact.adoc[]
 
 // How to fix it section
 
-include::how-to-fix-it/java-se.adoc[]
+include::how-to-fix-it/java-io-api.adoc[]
 
 == Resources
 

rules/S2083/kotlin/how-to-fix-it/java-io-api.adoc

@@ -0,0 +1,94 @@
+== How to fix it in Java I/O API
+
+=== Code examples
+
+:code_impact: delete
+
+include::../../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=1,diff-type=noncompliant]
+----
+@Controller
+class ExampleController {
+    companion object {
+        private const val TARGET_DIRECTORY = "/path/to/target/directory/"
+    }
+
+    @GetMapping("/delete")
+    fun delete(@RequestParam("filename") filename: String) {
+        val file = File(TARGET_DIRECTORY + filename)
+        file.delete()
+    }
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=1,diff-type=compliant]
+----
+@Controller
+class ExampleController {
+    companion object {
+        private const val TARGET_DIRECTORY = "/path/to/target/directory/"
+        private val TARGET_PATH = File(TARGET_DIRECTORY).toPath().normalize()
+    }
+
+    @GetMapping("/delete")
+    fun delete(@RequestParam("filename") filename: String) {
+        val file = File(TARGET_PATH.toString() + filename)
+        if (!file.toPath().normalize().startsWith(TARGET_PATH)) {
+            throw IOException("Entry is outside of the target directory")
+        }
+        file.delete()
+    }
+}
+----
+
+=== How does this work?
+
+:canonicalization_function: java.io.File.getCanonicalPath
+
+include::../../common/fix/self-validation.adoc[]
+
+=== Pitfalls
+
+include::../../common/pitfalls/partial-path-traversal.adoc[]
+
+For example, the following code is vulnerable to partial path injection. Note
+that the string `targetDirectory` does not end with a path separator:
+
+
+[source, kotlin]
+----
+companion object {
+    private val targetDirectory: String = "/Users/John"
+}
+
+@GetMapping("/endpoint")
+fun endpoint(@RequestParam("folder") file: File) {
+    val canonicalizedFileName = file.getCanonicalPath()
+    if (!canonicalizedFileName .startsWith(targetDirectory)) {
+        throw IOException("Entry is outside of the target directory");
+    }
+    file.delete()
+}
+----
+
+This check can be bypassed because `"/Users/Johnny".startsWith("/Users/John")`
+returns `true`. Thus, for validation, `"/Users/John"` should actually be
+`"/Users/John/"`.
+
+**Warning**: Some functions, such as `.getCanonicalPath`, remove the
+terminating path separator in their return value. +
+The validation code should be tested to ensure that it cannot be impacted by this
+issue.
+
+https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]
+
+
+:joining_docs: https://docs.oracle.com/javase/8/docs/api/java/nio/file/Path.html
+:joining_func: java.nio.file.Path.resolve
+
+include::../../common/pitfalls/oob-specific-path-joining.adoc[]

rules/S2083/kotlin/metadata.json

@@ -0,0 +1,33 @@
+{
+  "securityStandards": {
+    "CWE": [
+      20,
+      22
+    ],
+    "OWASP": [
+      "A5",
+      "A1"
+    ],
+    "OWASP Top 10 2021": [
+      "A1",
+      "A3"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M4"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.8"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "12.3.1",
+      "5.1.3",
+      "5.1.4"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222609"
+    ]
+  }
+}

rules/S2083/kotlin/rule.adoc

@@ -0,0 +1,29 @@
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+include::how-to-fix-it/java-io-api.adoc[]
+
+== Resources
+
+include::../common/resources/standards-mobile.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]

rules/S3776/rust/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S3776/rust/rule.adoc

