JAVASE-9 Update rule metadata (#27)

github-actions[bot] · dorian-burihabwa-sonarsource · web-flow · commit 8594aa6dfb87 · 2025-06-18T15:51:00.000+02:00
Co-authored-by: dorian-burihabwa-sonarsource &lt;dorian-burihabwa-sonarsource@users.noreply.github.com&gt;
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2095.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2095.json
@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2189.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2189.json
@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2689.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2689.json
@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.html
@@ -170,9 +170,13 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)">Top 10 2017 Category A4 - XML External
   Entities (XXE)</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation">Mobile Top 10 2024 Category M4
+  - Insufficient Input/Output Validation</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration">Mobile Top 10 2024 Category M8 - Security
+  Misconfiguration</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/611">CWE-611 - Information Exposure Through XML External Entity Reference</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/827">CWE-827 - Improper Control of Document Type Definition</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222608">Application Security and
   Development: V-222608</a> - The application must not be vulnerable to XML-oriented attacks. </li>
 </ul>
 
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2755.json
@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },
@@ -31,6 +31,10 @@
     "OWASP Top 10 2021": [
       "A5"
     ],
+    "OWASP Mobile Top 10 2024": [
+      "M4",
+      "M8"
+    ],
     "PCI DSS 3.2": [
       "6.5.1"
     ],
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3516.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3516.json
@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html
@@ -52,7 +52,7 @@ <h3>Standards</h3>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/369">CWE-369 - Divide by zero</a> </li>
   <li> <a href="https://wiki.sei.cmu.edu/confluence/x/CTZGBQ">CERT, NUM02-J.</a> - Ensure that division and remainder operations do not result in
   divide-by-zero errors </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222612">Application Security and
   Development: V-222612</a> - The application must not be vulnerable to overflow attacks. </li>
 </ul>
 
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3546.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3546.json
@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6373.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6373.html
@@ -96,9 +96,13 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)">Top 10 2017 - Category A4 - XML External
   Entities (XXE)</a> </li>
   <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 - Category A5 - Security Misconfiguration</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation">Mobile Top 10 2024 Category M4
+  - Insufficient Input/Output Validation</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration">Mobile Top 10 2024 Category M8 - Security
+  Misconfiguration</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/611">CWE-611 - Improper Restriction of XML External Entity Reference</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/827">CWE-827 - Improper Control of Document Type Definition</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222608">Application Security and
   Development: V-222608</a> - The application must not be vulnerable to XML-oriented attacks. </li>
 </ul>
 
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6373.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6373.json
@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },
@@ -30,6 +30,10 @@
     "OWASP Top 10 2021": [
       "A5"
     ],
+    "OWASP Mobile Top 10 2024": [
+      "M4",
+      "M8"
+    ],
     "PCI DSS 3.2": [
       "6.5.1"
     ],
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6376.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6376.html
@@ -84,13 +84,17 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)">Top 10 2017 Category A4 - XML External
   Entities (XXE)</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation">Mobile Top 10 2024 Category M4
+  - Insufficient Input/Output Validation</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration">Mobile Top 10 2024 Category M8 - Security
+  Misconfiguration</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/776">CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity
   Expansion')</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222593">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222593">Application Security and
   Development: V-222593</a> - XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222667">Application Security and
   Development: V-222667</a> - Protections against DoS attacks must be implemented. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222608">Application Security and
   Development: V-222608</a> - The application must not be vulnerable to XML-oriented attacks. </li>
 </ul>
 
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6376.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6376.json
@@ -21,18 +21,30 @@
   "scope": "Main",
   "securityStandards": {
     "CWE": [
-      776
+      611,
+      827
     ],
     "OWASP": [
       "A4"
     ],
     "OWASP Top 10 2021": [
       "A5"
     ],
+    "OWASP Mobile Top 10 2024": [
+      "M4",
+      "M8"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.1"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "5.5.2"
+    ],
     "STIG ASD_V5R3": [
-      "V-222593",
-      "V-222608",
-      "V-222667"
+      "V-222608"
     ]
   },
   "quickfix": "infeasible"
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6377.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S6377.html
@@ -3,7 +3,7 @@
 <h2>Why is this an issue?</h2>
 <p>Before Java 17, XML Digital Signature API does not apply restrictions on XML signature validation unless the application runs with a security
 manager, which is rare.</p>
-<h2>What is the potential impact</h2>
+<h3>What is the potential impact</h3>
 <p>By not enforcing secure validation, the XML Digital Signature API is more susceptible to attacks such as signature spoofing and injections.</p>
 <h3>Increased Vulnerability to Signature Spoofing</h3>
 <p>By disabling secure validation, the application becomes more susceptible to signature spoofing attacks. Attackers can potentially manipulate the
@@ -59,7 +59,7 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/347">CWE-347 - Improper Verification of Cryptographic Signature</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222608">Application Security and
   Development: V-222608</a> - The application must not be vulnerable to XML-oriented attacks. </li>
 </ul>
 
diff --git a/java-symbolic-execution/sonarpedia.json b/java-symbolic-execution/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2024-09-09T13:33:21.851483206Z",
+  "latest-update": "2025-06-18T13:41:37.466638401Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false