@@ -0,0 +1,13 @@
+include::../intro.adoc[]
+
+== Why is this an issue?
+
+include::../why.adoc[]
+
+=== What is the potential impact?
+
+include::../impact.adoc[]
+
+include::../resources.adoc[]
+
+include::../rspecator.adoc[]

rules/S5344/kotlin/highlighting.adoc

@@ -0,0 +1,6 @@
+=== Highlighting
+
+* Main location: The `iteration` argument of the PBEKeySpec constructor call
+* Secondary location
+** The location where the `iteration` argument value is assigned 
+** The location where the `algorithm` argument value of SecretKeyFactory.getInstance is assigned

rules/S5344/kotlin/message.adoc

@@ -0,0 +1,6 @@
+=== Message
+
+* For PBKDF2: "Use at least ``+{min_iterations}+`` PBKDF2 iterations"
+** If `algorithm` is `"PBKDF2withHmacSHA1"`, then min_iterations is 1,300,000
+** If `algorithm` is `"PBKDF2withHmacSHA256"`, then min_iterations is 600,000
+** If `algorithm` is `"PBKDF2withHmacSHA512"`, then min_iterations is 210,000

rules/S5344/kotlin/metadata.json

@@ -0,0 +1,35 @@
+{
+  "securityStandards": {
+    "CWE": [
+      256,
+      916
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Top 10 2021": [
+      "A2",
+      "A4"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M10"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.3"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.3",
+      "2.4.1",
+      "2.4.2",
+      "2.4.3",
+      "2.4.4",
+      "2.4.5"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222542"
+    ]
+  }
+}

rules/S5344/kotlin/rule.adoc

@@ -0,0 +1,65 @@
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+== How to fix it in Java Cryptography Extension
+
+=== Code examples
+
+==== Noncompliant code example
+
+The derived key is vulnerable because the cost factor (rounds) is too low for the chosen algorithm.
+
+[source,kotlin,diff-id=1,diff-type=noncompliant]
+----
+private fun deriveKey(password: String, salt: ByteArray): SecretKey? {
+  val keySpec = PBEKeySpec(password.toCharArray(), salt, 120000, 256) // Noncompliant
+  val secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2withHmacSHA512")
+  return secretKeyFactory.generateSecret(keySpec)
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=1,diff-type=compliant]
+----
+private fun deriveKey(password: String, salt: ByteArray): SecretKey? {
+  val keySpec = PBEKeySpec(password.toCharArray(), salt, 210000, 256) 
+  val secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2withHmacSHA512")
+  return secretKeyFactory.generateSecret(keySpec)
+}
+----
+
+=== How does this work?
+
+include::../common/fix/pbkdf2-parameters.adoc[]
+
+=== Going the extra mile
+
+include::../common/extra-mile/peppering.adoc[]
+
+
+== Resources
+
+=== Documentation
+
+* OWASP CheatSheet - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[Password Storage Cheat Sheet]
+
+include::../common/resources/standards-mobile.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::message.adoc[]
+
+include::highlighting.adoc[]
+
+endif::env-github,rspecator-view[]
+

rules/S5443/cfamily/rule.adoc

@@ -6,6 +6,7 @@ include::../recommended.adoc[]
 
 == Sensitive Code Example
 
+[source,cpp]
 ----
 #include <cstdio>
 // ...
@@ -15,6 +16,7 @@ void f() {
 }
 ----
 
+[source,cpp]
 ----
 #include <cstdio>
 #include <cstdlib>

rules/S6096/java/how-to-fix-it/java-io-api.adoc

@@ -1,4 +1,4 @@
-== How to fix it in Java SE
+== How to fix it in Java I/O API
 
 === Code examples
 

rules/S6096/java/rule.adoc

@@ -4,7 +4,7 @@ include::../rationale.adoc[]
 
 include::../impact.adoc[]
 
-include::how-to-fix-it/java-se.adoc[]
+include::how-to-fix-it/java-io-api.adoc[]
 
 == Resources
 

rules/S6096/kotlin/how-to-fix-it/java-io-api.adoc

@@ -0,0 +1,90 @@
+== How to fix it in Java I/O API
+
+=== Code examples
+
+:canonicalization_function1: java.io.File.getCanonicalFile
+:canonicalization_function2: java.io.File.getCanonicalPath
+
+include::../../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=1,diff-type=noncompliant]
+----
+class Example {
+    companion object {
+        private const val TARGET_DIRECTORY = "/example/directory/"
+    }
+    fun extractEntry(zipFile: ZipFile) {
+        val entries = zipFile.entries()
+        val entry = entries.nextElement()
+        val inputStream = zipFile.getInputStream(entry)
+        val file = File(TARGET_DIRECTORY + entry.name)
+        inputStream.copyTo(file.outputStream())
+    }
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=1,diff-type=compliant]
+----
+class Example {
+    companion object {
+        private const val TARGET_DIRECTORY = "/example/directory/"
+    }
+    fun extractEntry(zipFile: ZipFile) {
+        val entries = zipFile.entries()
+        val entry = entries.nextElement()
+        val inputStream = zipFile.getInputStream(entry)
+        val file = File(TARGET_DIRECTORY + entry.name)
+        val canonicalDestinationPath = file.canonicalPath
+        if (canonicalDestinationPath.startsWith(TARGET_DIRECTORY)) {
+            inputStream.copyTo(file.outputStream())
+        }
+    }
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/how-does-this-work.adoc[]
+
+=== Pitfalls
+
+include::../../common/pitfalls/partial-path-traversal.adoc[]
+
+For example, the following code is vulnerable to partial path injection. Note
+that the string `targetDirectory` does not end with a path separator:
+
+
+[source, kotlin]
+----
+companion object {
+    private const val targetDirectory = "/Users/John"
+}
+
+fun ExtractEntry(zipFile: ZipFile) {
+    val entries = zipFile.entries()
+    val entry = entries.nextElement()
+    val inputStream = zipFile.getInputStream(entry)
+
+    val file = File(entry.name)
+
+    val canonicalDestinationPath = file.canonicalPath
+    if (canonicalDestinationPath.startsWith(targetDirectory)) {
+        Files.copy(inputStream, file.toPath(), StandardCopyOption.REPLACE_EXISTING, LinkOption.NOFOLLOW_LINKS)
+    }
+}
+----
+
+This check can be bypassed because `"/Users/Johnny".startsWith("/Users/John")`
+returns `true`. Thus, for validation, `"/Users/John"` should actually be
+`"/Users/John/"`.
+
+**Warning**: Some functions, such as `.getCanonicalPath`, remove the
+terminating path separator in their return value. +
+The validation code should be tested to ensure that it cannot be impacted by this
+issue.
+
+https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]

rules/S6096/kotlin/metadata.json

@@ -0,0 +1,34 @@
+{
+  "securityStandards": {
+    "CWE": [
+      20,
+      22
+    ],
+    "OWASP": [
+      "A5",
+      "A1"
+    ],
+    "OWASP Top 10 2021": [
+      "A1",
+      "A3"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M4"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.1",
+      "6.5.8"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "12.3.4",
+      "5.1.3",
+      "5.1.4"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222609"
+    ]
+  }
+}

rules/S6096/kotlin/rule.adoc

@@ -0,0 +1,23 @@
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+include::how-to-fix-it/java-io-api.adoc[]
+
+== Resources
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-mobile.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+endif::env-github,rspecator-view[]

rules/S6273/metadata.json

@@ -28,8 +28,6 @@
   "ruleSpecification": "RSPEC-6273",
   "sqKey": "S6273",
   "scope": "Main",
-  "defaultQualityProfiles": [
+  "defaultQualityProfiles": [],
-    "Sonar way"
-  ],
   "quickfix": "unknown"
 }

rules/S6362/see.adoc

@@ -5,3 +5,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+
+=== Related rules
+* S7409 - Exposing Java objects through JavaScript interfaces is security-sensitive

rules/S6363/ask-yourself.adoc

@@ -1,6 +1,6 @@
 == Ask Yourself Whether
 
-* No local files have to be accessed by the Webview.
+* You open files that may be created or altered by external sources.
-* The WebView contains untrusted data that could cause harm when rendered.
+* You open arbitrary URLs from external sources.
 
-There is a risk if you answered yes to any of those questions.
+There is a risk if you answered yes to any of these questions.

rules/S6363/description.adoc

@@ -1,7 +1,7 @@
-WebViews can be used to display web content as part of a mobile application. A
+Exposing the Android file system to WebViews is security-sensitive.
-browser engine is used to render and display the content. Like a web
-application, a mobile application that uses WebViews can be vulnerable to
-Cross-Site Scripting if untrusted code is rendered.
 
-If malicious JavaScript code in a WebView is executed this can leak the contents
+Granting file access to WebViews, particularly through the `file://` scheme, introduces a risk of local file inclusion
-of sensitive files when access to local files is enabled.
+vulnerabilities. The severity of this risk depends heavily on the specific `WebSettings` configured.  Overly permissive
+settings can allow malicious scripts to access a wide range of local files, potentially exposing sensitive data such as
+Personally Identifiable Information (PII) or private application data, leading to data breaches and other security
+compromises.

rules/S6363/kotlin/rule.adoc

@@ -8,26 +8,66 @@ include::../recommended.adoc[]
 
 [source,kotlin]
 ----
-import android.webkit.WebView
+AndroidView(
-
+    factory = { context ->
-val webView: WebView = findViewById(R.id.webview)
+        WebView(context).apply {
-webView.getSettings().setAllowContentAccess(true) // Sensitive
+            webViewClient = WebViewClient()
-webView.getSettings().setAllowFileAccess(true) // Sensitive
+            settings.apply {
+                allowFileAccess = true  // Sensitive
+                allowFileAccessFromFileURLs = true  // Sensitive
+                allowUniversalAccessFromFileURLs = true  // Sensitive
+                allowContentAccess = true  // Sensitive
+            }
+            loadUrl("file:///android_asset/example.html")
+        }
+   }
+)
 ----
 
 == Compliant Solution
 
 [source,kotlin]
 ----
-import android.webkit.WebView
+AndroidView(
+    factory = { context ->
+        val webView = WebView(context)
+        val assetLoader = WebViewAssetLoader.Builder()
+            .addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(context))
+            .build()
 
-val webView: WebView = findViewById(R.id.webview)
+        webView.webViewClient = object : WebViewClient() {
-webView.getSettings().setAllowContentAccess(false)
+            @RequiresApi(Build.VERSION_CODES.LOLLIPOP)
-webView.getSettings().setAllowFileAccess(false)
+            override fun shouldInterceptRequest(view: WebView?, request: WebResourceRequest): WebResourceResponse? {
+                return assetLoader.shouldInterceptRequest(request.url)
+            }
+
+            @Suppress("deprecation")
+            override fun shouldInterceptRequest(view: WebView?, url: String?): WebResourceResponse? {
+                return assetLoader.shouldInterceptRequest(Uri.parse(url))
+            }
+        }
+
+        webView.settings.apply {
+            allowFileAccess = false
+            allowFileAccessFromFileURLs = false
+            allowUniversalAccessFromFileURLs = false
+            allowContentAccess = false
+        }
+
+        webView.loadUrl("https://appassets.androidplatform.net/assets/example.html")
+        webView
+    }
+)
 ----
 
-include::../see.adoc[]
+The compliant solution uses `WebViewAssetLoader` to load local files instead of directly accessing them via `file://`
+URLs. This approach serves assets over a secure `https://appassets.androidplatform.net` URL, effectively isolating the
+WebView from the local file system.
 
+The file access settings are disabled by default in modern Android versions. To prevent possible security issues in
+`Build.VERSION_CODES.Q` and earlier, it is still recommended to explicitly set those values to false.
+
+include::../see.adoc[]
 
 ifdef::env-github,rspecator-view[]
 

rules/S6363/metadata.json

@@ -26,8 +26,8 @@
       79
     ],
     "OWASP": [
-      "A6",
+      "A3",
-      "A7"
+      "A6"
     ],
     "MASVS": [
       "MSTG-PLATFORM-2"
@@ -36,7 +36,7 @@
       "M8"
     ],
     "OWASP Top 10 2021": [
-      "A3"
+      "A1"
     ],
     "PCI DSS 3.2": [
       "6.5.1",

rules/S6363/recommended.adoc

@@ -1,6 +1,7 @@
 == Recommended Secure Coding Practices
 
-It is recommended to disable access to local files for WebViews unless it is
+Avoid opening `file://` URLs from external sources in WebView components. If your application accepts arbitrary URLs
-necessary. In the case of a successful attack through a Cross-Site Scripting
+from external sources, do not enable this functionality. Instead, utilize `androidx.webkit.WebViewAssetLoader` to access
-vulnerability the attackers attack surface decreases drastically if no files
+files, including assets and resources, via `http(s)://` schemes.
-can be read out.
+
+For enhanced security, ensure that the options to load `file://` URLs are explicitly set to false.

rules/S6363/see.adoc

@@ -1,7 +1,9 @@
 == See
 
-* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* Android Documentation - https://developer.android.com/privacy-and-security/risks/webview-unsafe-file-inclusion[WebViews - Unsafe File Inclusion]

rules/S7201/kotlin/metadata.json

@@ -7,7 +7,7 @@
     },
     "attribute": "COMPLETE"
   },
-  "status": "ready",
+  "status": "closed",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "30min"

rules/S7201/metadata.json

@@ -1,2 +1,3 @@
 {
+    "status": "closed"
 }

rules/S7409/kotlin/metadata.json

@@ -1,5 +1,5 @@
 {
-  "title": "Exposing Java interfaces in WebViews is security-sensitive",
+  "title": "Exposing Java objects through JavaScript interfaces is security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "remediation": {

rules/S7409/kotlin/rule.adoc

@@ -1,15 +1,15 @@
-Using Javascript interfaces in WebViews is unsafe as it allows JavaScript to invoke Java methods,
+Using JavaScript interfaces in WebViews to expose Java objects is unsafe. Doing so allows JavaScript
-potentially giving attackers access to data or sensitive app functionality. WebViews might include
+to invoke Java methods, potentially giving attackers access to data or sensitive app functionality.
-untrusted sources such as third-party iframes, making this functionality particularly risky. As
+WebViews might include untrusted sources such as third-party iframes, making this functionality
-Javascript interfaces are passed to every frame in the WebView, those iframes are also able to
+particularly risky. As JavaScript interfaces are passed to every frame in the WebView, those iframes
-access the exposed Java methods.
+are also able to access the exposed Java object.
 
 == Ask Yourself Whether
 
 * The content in the WebView is fully trusted and secure.
 * Potentially untrusted iframes could be loaded in the WebView.
-* The Javascript interface has to be exposed for the entire lifecycle of the WebView.
+* The JavaScript interface has to be exposed for the entire lifecycle of the WebView.
-* The exposed Java methods will accept input from potentially untrusted sources.
+* The exposed Java object might be called by untrusted sources.
 
 There is a risk if you answered yes to any of these questions.
 
@@ -18,9 +18,9 @@ There is a risk if you answered yes to any of these questions.
 === Disable JavaScript
 
 If it is possible to disable JavaScript in the WebView, this is the most secure option. By default,
-JavaScript is disabled in a WebView, so you do not need to explicitly call
+JavaScript is disabled in a WebView, so ``webSettings.setJavaScriptEnabled(false)`` does not need to
-``webSettings.setJavaScriptEnabled(true)`` in your ``WebSettings`` configuration. Of course, sometimes
+be explicitly called. Of course, sometimes it is necessary to enable JavaScript, in which case the
-it is necessary to enable JavaScript, in which case the following recommendations should be considered.
+following recommendations should be considered.
 
 === Remove JavaScript interface when loading untrusted content
 
@@ -63,7 +63,8 @@ class ExampleActivity : AppCompatActivity() {
 
 == Compliant Solution
 
-The most secure option is to disable JavaScript entirely.
+The most secure option is to disable JavaScript entirely. S6362 further explains why it should not be enabled
+unless absolutely necessary.
 
 [source,kotlin]
 ----
@@ -96,7 +97,8 @@ class ExampleActivity : AppCompatActivity() {
 }
 ----
 
-If a JavaScript bridge must be used, consider using ``WebViewCompat.addWebMessageListener`` instead. This allows you to restrict the origins that can send messages to the JavaScript bridge.
+If a JavaScript bridge must be used, consider using ``WebViewCompat.addWebMessageListener`` instead. This allows you to restrict
+the origins that can send messages to the JavaScript bridge.
 
 [source,kotlin]
 ----
@@ -135,3 +137,6 @@ class ExampleActivity : AppCompatActivity() {
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation.html[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration.html[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation]
+
+=== Related rules
+* S6362 - Enabling JavaScript support for WebViews is security-sensitive

rules/S7452/cloudformation/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S7452/cloudformation/rule.adoc

@@ -0,0 +1,51 @@
+include::../description.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,yaml,diff-id=1,diff-type=noncompliant]
+----
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: "mybucketname"
+      Tags:
+        - Key: "anycompany;cost-center" # Noncompliant, semicolon is not allowed
+          Value: "Accounting"
+        - Key: "anycompany:~EnvironmentType~" # Noncompliant, tilde is not allowed
+          Value: "PROD"
+----
+
+==== Compliant solution
+
+[source,yaml,diff-id=1,diff-type=compliant]
+----
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: "mybucketname"
+      Tags:
+        - Key: "anycompany:cost-center"
+          Value: "Accounting"
+        - Key: "anycompany:EnvironmentType"
+          Value: "PROD"
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+endif::env-github,rspecator-view[]

rules/S7452/description.adoc

@@ -0,0 +1,11 @@
+Amazon Web Services (AWS) resources tags are metadata labels with keys and optional values used to categorize and manage resources.
+
+== Why is this an issue?
+
+Proper tagging enhances resource discovery, lifecycle management, and overall productivity within the AWS environment. If tags do not comply with the AWS format, it can lead to confusion and inefficiency in managing resources, as well as unexpected behavior of the system.
+
+AWS resource tags should comply with the format stated in AWS documentation. That is, tag keys should:
+
+* Be between 1 and 128 characters long
+* Consist of Unicode letters, digits, white spaces, and the following characters: `_ . : / = + - @ "`
+* Not start with `aws:`

rules/S7452/message.adoc

@@ -0,0 +1,7 @@
+=== Message
+
+Rename tag key "XXX" to comply with required format.
+
+=== Highlighting
+
+Highlight the key of the tag that has incorrect format.

rules/S7452/metadata.json

@@ -0,0 +1,25 @@
+{
+  "title": "AWS resource tags should have valid format",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+  ],
+  "extra": {
+  },
+  "defaultSeverity": "Minor",
+  "ruleSpecification": "RSPEC-7452",
+  "sqKey": "S7452",
+  "scope": "All",
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "FORMATTED"
+  }
+}

rules/S7452/see.adoc

@@ -0,0 +1,3 @@
+== Resources
+=== Documentation
+* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html[AWS resource tags]

rules/S7452/terraform/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S7452/terraform/rule.adoc

@@ -0,0 +1,43 @@
+include::../description.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,terraform,diff-id=1,diff-type=noncompliant]
+----
+resource "aws_s3_bucket" "examplebucket" {
+  bucket = "mybucketname"
+
+  tags = {
+    "anycompany:~cost-center~" = "Accounting"
+  }
+}
+----
+
+==== Compliant solution
+
+[source,terraform,diff-id=1,diff-type=compliant]
+----
+resource "aws_s3_bucket" "examplebucket" {
+  bucket = "mybucketname"
+
+  tags = {
+    "anycompany:cost-center" = "Accounting"
+  }
+}
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+endif::env-github,rspecator-view[]