diff --git a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
index 18fceff5ee8..bf8c9df0190 100644
--- a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
+++ b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
@@ -156,6 +156,15 @@
 },
 "uniqueItems": true
 },
+ "OWASP Mobile Top 10 2024": {
+ "type": "array",
+ "minItems": 0,
+ "items": {
+ "type": "string",
+ "pattern": "^M([1-9]|10)$"
+ },
+ "uniqueItems": true
+ },
 "PCI DSS 3.2": {
 "type": "array",
 "minItems": 0,
diff --git a/rules/S2053/common/resources/standards-mobile.adoc b/rules/S2053/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..595876a5871
--- /dev/null
+++ b/rules/S2053/common/resources/standards-mobile.adoc
@@ -0,0 +1,9 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/759[CWE-759 - Use of a One-Way Hash without a Salt]
+* CWE - https://cwe.mitre.org/data/definitions/760[CWE-760 - Use of a One-Way Hash with a Predictable Salt]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.
+
diff --git a/rules/S2053/java/metadata.json b/rules/S2053/java/metadata.json
index 17971333806..9a70551beaa 100644
--- a/rules/S2053/java/metadata.json
+++ b/rules/S2053/java/metadata.json
@@ -1,3 +1,26 @@ { - + "securityStandards": { + "CWE": [ + 759, + 760 + ], + "OWASP": [ + "A3" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "STIG ASD_V5R3": [ + "V-222542" + ] + } } diff --git a/rules/S2053/java/rule.adoc b/rules/S2053/java/rule.adoc index 46dcfeb4624..4e731af0f9c 100644 --- a/rules/S2053/java/rule.adoc +++ b/rules/S2053/java/rule.adoc @@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S2053/kotlin/metadata.json b/rules/S2053/kotlin/metadata.json index 17971333806..77eeae54ca8 100644 --- a/rules/S2053/kotlin/metadata.json +++ b/rules/S2053/kotlin/metadata.json @@ -1,3 +1,26 @@ { - + "securityStandards": { + "CWE": [ + 759, + 760 + ], + "OWASP": [ + "A3" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "STIG ASD_V5R3": [ + "V-222542" + ] + } } diff --git a/rules/S2053/kotlin/rule.adoc b/rules/S2053/kotlin/rule.adoc index 942d6e4804a..91a840627df 100644 --- a/rules/S2053/kotlin/rule.adoc +++ b/rules/S2053/kotlin/rule.adoc @@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S2076/common/resources/standards-mobile.adoc b/rules/S2076/common/resources/standards-mobile.adoc new file mode 100644 index 00000000000..9c78673f0cb --- /dev/null +++ b/rules/S2076/common/resources/standards-mobile.adoc 
@@ -0,0 +1,10 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222604[Application Security and Development: V-222604] - The application must protect from command injection. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S2076/java/metadata.json b/rules/S2076/java/metadata.json index 17971333806..1f3e1f3acf7 100644 --- a/rules/S2076/java/metadata.json +++ b/rules/S2076/java/metadata.json @@ -1,3 +1,33 @@ { - + "securityStandards": { + "CWE": [ + 20, + 78 + ], + "OWASP": [ + "A1" + ], + "OWASP Top 10 2021": [ + "A3" + ], + "OWASP Mobile Top 10 2024": [ + "M4" + ], + "PCI DSS 3.2": [ + "6.5.1" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "12.3.5", + "5.1.3", + "5.1.4", + "5.3.8" + ], + "STIG ASD_V5R3": [ + "V-222604", + "V-222609" + ] + } } diff --git a/rules/S2076/java/rule.adoc b/rules/S2076/java/rule.adoc index 2cb1888e69b..0c8bfd586e2 100644 --- a/rules/S2076/java/rule.adoc +++ b/rules/S2076/java/rule.adoc 
@@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[] include::../common/resources/docs.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S2083/common/resources/standards-mobile.adoc b/rules/S2083/common/resources/standards-mobile.adoc new file mode 100644 index 00000000000..a2ed108caac --- /dev/null +++ b/rules/S2083/common/resources/standards-mobile.adoc @@ -0,0 +1,11 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S2083/java/metadata.json b/rules/S2083/java/metadata.json index 17971333806..7b996c12715 100644 --- a/rules/S2083/java/metadata.json +++ b/rules/S2083/java/metadata.json 
@@ -1,3 +1,33 @@ { - + "securityStandards": { + "CWE": [ + 20, + 22 + ], + "OWASP": [ + "A5", + "A1" + ], + "OWASP Top 10 2021": [ + "A1", + "A3" + ], + "OWASP Mobile Top 10 2024": [ + "M4" + ], + "PCI DSS 3.2": [ + "6.5.8" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "12.3.1", + "5.1.3", + "5.1.4" + ], + "STIG ASD_V5R3": [ + "V-222609" + ] + } } diff --git a/rules/S2083/java/rule.adoc b/rules/S2083/java/rule.adoc index 39451c7fc95..3a6722bf87d 100644 --- a/rules/S2083/java/rule.adoc +++ b/rules/S2083/java/rule.adoc @@ -10,7 +10,7 @@ include::how-to-fix-it/java-se.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S2245/cfamily/metadata.json b/rules/S2245/cfamily/metadata.json index 40c51392294..9e7932cd15f 100644 --- a/rules/S2245/cfamily/metadata.json +++ b/rules/S2245/cfamily/metadata.json @@ -18,12 +18,6 @@ "OWASP": [ "A3" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-6" - ], "OWASP Top 10 2021": [ "A2" ], diff --git a/rules/S2245/cfamily/rule.adoc b/rules/S2245/cfamily/rule.adoc index fc71c968cd7..0904d5af3d6 100644 --- a/rules/S2245/cfamily/rule.adoc +++ b/rules/S2245/cfamily/rule.adoc 
@@ -38,17 +38,8 @@ void f() { } ---- -== See - -* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet] -* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] -* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)] -* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values] -* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength] -* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator] +include::../see.adoc[] + * https://wiki.sei.cmu.edu/confluence/x/UNcxBQ[CERT, MSC30-C.] - Do not use the rand() function for generating pseudorandom numbers * https://wiki.sei.cmu.edu/confluence/x/2ns-BQ[CERT, MSC50-CPP.] - Do not use std::rand() for generating pseudorandom numbers * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator] diff --git a/rules/S2245/java/metadata.json b/rules/S2245/java/metadata.json index 42f220e0b05..c38b3548328 100644 --- a/rules/S2245/java/metadata.json +++ b/rules/S2245/java/metadata.json @@ -17,6 +17,9 @@ "OWASP Mobile": [ "M5" ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], "MASVS": [ "MSTG-CRYPTO-6" ], 
diff --git a/rules/S2245/java/rule.adoc b/rules/S2245/java/rule.adoc index 7f803eaa030..15b86632463 100644 --- a/rules/S2245/java/rule.adoc +++ b/rules/S2245/java/rule.adoc @@ -27,19 +27,12 @@ byte bytes[] = new byte[20]; random.nextBytes(bytes); ---- -== See +include::../see.adoc[] -* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet] -* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] * OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] -* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)] -* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values] -* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength] -* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] * https://wiki.sei.cmu.edu/confluence/x/oTdGBQ[CERT, MSC02-J.] - Generate strong random numbers -* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator] ifdef::env-github,rspecator-view[] diff --git a/rules/S2245/kotlin/metadata.json b/rules/S2245/kotlin/metadata.json index 6afd55ee1cb..0496ddd6502 100644 
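Review bot: After this hunk the Java rule carries no FindSecBugs provenance at all: the `* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]` bullet is deleted here and the see.adoc hunk drops the same bullet from the shared list, while the cfamily rule.adoc hunk keeps its own copy right after `include::../see.adoc[]`. FindSecBugs is a Java analyzer, so retaining the reference only in the C-family variant looks inverted. If the reference is meant to survive, the simplest fix is to leave it in see.adoc so every variant that includes that file keeps it; if dropping it from Java is intentional, the commit message should say why.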
--- a/rules/S2245/kotlin/metadata.json +++ b/rules/S2245/kotlin/metadata.json @@ -1,3 +1,29 @@ { + "securityStandards": { + "CWE": [ + 326, + 330, + 338, + 1241 + ], + "OWASP": [ + "A3" + ], + "OWASP Mobile": [ + "M5" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "MASVS": [ + "MSTG-CRYPTO-6" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "ASVS 4.0": [ + "6.2.4" + ] + }, "quickfix": "unknown" } diff --git a/rules/S2245/kotlin/rule.adoc b/rules/S2245/kotlin/rule.adoc index 5ecb09225d8..603c7548b93 100644 --- a/rules/S2245/kotlin/rule.adoc +++ b/rules/S2245/kotlin/rule.adoc @@ -23,6 +23,10 @@ random.nextBytes(bytes) include::../see.adoc[] +* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S2245/metadata.json b/rules/S2245/metadata.json index 4b0925b6fc0..5fb9f84c034 100644 --- a/rules/S2245/metadata.json +++ b/rules/S2245/metadata.json @@ -37,12 +37,6 @@ "OWASP": [ "A3" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-6" - ], "OWASP Top 10 2021": [ "A2" ], diff --git a/rules/S2245/see.adoc b/rules/S2245/see.adoc index de5e28b4ccb..50d0362e929 100644 --- a/rules/S2245/see.adoc +++ b/rules/S2245/see.adoc 
@@ -3,10 +3,7 @@
 * OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet]
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 * CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)]
 * CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
 * CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
-* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
-* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]
+* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
\ No newline at end of file
diff --git a/rules/S2755/common/resources/standards-mobile.adoc b/rules/S2755/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..844cdbff509
--- /dev/null
+++ b/rules/S2755/common/resources/standards-mobile.adoc
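Review bot: The removed and re-added CWE-1241 lines in this hunk are identical except that the new one lost its trailing newline (`\ No newline at end of file`), so the commit records a whitespace regression on top of the two intended deletions; restoring the final newline would reduce the hunk to just the removed MASVS, Mobile 2016 and FindSecBugs bullets. The same marker appears on the new side of the S4347 java/metadata.json and kotlin/metadata.json hunks, and the other metadata files touched here appear to end with a newline, so all three files should be fixed together. Since see.adoc is pulled in via `include::` and immediately followed by further list items in the java and kotlin rule.adoc files, ending the included file mid-line is also the kind of thing that can surprise later edits.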
@@ -0,0 +1,10 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Information Exposure Through XML External Entity Reference]
+* CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+
diff --git a/rules/S2755/java/metadata.json b/rules/S2755/java/metadata.json
index 22d3a48777b..6c95efca272 100644
--- a/rules/S2755/java/metadata.json
+++ b/rules/S2755/java/metadata.json
@@ -1,4 +1,32 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 611,
+ 827
+ ],
+ "OWASP": [
+ "A4"
+ ],
+ "OWASP Top 10 2021": [
+ "A5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M4",
+ "M8"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.5.2"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222608"
+ ]
+ },
 "quickfix": "infeasible",
 "tags": [
 "cwe",
diff --git a/rules/S2755/java/rule.adoc b/rules/S2755/java/rule.adoc
index 05368bfb912..d2238a37348 100644
--- a/rules/S2755/java/rule.adoc
+++ b/rules/S2755/java/rule.adoc
@@ -18,7 +18,7 @@ include::how-to-fix-it/sax.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S3329/common/resources/standards-mobile.adoc b/rules/S3329/common/resources/standards-mobile.adoc new file mode 100644 index 00000000000..dd0d1dd74a0 --- /dev/null +++ b/rules/S3329/common/resources/standards-mobile.adoc @@ -0,0 +1,11 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/329[CWE-329 - Not Using an Unpredictable IV with CBC Mode] +* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP] +* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation diff --git a/rules/S3329/java/metadata.json b/rules/S3329/java/metadata.json index cda14dd95f5..482c55666ac 100644 --- a/rules/S3329/java/metadata.json +++ b/rules/S3329/java/metadata.json @@ -31,6 +31,9 @@ "OWASP Mobile": [ "M5" ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], "MASVS": [ "MSTG-CRYPTO-3" ] 
diff --git a/rules/S3329/java/rule.adoc b/rules/S3329/java/rule.adoc index 75fad5204d9..adba8a6fe45 100644 --- a/rules/S3329/java/rule.adoc +++ b/rules/S3329/java/rule.adoc @@ -19,10 +19,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] - -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S3329/kotlin/metadata.json b/rules/S3329/kotlin/metadata.json index cda14dd95f5..482c55666ac 100644 --- a/rules/S3329/kotlin/metadata.json +++ b/rules/S3329/kotlin/metadata.json @@ -31,6 +31,9 @@ "OWASP Mobile": [ "M5" ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], "MASVS": [ "MSTG-CRYPTO-3" ] diff --git a/rules/S3329/kotlin/rule.adoc b/rules/S3329/kotlin/rule.adoc index 75fad5204d9..adba8a6fe45 100644 --- a/rules/S3329/kotlin/rule.adoc +++ b/rules/S3329/kotlin/rule.adoc @@ -19,10 +19,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] - -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S3649/common/resources/standards-mobile.adoc b/rules/S3649/common/resources/standards-mobile.adoc new file mode 100644 index 00000000000..6a10a4dc893 --- /dev/null +++ b/rules/S3649/common/resources/standards-mobile.adoc 
@@ -0,0 +1,11 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
+* https://wiki.sei.cmu.edu/confluence/x/ITdGBQ[CERT, IDS00-J.] - Prevent SQL injection
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222607[Application Security and Development: V-222607] - The application must not be vulnerable to SQL Injection.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S3649/java/metadata.json b/rules/S3649/java/metadata.json
index ddd301d3511..da27b1441f9 100644
--- a/rules/S3649/java/metadata.json
+++ b/rules/S3649/java/metadata.json
@@ -1,7 +1,38 @@
 {
- "tags": [
- "cwe",
- "sql",
- "android"
- ]
+ "securityStandards": {
+ "CWE": [
+ 20,
+ 89
+ ],
+ "OWASP": [
+ "A1"
+ ],
+ "OWASP Top 10 2021": [
+ "A3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M4"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.1.3",
+ "5.1.4",
+ "5.3.4",
+ "5.3.5"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222607",
+ "V-222609"
+ ]
+ },
+ "tags": [
+ "cwe",
+ "sql",
+ "android"
+ ]
 }
diff --git a/rules/S3649/java/rule.adoc b/rules/S3649/java/rule.adoc
index b49ffcecb6b..613af9b6095 100644
--- a/rules/S3649/java/rule.adoc
+++ b/rules/S3649/java/rule.adoc
@@ -26,7 +26,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4347/common/resources/standards-mobile.adoc b/rules/S4347/common/resources/standards-mobile.adoc new file mode 100644 index 00000000000..30bc8c170c9 --- /dev/null +++ b/rules/S4347/common/resources/standards-mobile.adoc @@ -0,0 +1,10 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values] +* CWE - https://cwe.mitre.org/data/definitions/332[CWE-332 - Insufficient Entropy in PRNG] +* CWE - https://cwe.mitre.org/data/definitions/336[CWE-336 - Same Seed in Pseudo-Random Number Generator (PRNG)] +* CWE - https://cwe.mitre.org/data/definitions/337[CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)] +* https://wiki.sei.cmu.edu/confluence/display/java/MSC63-J.+Ensure+that+SecureRandom+is+properly+seeded[CERT, MSC63J.] - Ensure that SecureRandom is properly seeded diff --git a/rules/S4347/java/metadata.json b/rules/S4347/java/metadata.json index 9e26dfeeb6e..097d80f3dd5 100644 --- a/rules/S4347/java/metadata.json +++ b/rules/S4347/java/metadata.json 
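Review bot: The CERT bullet on the last line of the new S4347 standards-mobile.adoc is labelled `[CERT, MSC63J.]`, while the link target in the same line reads `MSC63-J.` and every other CERT bullet in this change uses the hyphenated form (`[CERT, IDS00-J.]`, `[CERT, MSC02-J.]`, `[CERT, MSC61-J.]`); the label should be `[CERT, MSC63-J.]`. The text was presumably carried over from the standards.adoc the rule included before, but since this file is created here the typo need not be propagated into it.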
@@ -1 +1,24 @@ -{} \ No newline at end of file +{ + "securityStandards": { + "CWE": [ + 330, + 332, + 336, + 337 + ], + "OWASP": [ + "A6" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "ASVS 4.0": [ + "2.3.1", + "2.6.2", + "2.9.2" + ] + } +} \ No newline at end of file diff --git a/rules/S4347/java/rule.adoc b/rules/S4347/java/rule.adoc index 19179e79f3f..7c984e79c39 100644 --- a/rules/S4347/java/rule.adoc +++ b/rules/S4347/java/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4347/kotlin/metadata.json b/rules/S4347/kotlin/metadata.json index 9e26dfeeb6e..097d80f3dd5 100644 --- a/rules/S4347/kotlin/metadata.json +++ b/rules/S4347/kotlin/metadata.json @@ -1 +1,24 @@ -{} \ No newline at end of file +{ + "securityStandards": { + "CWE": [ + 330, + 332, + 336, + 337 + ], + "OWASP": [ + "A6" + ], + "OWASP Top 10 2021": [ + "A2" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "ASVS 4.0": [ + "2.3.1", + "2.6.2", + "2.9.2" + ] + } +} \ No newline at end of file diff --git a/rules/S4347/kotlin/rule.adoc b/rules/S4347/kotlin/rule.adoc index 1f8b7b4fd52..c82d3e0c447 100644 --- a/rules/S4347/kotlin/rule.adoc +++ b/rules/S4347/kotlin/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4423/azureresourcemanager/metadata.json b/rules/S4423/azureresourcemanager/metadata.json index 03df4cf69d7..398b18e3591 100644 --- a/rules/S4423/azureresourcemanager/metadata.json +++ b/rules/S4423/azureresourcemanager/metadata.json 
@@ -10,14 +10,6 @@ 326, 295 ], - "OWASP": [ - ], - "OWASP Mobile": [ - ], - "MASVS": [ - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", "6.5.4" @@ -27,6 +19,10 @@ "6.2.4" ], "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } diff --git a/rules/S4423/azureresourcemanager/rule.adoc b/rules/S4423/azureresourcemanager/rule.adoc index 0d74a4e717c..b6891b5afbf 100644 --- a/rules/S4423/azureresourcemanager/rule.adoc +++ b/rules/S4423/azureresourcemanager/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards_iac.adoc[] +include::../common/resources/standards-iac.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4423/cloudformation/metadata.json b/rules/S4423/cloudformation/metadata.json index c3dc2e9fd13..3e916066d34 100644 --- a/rules/S4423/cloudformation/metadata.json +++ b/rules/S4423/cloudformation/metadata.json @@ -10,14 +10,6 @@ 326, 295 ], - "OWASP": [ - ], - "OWASP Mobile": [ - ], - "MASVS": [ - ], - "OWASP Top 10 2021": [ - ], "PCI DSS 3.2": [ "4.1", "6.5.4" @@ -27,6 +19,10 @@ "6.2.4" ], "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ ] } } diff --git a/rules/S4423/cloudformation/rule.adoc b/rules/S4423/cloudformation/rule.adoc index 8bde4507213..85f54c8d7ec 100644 --- a/rules/S4423/cloudformation/rule.adoc +++ b/rules/S4423/cloudformation/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards_iac.adoc[] +include::../common/resources/standards-iac.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4423/common/resources/standards_iac.adoc b/rules/S4423/common/resources/standards-iac.adoc similarity index 100% rename from rules/S4423/common/resources/standards_iac.adoc rename to rules/S4423/common/resources/standards-iac.adoc 
diff --git a/rules/S4423/common/resources/standards-mobile.adoc b/rules/S4423/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..bbc61154178
--- /dev/null
+++ b/rules/S4423/common/resources/standards-mobile.adoc
@@ -0,0 +1,10 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S4423/docker/metadata.json b/rules/S4423/docker/metadata.json
index d904c7d105e..1da2c818ea6 100644
--- a/rules/S4423/docker/metadata.json
+++ b/rules/S4423/docker/metadata.json
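Review bot: The MASVS and Mobile Top 10 2016 bullets in the new S4423 standards-mobile.adoc disagree with the metadata this same change adds for the rule: java/metadata.json and kotlin/metadata.json declare `"OWASP Mobile": ["M3"]` and `"MASVS": ["MSTG-NETWORK-2"]`, and the very next bullet maps the rule to 2024 M5 - Insecure Communication, yet the file cites `Mobile Top 10 2016 Category M5 - Insufficient Cryptography` and the `MASVS-CRYPTO` checklist. The two bullets were moved here verbatim from the old java/kotlin rule.adoc, so the mismatch predates this commit, but creating the shared file is the moment to reconcile it. If the metadata is right (the CWE-295 entry and the 2024 M5 mapping suggest it is), the bullets should read `* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]` and `* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]`; otherwise the securityStandards block, which is what tooling consumes, needs to change instead.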
@@ -1,30 +1,27 @@ { "tags": [ - "cwe", - "privacy" + "cwe", + "privacy" ], - "securityStandards": { - "CWE": [ - 327, - 326, - 295 - ], - "OWASP": [], - "OWASP Mobile": [], - "MASVS": [], - "OWASP Top 10 2021": [], - "PCI DSS 3.2": [ - "4.1", - "6.5.4" - ], - "PCI DSS 4.0": [ - "4.2.1", - "6.2.4" - ], - "ASVS 4.0": [ - "8.3.7", - "9.1.2", - "9.1.3" - ] - } -} \ No newline at end of file + "securityStandards": { + "CWE": [ + 327, + 326, + 295 + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + ], + "OWASP": [ + ], + "OWASP Top 10 2021": [ + ] + } +} diff --git a/rules/S4423/docker/rule.adoc b/rules/S4423/docker/rule.adoc index a6d9d457f3c..a358ca281ac 100644 --- a/rules/S4423/docker/rule.adoc +++ b/rules/S4423/docker/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards_iac.adoc[] +include::../common/resources/standards-iac.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S4423/java/metadata.json b/rules/S4423/java/metadata.json index 17971333806..3a390b6bfbf 100644 --- a/rules/S4423/java/metadata.json +++ b/rules/S4423/java/metadata.json @@ -1,3 +1,39 @@ { - + "securityStandards": { + "CWE": [ + 327, + 326, + 295 + ], + "OWASP": [ + "A3", + "A6" + ], + "OWASP Mobile": [ + "M3" + ], + "OWASP Mobile Top 10 2024": [ + "M5" + ], + "MASVS": [ + "MSTG-NETWORK-2" + ], + "OWASP Top 10 2021": [ + "A2", + "A7" + ], + "PCI DSS 3.2": [ + "4.1", + "6.5.4" + ], + "PCI DSS 4.0": [ + "4.2.1", + "6.2.4" + ], + "ASVS 4.0": [ + "8.3.7", + "9.1.2", + "9.1.3" + ] + } } diff --git a/rules/S4423/java/rule.adoc b/rules/S4423/java/rule.adoc index 6f93dac3c73..2fbca0b153b 100644 --- a/rules/S4423/java/rule.adoc +++ b/rules/S4423/java/rule.adoc 
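Review bot: The docker metadata hunk silently drops the three ASVS 4.0 references (`"8.3.7"`, `"9.1.2"`, `"9.1.3"`) and leaves `"ASVS 4.0": [ ]` empty, but because every line of the file is removed and re-added at the same time (the `"tags"` entries reappear byte-identical, so the rewrite is whitespace-only) the removal is easy to miss in review. The azureresourcemanager, cloudformation and terraform hunks show an already-empty ASVS array, so this may be deliberate alignment of the IaC variants, but the java and kotlin metadata added in the same change keep those three values; if the drop is intended, the commit message should say so, otherwise the values should be restored. Splitting the re-indentation from the content change would make the intent reviewable at a glance.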
@@ -21,11 +21,8 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
-* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4423/kotlin/metadata.json b/rules/S4423/kotlin/metadata.json
index 17971333806..3a390b6bfbf 100644
--- a/rules/S4423/kotlin/metadata.json
+++ b/rules/S4423/kotlin/metadata.json
@@ -1,3 +1,39 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 327,
+ 326,
+ 295
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-2"
+ ],
+ "OWASP Top 10 2021": [
+ "A2",
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "8.3.7",
+ "9.1.2",
+ "9.1.3"
+ ]
+ }
 }
diff --git a/rules/S4423/kotlin/rule.adoc b/rules/S4423/kotlin/rule.adoc
index 40f23d21b6c..3e64c22a6f4 100644
--- a/rules/S4423/kotlin/rule.adoc
+++ b/rules/S4423/kotlin/rule.adoc
@@ -21,11 +21,8 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
-* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4423/metadata.json b/rules/S4423/metadata.json
index 0b62919ced5..4fe66b4aed4 100644
--- a/rules/S4423/metadata.json
+++ b/rules/S4423/metadata.json
@@ -38,12 +38,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-2"
- ],
 "OWASP Top 10 2021": [
 "A2",
 "A7"
diff --git a/rules/S4423/terraform/metadata.json b/rules/S4423/terraform/metadata.json
index 07ad8b769ba..05019b990d2 100644
--- a/rules/S4423/terraform/metadata.json
+++ b/rules/S4423/terraform/metadata.json
@@ -12,14 +12,6 @@
 326,
 295
 ],
- "OWASP": [
- ],
- "OWASP Mobile": [
- ],
- "MASVS": [
- ],
- "OWASP Top 10 2021": [
-
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -29,6 +21,10 @@
 "6.2.4"
 ],
 "ASVS 4.0": [
+ ],
+ "OWASP": [
+ ],
+ "OWASP Top 10 2021": [
 ]
 }
 }
diff --git a/rules/S4423/terraform/rule.adoc b/rules/S4423/terraform/rule.adoc
index 0ad75e022e7..5c782cce808 100644
--- a/rules/S4423/terraform/rule.adoc
+++ b/rules/S4423/terraform/rule.adoc
@@ -27,7 +27,7 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards_iac.adoc[]
+include::../common/resources/standards-iac.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4426/common/resources/standards-mobile.adoc b/rules/S4426/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..6d688d05957
--- /dev/null
+++ b/rules/S4426/common/resources/standards-mobile.adoc
@@ -0,0 +1,12 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf[NIST 800-131A] - Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
+* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
+* https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
diff --git a/rules/S4426/common/resources/standards.adoc b/rules/S4426/common/resources/standards.adoc
index b20c8a93c61..c92153804d8 100644
--- a/rules/S4426/common/resources/standards.adoc
+++ b/rules/S4426/common/resources/standards.adoc
@@ -3,8 +3,6 @@
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf[NIST 800-131A] - Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
 * CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
 * CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S4426/java/metadata.json b/rules/S4426/java/metadata.json
index ebf5d2648f4..f4f707cb4d5 100644
--- a/rules/S4426/java/metadata.json
+++ b/rules/S4426/java/metadata.json
@@ -1,4 +1,28 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 326
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "ASVS 4.0": [
+ "6.2.3"
+ ]
+ },
 "tags": [
 "cwe",
 "privacy",
diff --git a/rules/S4426/java/rule.adoc b/rules/S4426/java/rule.adoc
index c825a9e8976..14055c69e0e 100644
--- a/rules/S4426/java/rule.adoc
+++ b/rules/S4426/java/rule.adoc
@@ -18,7 +18,7 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
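Review bot: The new `securityStandards` block in `rules/S4426/java/metadata.json` lists only `"CWE": [326]`, while the `standards-mobile.adoc` added for S4426 in this commit cites both CWE-326 and CWE-327, so the Java variant's metadata and its rendered Resources section disagree. If the per-language block replaces the rule-level `securityStandards` wholesale, which is what the added top-level key appears to do, any CWE or PCI DSS mapping present in `rules/S4426/metadata.json` but absent here is silently dropped for Java; worth checking that list before merging. The kotlin metadata further down the page has the same CWE list and the same question.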
diff --git a/rules/S4426/kotlin/metadata.json b/rules/S4426/kotlin/metadata.json
index 17971333806..8c44c78d840 100644
--- a/rules/S4426/kotlin/metadata.json
+++ b/rules/S4426/kotlin/metadata.json
@@ -1,3 +1,26 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 326
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "ASVS 4.0": [
+ "6.2.3"
+ ]
+ }
 }
diff --git a/rules/S4426/kotlin/rule.adoc b/rules/S4426/kotlin/rule.adoc
index 9db48659106..fb8a1f42c72 100644
--- a/rules/S4426/kotlin/rule.adoc
+++ b/rules/S4426/kotlin/rule.adoc
@@ -18,7 +18,7 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4426/metadata.json b/rules/S4426/metadata.json
index ebe2380d349..9613c80f082 100644
--- a/rules/S4426/metadata.json
+++ b/rules/S4426/metadata.json
@@ -36,12 +36,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-3"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S4790/java/metadata.json b/rules/S4790/java/metadata.json
index 6afd55ee1cb..462bec773f2 100644
--- a/rules/S4790/java/metadata.json
+++ b/rules/S4790/java/metadata.json
@@ -1,3 +1,32 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 1240
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-4"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "3.4",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ]
+ },
 "quickfix": "unknown"
 }
diff --git a/rules/S4790/java/rule.adoc b/rules/S4790/java/rule.adoc
index 1bcb6b15ecb..753fae8e1c7 100644
--- a/rules/S4790/java/rule.adoc
+++ b/rules/S4790/java/rule.adoc
@@ -18,7 +18,7 @@ MessageDigest md2 = MessageDigest.getInstance("SHA1"); // Sensitive
 MessageDigest md1 = MessageDigest.getInstance("SHA-512"); // Compliant
 ----
-include::../see.adoc[]
+include::../see-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4790/kotlin/metadata.json b/rules/S4790/kotlin/metadata.json
index 6afd55ee1cb..462bec773f2 100644
--- a/rules/S4790/kotlin/metadata.json
+++ b/rules/S4790/kotlin/metadata.json
@@ -1,3 +1,32 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 1240
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-4"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "3.4",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ]
+ },
 "quickfix": "unknown"
 }
diff --git a/rules/S4790/kotlin/rule.adoc b/rules/S4790/kotlin/rule.adoc
index 45ac9fdd89a..7d552a27a53 100644
--- a/rules/S4790/kotlin/rule.adoc
+++ b/rules/S4790/kotlin/rule.adoc
@@ -40,7 +40,7 @@ val md2: MessageDigest = MessageDigest.getInstance("SHA1"); // Sensitive
 val md1: MessageDigest = MessageDigest.getInstance("SHA-512"); // Compliant
 ----
-include::../see.adoc[]
+include::../see-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4790/metadata.json b/rules/S4790/metadata.json
index ddc2421bd2c..69c5ef5f24b 100644
--- a/rules/S4790/metadata.json
+++ b/rules/S4790/metadata.json
@@ -31,12 +31,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-4"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S4790/see-mobile.adoc b/rules/S4790/see-mobile.adoc
new file mode 100644
index 00000000000..5f1a5eed2de
--- /dev/null
+++ b/rules/S4790/see-mobile.adoc
@@ -0,0 +1,9 @@
+== See
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/1240[CWE-1240 - Use of a Risky Cryptographic Primitive]
diff --git a/rules/S4790/see.adoc b/rules/S4790/see.adoc
index eb87bf3d7ac..7c229eb25fb 100644
--- a/rules/S4790/see.adoc
+++ b/rules/S4790/see.adoc
@@ -3,6 +3,4 @@
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 * CWE - https://cwe.mitre.org/data/definitions/1240[CWE-1240 - Use of a Risky Cryptographic Primitive]
diff --git a/rules/S4790/swift/metadata.json b/rules/S4790/swift/metadata.json
index 17971333806..08d1317e810 100644
--- a/rules/S4790/swift/metadata.json
+++ b/rules/S4790/swift/metadata.json
@@ -1,3 +1,31 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 1240
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-4"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "3.4",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ]
+ }
 }
diff --git a/rules/S4790/swift/rule.adoc b/rules/S4790/swift/rule.adoc
index fc15de4c0a0..79847a6aa5e 100644
--- a/rules/S4790/swift/rule.adoc
+++ b/rules/S4790/swift/rule.adoc
@@ -23,7 +23,7 @@ let bytes:Array = [0x01, 0x02, 0x03]
 let digest = input.sha512() // Compliant
 ----
-include::../see.adoc[]
+include::../see-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S4830/cfamily/metadata.json b/rules/S4830/cfamily/metadata.json
index 143821015e1..2b3e29c848e 100644
--- a/rules/S4830/cfamily/metadata.json
+++ b/rules/S4830/cfamily/metadata.json
@@ -18,12 +18,6 @@
 "A6",
 "A3"
 ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-3"
- ],
 "OWASP Top 10 2021": [
 "A2",
 "A5",
diff --git a/rules/S4830/common/resources/standards-mobile.adoc b/rules/S4830/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..7d23b4e9c7a
--- /dev/null
+++ b/rules/S4830/common/resources/standards-mobile.adoc
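Review bot: `rules/S4830/cfamily/metadata.json` drops `"OWASP Mobile": ["M3"]` and `"MASVS": ["MSTG-NETWORK-3"]` without adding the `"OWASP Mobile Top 10 2024": ["M5"]` entry that the java and kotlin variants of the same rule receive elsewhere on this page. In the rest of this commit the mobile mappings are removed only from rule-level metadata and re-added on the mobile-language variants, so cfamily is the one language-specific file that loses them outright. If the cfamily analyzer's Objective-C coverage is still treated as mobile, the 2024 mapping belongs here too; if not, the rule.adoc for cfamily, which this commit does not touch, should be checked so its Resources section does not keep citing mobile standards the metadata no longer declares.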
@@ -0,0 +1,13 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication]
+* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
+* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
+
diff --git a/rules/S4830/common/resources/standards.adoc b/rules/S4830/common/resources/standards.adoc
index 9dfbc5f780b..e96dbb6dd33 100644
--- a/rules/S4830/common/resources/standards.adoc
+++ b/rules/S4830/common/resources/standards.adoc
@@ -5,8 +5,6 @@
 * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
-* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
 * CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
 * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
diff --git a/rules/S4830/java/metadata.json b/rules/S4830/java/metadata.json
index fbfba21ad94..cce0c4ad4af 100644
--- a/rules/S4830/java/metadata.json
+++ b/rules/S4830/java/metadata.json
@@ -19,6 +19,9 @@
 "OWASP Mobile": [
 "M3"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
 "MASVS": [
 "MSTG-NETWORK-3"
 ],
diff --git a/rules/S4830/java/rule.adoc b/rules/S4830/java/rule.adoc
index d92e67ca49d..b0a0e191d54 100644
--- a/rules/S4830/java/rule.adoc
+++ b/rules/S4830/java/rule.adoc
@@ -12,7 +12,7 @@ include::how-to-fix-it/java-cryptography-extension.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 * https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
diff --git a/rules/S4830/kotlin/metadata.json b/rules/S4830/kotlin/metadata.json
index 17971333806..e5e18dbfc58 100644
--- a/rules/S4830/kotlin/metadata.json
+++ b/rules/S4830/kotlin/metadata.json
@@ -1,3 +1,41 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 295
+ ],
+ "OWASP": [
+ "A6",
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2",
+ "A5",
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4",
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "1.9.2",
+ "9.2.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222550"
+ ]
+ }
 }
diff --git a/rules/S4830/kotlin/rule.adoc b/rules/S4830/kotlin/rule.adoc
index d92e67ca49d..b0a0e191d54 100644
--- a/rules/S4830/kotlin/rule.adoc
+++ b/rules/S4830/kotlin/rule.adoc
@@ -12,7 +12,7 @@ include::how-to-fix-it/java-cryptography-extension.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 * https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
diff --git a/rules/S4830/metadata.json b/rules/S4830/metadata.json
index ed5df7ba49b..dd25281f4cc 100644
--- a/rules/S4830/metadata.json
+++ b/rules/S4830/metadata.json
@@ -37,12 +37,6 @@
 "A6",
 "A3"
 ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-3"
- ],
 "OWASP Top 10 2021": [
 "A2",
 "A5",
diff --git a/rules/S5320/metadata.json b/rules/S5320/metadata.json
index 002c09bc5d1..d40744432fc 100644
--- a/rules/S5320/metadata.json
+++ b/rules/S5320/metadata.json
@@ -31,6 +31,10 @@
 "OWASP Mobile": [
 "M1"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M3",
+ "M8"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-4"
 ],
diff --git a/rules/S5320/see.adoc b/rules/S5320/see.adoc
index 64ba054c5d7..953c39c1ebc 100644
--- a/rules/S5320/see.adoc
+++ b/rules/S5320/see.adoc
@@ -2,5 +2,7 @@
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/927[CWE-927 - Use of Implicit Intent for Sensitive Communication]
 * https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions[Android documentation] - Broadcast Overview - Security considerations and best practices
\ No newline at end of file
diff --git a/rules/S5322/metadata.json b/rules/S5322/metadata.json
index fcc9b48106c..1c15f824dfa 100644
--- a/rules/S5322/metadata.json
+++ b/rules/S5322/metadata.json
@@ -32,6 +32,10 @@
 "OWASP Mobile": [
 "M1"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M3",
+ "M4"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-2"
 ]
diff --git a/rules/S5322/see.adoc b/rules/S5322/see.adoc
index 49b06ee7f36..e100c7d444b 100644
--- a/rules/S5322/see.adoc
+++ b/rules/S5322/see.adoc
@@ -2,6 +2,8 @@
 * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
 * CWE - https://cwe.mitre.org/data/definitions/925[CWE-925 - Improper Verification of Intent by Broadcast Receiver]
 * CWE - https://cwe.mitre.org/data/definitions/926[CWE-926 - Improper Export of Android Application Components]
 * https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions[Android documentation] - Broadcast Overview - Security considerations and best practices
diff --git a/rules/S5324/metadata.json b/rules/S5324/metadata.json
index 72d7c16ca74..44870b79e00 100644
--- a/rules/S5324/metadata.json
+++ b/rules/S5324/metadata.json
@@ -31,6 +31,9 @@
 "OWASP Mobile": [
 "M2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M9"
+ ],
 "MASVS": [
 "MSTG-STORAGE-1"
 ],
diff --git a/rules/S5324/see.adoc b/rules/S5324/see.adoc
index 48d8b28276a..18fd6c747b9 100644
--- a/rules/S5324/see.adoc
+++ b/rules/S5324/see.adoc
@@ -4,4 +4,5 @@
 * https://developer.android.com/privacy-and-security/security-tips#ExternalStorage[Android Security tips on external file storage]
 * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage]
 * CWE - https://cwe.mitre.org/data/definitions/312[CWE-312 - Cleartext Storage of Sensitive Information]
diff --git a/rules/S5332/ansible/metadata.json b/rules/S5332/ansible/metadata.json
index b290eb96d5b..93df390c272 100644
--- a/rules/S5332/ansible/metadata.json
+++ b/rules/S5332/ansible/metadata.json
@@ -3,18 +3,6 @@
 "CWE": [
 200,
 319
- ],
- "OWASP": [
-
- ],
- "OWASP Mobile": [
-
- ],
- "MASVS": [
-
- ],
- "OWASP Top 10 2021": [
-
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -23,9 +11,6 @@
 "PCI DSS 4.0": [
 "4.2.1",
 "6.2.4"
- ],
- "ASVS 4.0": [
-
 ],
 "STIG ASD_V5R3": [
 "V-222397",
@@ -37,6 +22,12 @@
 "V-222597",
 "V-222598",
 "V-222599"
+ ],
+ "ASVS 4.0": [
+ ],
+ "OWASP": [
+ ],
+ "OWASP Top 10 2021": [
 ]
 }
 }
\ No newline at end of file
diff --git a/rules/S5332/azureresourcemanager/metadata.json b/rules/S5332/azureresourcemanager/metadata.json
index ede079338cd..9e86558a636 100644
--- a/rules/S5332/azureresourcemanager/metadata.json
+++ b/rules/S5332/azureresourcemanager/metadata.json
@@ -6,18 +6,6 @@
 "CWE": [
 200,
 319
- ],
- "OWASP": [
-
- ],
- "OWASP Mobile": [
-
- ],
- "MASVS": [
-
- ],
- "OWASP Top 10 2021": [
-
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -26,9 +14,6 @@
 "PCI DSS 4.0": [
 "4.2.1",
 "6.2.4"
- ],
- "ASVS 4.0": [
-
 ],
 "STIG ASD_V5R3": [
 "V-222397",
@@ -40,6 +25,12 @@
 "V-222597",
 "V-222598",
 "V-222599"
+ ],
+ "ASVS 4.0": [
+ ],
+ "OWASP": [
+ ],
+ "OWASP Top 10 2021": [
 ]
 }
 }
diff --git a/rules/S5332/cloudformation/metadata.json b/rules/S5332/cloudformation/metadata.json
index 8a14dd8d540..6eb9a007da6 100644
--- a/rules/S5332/cloudformation/metadata.json
+++ b/rules/S5332/cloudformation/metadata.json
@@ -7,18 +7,6 @@
 "CWE": [
 200,
 319
- ],
- "OWASP": [
-
- ],
- "OWASP Mobile": [
-
- ],
- "MASVS": [
-
- ],
- "OWASP Top 10 2021": [
-
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -27,9 +15,6 @@
 "PCI DSS 4.0": [
 "4.2.1",
 "6.2.4"
- ],
- "ASVS 4.0": [
-
 ],
 "STIG ASD_V5R3": [
 "V-222397",
@@ -41,6 +26,12 @@
 "V-222597",
 "V-222598",
 "V-222599"
+ ],
+ "ASVS 4.0": [
+ ],
+ "OWASP": [
+ ],
+ "OWASP Top 10 2021": [
 ]
 }
 }
diff --git a/rules/S5332/common/resources/standards-mobile.adoc b/rules/S5332/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..e980c83fd46
--- /dev/null
+++ b/rules/S5332/common/resources/standards-mobile.adoc
@@ -0,0 +1,18 @@
+=== Standards
+
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397[Application Security and Development: V-222397] - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534[Application Security and Development: V-222534] - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562[Application Security and Development: V-222562] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563[Application Security and Development: V-222563] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577[Application Security and Development: V-222577] - The application must not expose session IDs.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596[Application Security and Development: V-222596] - The application must protect the confidentiality and integrity of transmitted information.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597[Application Security and Development: V-222597] - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598[Application Security and Development: V-222598] - The application must maintain the confidentiality and integrity of information during preparation for transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599[Application Security and Development: V-222599] - The application must maintain the confidentiality and integrity of information during reception.
diff --git a/rules/S5332/common/resources/standards.adoc b/rules/S5332/common/resources/standards.adoc
index 47c10b53a17..419de525c3a 100644
--- a/rules/S5332/common/resources/standards.adoc
+++ b/rules/S5332/common/resources/standards.adoc
@@ -2,8 +2,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
 * CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
 * CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
 * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397[Application Security and Development: V-222397] - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
diff --git a/rules/S5332/docker/metadata.json b/rules/S5332/docker/metadata.json
index eea9e472203..bd2807ea227 100644
--- a/rules/S5332/docker/metadata.json
+++ b/rules/S5332/docker/metadata.json
@@ -7,18 +7,6 @@
 "CWE": [
 200,
 319
- ],
- "OWASP": [
-
- ],
- "OWASP Mobile": [
-
- ],
- "MASVS": [
-
- ],
- "OWASP Top 10 2021": [
-
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -27,9 +15,6 @@
 "PCI DSS 4.0": [
 "4.2.1",
 "6.2.4"
- ],
- "ASVS 4.0": [
-
 ],
 "STIG ASD_V5R3": [
 "V-222397",
@@ -41,6 +26,12 @@
 "V-222597",
 "V-222598",
 "V-222599"
+ ],
+ "ASVS 4.0": [
+ ],
+ "OWASP": [
+ ],
+ "OWASP Top 10 2021": [
 ]
 }
 }
diff --git a/rules/S5332/java/metadata.json b/rules/S5332/java/metadata.json
index 765feecc849..4332cea175d 100644
--- a/rules/S5332/java/metadata.json
+++ b/rules/S5332/java/metadata.json
@@ -1,4 +1,49 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-1"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "1.9.1",
+ "9.1.1",
+ "9.2.2"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ },
 "quickfix": "unknown",
 "tags": [
 "cwe",
diff --git a/rules/S5332/java/rule.adoc b/rules/S5332/java/rule.adoc
index 70e14c40c01..67a6b1a2ffa 100644
--- a/rules/S5332/java/rule.adoc
+++ b/rules/S5332/java/rule.adoc
@@ -83,7 +83,13 @@ webView.getSettings().setMixedContentMode(MIXED_CONTENT_NEVER_ALLOW);
 include::../exceptions.adoc[]
-include::../see.adoc[]
+== See
+
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/kotlin/metadata.json b/rules/S5332/kotlin/metadata.json
index 765feecc849..4332cea175d 100644
--- a/rules/S5332/kotlin/metadata.json
+++ b/rules/S5332/kotlin/metadata.json
@@ -1,4 +1,49 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-1"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "1.9.1",
+ "9.1.1",
+ "9.2.2"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ },
 "quickfix": "unknown",
 "tags": [
 "cwe",
diff --git a/rules/S5332/kotlin/rule.adoc b/rules/S5332/kotlin/rule.adoc
index b799c268041..6dd11969015 100644
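Review bot: The new `== See` section in java/rule.adoc includes `../common/resources/documentation.adoc[]` and `../common/resources/articles.adoc[]`, but the only S5332 resources file created in this diff is standards-mobile.adoc, so both must already exist for the page to render and for nothing from the dropped `../see.adoc` to be lost. Please confirm they exist and that every link the old see.adoc carried is present in one of the three includes; kotlin/rule.adoc makes the identical change further down and needs the same check.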
--- a/rules/S5332/kotlin/rule.adoc
+++ b/rules/S5332/kotlin/rule.adoc
@@ -83,7 +83,13 @@ webView.getSettings().setMixedContentMode(MIXED_CONTENT_NEVER_ALLOW)
 include::../exceptions.adoc[]
-include::../see.adoc[]
+== See
+
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/kubernetes/metadata.json b/rules/S5332/kubernetes/metadata.json
index ede079338cd..9e86558a636 100644
--- a/rules/S5332/kubernetes/metadata.json
+++ b/rules/S5332/kubernetes/metadata.json
@@ -6,18 +6,6 @@
 "CWE": [
 200,
 319
- ],
- "OWASP": [
-
- ],
- "OWASP Mobile": [
-
- ],
- "MASVS": [
-
- ],
- "OWASP Top 10 2021": [
-
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -26,9 +14,6 @@
 "PCI DSS 4.0": [
 "4.2.1",
 "6.2.4"
- ],
- "ASVS 4.0": [
-
 ],
 "STIG ASD_V5R3": [
 "V-222397",
@@ -40,6 +25,12 @@
 "V-222597",
 "V-222598",
 "V-222599"
+ ],
+ "ASVS 4.0": [
+ ],
+ "OWASP": [
+ ],
+ "OWASP Top 10 2021": [
 ]
 }
 }
diff --git a/rules/S5332/metadata.json b/rules/S5332/metadata.json
index 1c4aa906db2..15ea1af202e 100644
--- a/rules/S5332/metadata.json
+++ b/rules/S5332/metadata.json
@@ -31,12 +31,6 @@
 "OWASP": [
 "A3"
 ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-1"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S5332/terraform/metadata.json b/rules/S5332/terraform/metadata.json
index 87d4f17df23..5f5c8e80edc 100644
--- a/rules/S5332/terraform/metadata.json
+++ b/rules/S5332/terraform/metadata.json
@@ -9,18 +9,6 @@
 "CWE": [
 200,
 319
- ],
- "OWASP": [
-
- ],
- "OWASP Mobile": [
-
- ],
- "MASVS": [
-
- ],
- "OWASP Top 10 2021": [
-
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -29,9 +17,6 @@
 "PCI DSS 4.0": [
 "4.2.1",
 "6.2.4"
- ],
- "ASVS 4.0": [
-
 ],
 "STIG ASD_V5R3": [
 "V-222397",
@@ -43,6 +28,12 @@
 "V-222597",
 "V-222598",
 "V-222599"
+ ],
+ "ASVS 4.0": [
+ ],
+ "OWASP": [
+ ],
+ "OWASP Top 10 2021": [
 ]
 }
 }
diff --git a/rules/S5332/xml/metadata.json b/rules/S5332/xml/metadata.json
index 765feecc849..4332cea175d 100644
--- a/rules/S5332/xml/metadata.json
+++ b/rules/S5332/xml/metadata.json
@@ -1,4 +1,49 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-1"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "1.9.1",
+ "9.1.1",
+ "9.2.2"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ },
 "quickfix": "unknown",
 "tags": [
 "cwe",
diff --git a/rules/S5344/common/resources/standards-mobile.adoc b/rules/S5344/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..bf9e0eefc46
--- /dev/null
+++ b/rules/S5344/common/resources/standards-mobile.adoc
@@ -0,0 +1,10 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/256[CWE-256 - Plaintext Storage of a Password]
+* CWE - https://cwe.mitre.org/data/definitions/916[CWE-916 - Use of Password Hash With Insufficient Computational Effort]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.
+
diff --git a/rules/S5344/java/metadata.json b/rules/S5344/java/metadata.json
index 17971333806..eb184e5efaa 100644
--- a/rules/S5344/java/metadata.json
+++ b/rules/S5344/java/metadata.json
@@ -1,3 +1,35 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 256,
+ 916
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2",
+ "A4"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.3"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.3",
+ "2.4.1",
+ "2.4.2",
+ "2.4.3",
+ "2.4.4",
+ "2.4.5"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222542"
+ ]
+ }
 }
diff --git a/rules/S5344/java/rule.adoc b/rules/S5344/java/rule.adoc
index cd62d8fad25..fde30dc8bcb 100644
--- a/rules/S5344/java/rule.adoc
+++ b/rules/S5344/java/rule.adoc
@@ -62,7 +62,7 @@ include::../common/pitfalls/pre-hashing.adoc[]
 * Spring Framework Security Documentation - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[Class BCryptPasswordEncoder]
 * OWASP CheatSheet - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[Password Storage Cheat Sheet]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5527/common/resources/standards-mobile.adoc b/rules/S5527/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..d391db09871
--- /dev/null
+++ b/rules/S5527/common/resources/standards-mobile.adoc
@@ -0,0 +1,13 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/297[CWE-297 - Improper Validation of Certificate with Host Mismatch]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
+
diff --git a/rules/S5527/common/resources/standards.adoc b/rules/S5527/common/resources/standards.adoc
index 7505700e900..235efd95db8 100644
--- a/rules/S5527/common/resources/standards.adoc
+++ b/rules/S5527/common/resources/standards.adoc
@@ -5,8 +5,6 @@
 * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
-* OWASP - https://mas.owasp.org/checklists/MASVS-NETWORK/[Mobile AppSec Verification Standard - Network Communication Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
 * CWE - https://cwe.mitre.org/data/definitions/297[CWE-297 - Improper Validation of Certificate with Host Mismatch]
 * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
diff --git a/rules/S5527/java/metadata.json b/rules/S5527/java/metadata.json
index 2c63c085104..8ce582184d2 100644
--- a/rules/S5527/java/metadata.json
+++ b/rules/S5527/java/metadata.json
@@ -1,2 +1,37 @@
 {
+ "securityStandards": {
+ "CWE": [
+ 297
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2",
+ "A5",
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4",
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222550"
+ ]
+ }
 }
diff --git a/rules/S5527/java/rule.adoc b/rules/S5527/java/rule.adoc
index 90fd094d79a..5e55b067ca3 100644
--- a/rules/S5527/java/rule.adoc
+++ b/rules/S5527/java/rule.adoc
@@ -16,7 +16,7 @@ include::how-to-fix-it/java-ee.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 * https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
diff --git a/rules/S5527/kotlin/metadata.json b/rules/S5527/kotlin/metadata.json
index 17971333806..dd52e0789e3 100644
--- a/rules/S5527/kotlin/metadata.json
+++ b/rules/S5527/kotlin/metadata.json
@@ -1,3 +1,37 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 297
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M5"
+ ],
+ "MASVS": [
+ "MSTG-NETWORK-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2",
+ "A5",
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4",
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222550"
+ ]
+ }
 }
diff --git a/rules/S5527/kotlin/rule.adoc b/rules/S5527/kotlin/rule.adoc
index 49ad80e5ef3..4a239183bc3 100644
--- a/rules/S5527/kotlin/rule.adoc
+++ b/rules/S5527/kotlin/rule.adoc
@@ -12,7 +12,7 @@ include::how-to-fix-it/ok-http.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 * https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
diff --git a/rules/S5527/metadata.json b/rules/S5527/metadata.json
index 05cb6f6497c..0cce5b25a95 100644
--- a/rules/S5527/metadata.json
+++ b/rules/S5527/metadata.json
@@ -37,12 +37,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-3"
- ],
 "OWASP Top 10 2021": [
 "A2",
 "A5",
diff --git a/rules/S5542/cfamily/metadata.json b/rules/S5542/cfamily/metadata.json
index 165f719b92d..6acca407236 100644
--- a/rules/S5542/cfamily/metadata.json
+++ b/rules/S5542/cfamily/metadata.json
@@ -16,12 +16,6 @@
 "A6",
 "A3"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-3"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S5542/common/resources/standards-mobile.adoc b/rules/S5542/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..b3ecdd1f967
--- /dev/null
+++ b/rules/S5542/common/resources/standards-mobile.adoc
@@ -0,0 +1,9 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
diff --git a/rules/S5542/java/metadata.json b/rules/S5542/java/metadata.json
index 2ce2cae2a0e..3ade256a00e 100644
--- a/rules/S5542/java/metadata.json
+++ b/rules/S5542/java/metadata.json
@@ -14,6 +14,9 @@
 "OWASP Mobile": [
 "M5"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
 "MASVS": [
 "MSTG-CRYPTO-3"
 ],
diff --git a/rules/S5542/java/rule.adoc b/rules/S5542/java/rule.adoc
index 6201313b98f..b3f8b45cc89 100644
--- a/rules/S5542/java/rule.adoc
+++ b/rules/S5542/java/rule.adoc
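Review bot: The new S5542 standards page links CWE-327 only, while the kotlin metadata added in the next hunk maps the rule to `"CWE": [327, 780]`, so the rendered Resources list and the exported standards disagree on what the rule covers. Either add a bullet for CWE-780 in the same form as the existing one, `* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - <official CWE title>]`, or drop 780 from the metadata if it is not meant to be surfaced; the java metadata's CWE list is outside this diff and should be checked for the same mismatch. This file also lacks the trailing blank line that the other standards-mobile.adoc files created in this diff end with.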
@@ -19,11 +19,8 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
-* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
diff --git a/rules/S5542/kotlin/metadata.json b/rules/S5542/kotlin/metadata.json
index 544b7b4ddde..4be9cf77921 100644
--- a/rules/S5542/kotlin/metadata.json
+++ b/rules/S5542/kotlin/metadata.json
@@ -1,3 +1,38 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 327,
+ 780
+ ],
+ "OWASP": [
+ "A6",
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.9.3",
+ "6.2.2",
+ "8.3.7"
+ ]
+ }
 }
\ No newline at end of file
diff --git a/rules/S5542/kotlin/rule.adoc b/rules/S5542/kotlin/rule.adoc
index 566ee2e0b81..5c956fdfcb5 100644
--- a/rules/S5542/kotlin/rule.adoc
+++ b/rules/S5542/kotlin/rule.adoc
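Review bot: kotlin/metadata.json is regenerated from an empty object into a full standards block but still ends without a trailing newline, as the `\ No newline at end of file` marker on the closing brace shows; S5547/kotlin/metadata.json later in this diff has the same. Adding the final newline while the file is being rewritten keeps it consistent with the java and swift siblings and avoids a spurious end-of-file change in the next diff that touches it.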
@@ -19,11 +19,8 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/presentations.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
-* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
 * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5542/metadata.json b/rules/S5542/metadata.json
index 6f7f96febdb..e05eb14b401 100644
--- a/rules/S5542/metadata.json
+++ b/rules/S5542/metadata.json
@@ -37,12 +37,6 @@
 "A6",
 "A3"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-3"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S5547/cfamily/metadata.json b/rules/S5547/cfamily/metadata.json
index 2ddbf46c844..46de0819e5c 100644
--- a/rules/S5547/cfamily/metadata.json
+++ b/rules/S5547/cfamily/metadata.json
@@ -16,12 +16,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-3"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S5547/common/resources/standards-mobile.adoc b/rules/S5547/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..d9ca56e61b7
--- /dev/null
+++ b/rules/S5547/common/resources/standards-mobile.adoc
@@ -0,0 +1,11 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222396[Application Security and Development: V-222396] - The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
+
diff --git a/rules/S5547/java/metadata.json b/rules/S5547/java/metadata.json
index d5c11b387b0..a1e53be6f9a 100644
--- a/rules/S5547/java/metadata.json
+++ b/rules/S5547/java/metadata.json
@@ -14,6 +14,9 @@
 "OWASP Mobile": [
 "M5"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
 "MASVS": [
 "MSTG-CRYPTO-3"
 ],
diff --git a/rules/S5547/java/rule.adoc b/rules/S5547/java/rule.adoc
index 89ba5ff775d..fe13213228e 100644
--- a/rules/S5547/java/rule.adoc
+++ b/rules/S5547/java/rule.adoc
@@ -12,7 +12,7 @@ include::how-to-fix-it/java-cryptography-extension.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
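Review bot: This page lists CWE-327 only, but the kotlin and swift metadata created later in this diff map S5547 to `"CWE": [327, 326]`, so CWE-326 appears in the standards export without a matching link in the documentation users see. Add `* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - <official CWE title>]` next to the CWE-327 bullet, or remove 326 from the metadata, so the two sources stay in sync; whether the pre-existing common standards.adoc has the same gap is not visible from here.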
diff --git a/rules/S5547/kotlin/metadata.json b/rules/S5547/kotlin/metadata.json
index 544b7b4ddde..cd04068a4ff 100644
--- a/rules/S5547/kotlin/metadata.json
+++ b/rules/S5547/kotlin/metadata.json
@@ -1,3 +1,42 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 327,
+ 326
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "6.2.2",
+ "6.2.3",
+ "6.2.5",
+ "8.3.7"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222396"
+ ]
+ }
 }
\ No newline at end of file
diff --git a/rules/S5547/kotlin/rule.adoc b/rules/S5547/kotlin/rule.adoc
index a6f24da4ff8..fe13213228e 100644
--- a/rules/S5547/kotlin/rule.adoc
+++ b/rules/S5547/kotlin/rule.adoc
@@ -12,10 +12,7 @@ include::how-to-fix-it/java-cryptography-extension.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
-
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5547/metadata.json b/rules/S5547/metadata.json
index fae0e12d0f9..5f5d83ede1e 100644
--- a/rules/S5547/metadata.json
+++ b/rules/S5547/metadata.json
@@ -37,12 +37,6 @@
 "A3",
 "A6"
 ],
- "OWASP Mobile": [
- "M5"
- ],
- "MASVS": [
- "MSTG-CRYPTO-3"
- ],
 "OWASP Top 10 2021": [
 "A2"
 ],
diff --git a/rules/S5547/swift/metadata.json b/rules/S5547/swift/metadata.json
index 17971333806..ab7ec9021bd 100644
--- a/rules/S5547/swift/metadata.json
+++ b/rules/S5547/swift/metadata.json
@@ -1,3 +1,42 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 327,
+ 326
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-3"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "6.2.2",
+ "6.2.3",
+ "6.2.5",
+ "8.3.7"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222396"
+ ]
+ }
 }
diff --git a/rules/S5547/swift/rule.adoc b/rules/S5547/swift/rule.adoc
index 8d2755a9a55..7510a1995fc 100644
--- a/rules/S5547/swift/rule.adoc
+++ b/rules/S5547/swift/rule.adoc
@@ -16,7 +16,7 @@ include::how-to-fix-it/cryptoswift.adoc[]
 == Resources
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5594/xml/metadata.json b/rules/S5594/xml/metadata.json
index ee467ccb58b..c9997ec036f 100644
--- a/rules/S5594/xml/metadata.json
+++ b/rules/S5594/xml/metadata.json
@@ -36,6 +36,9 @@
 "OWASP Mobile": [
 "M2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M8"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-1"
 ],
diff --git a/rules/S5594/xml/rule.adoc b/rules/S5594/xml/rule.adoc
index 88e8335982c..583b2d384b5 100644
--- a/rules/S5594/xml/rule.adoc
+++ b/rules/S5594/xml/rule.adoc
@@ -133,6 +133,8 @@ When targeting Android API versions lower than 12, intent filters will cause ``+
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+
 * CWE - https://cwe.mitre.org/data/definitions/926[CWE-926 - Improper Export of Android Application Components]
diff --git a/rules/S5604/xml/metadata.json b/rules/S5604/xml/metadata.json
index 9f73be0a56e..58446be8352 100644
--- a/rules/S5604/xml/metadata.json
+++ b/rules/S5604/xml/metadata.json
@@ -12,6 +12,10 @@
 "OWASP Mobile": [
 "M1"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M6",
+ "M8"
+ ],
 "MASVS": [
 "MSTG-PLATFORM-1"
 ],
diff --git a/rules/S5604/xml/rule.adoc b/rules/S5604/xml/rule.adoc
index 6aedda53058..3ae3da5875a 100644
--- a/rules/S5604/xml/rule.adoc
+++ b/rules/S5604/xml/rule.adoc
@@ -33,6 +33,8 @@ In AndroidManifest.xml:
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m6-inadequate-privacy-controls[Mobile Top 10 2024 Category M6 - Inadequate Privacy Controls]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
 * https://developer.android.com/training/permissions/usage-notes[developer.android.com] - App permissions best practices
 * https://play.google.com/about/privacy-security-deception/permissions/[Google Play] - Privacy, Security, and Deception - Permissions
diff --git a/rules/S5883/common/resources/standards-mobile.adoc b/rules/S5883/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..37c20fd0131
--- /dev/null
+++ b/rules/S5883/common/resources/standards-mobile.adoc
@@ -0,0 +1,9 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5883/java/metadata.json b/rules/S5883/java/metadata.json
index 17971333806..3137a603ed5 100644
--- a/rules/S5883/java/metadata.json
+++ b/rules/S5883/java/metadata.json
@@ -1,3 +1,30 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 20,
+ 88
+ ],
+ "OWASP": [
+ "A1"
+ ],
+ "OWASP Top 10 2021": [
+ "A3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M4"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.1.3",
+ "5.1.4"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222609"
+ ]
+ }
 }
diff --git a/rules/S5883/java/rule.adoc b/rules/S5883/java/rule.adoc
index 88ce2ce3bd4..9bd15e8d4b2 100644
--- a/rules/S5883/java/rule.adoc
+++ b/rules/S5883/java/rule.adoc
@@ -15,7 +15,7 @@ include::how-to-fix-it/apache-commons.adoc[]
 include::../common/resources/docs.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6096/common/resources/standards-mobile.adoc b/rules/S6096/common/resources/standards-mobile.adoc
new file mode 100644
index 00000000000..a2ed108caac
--- /dev/null
+++ b/rules/S6096/common/resources/standards-mobile.adoc
@@ -0,0 +1,11 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6096/java/metadata.json b/rules/S6096/java/metadata.json
index 17971333806..b9dd3312303 100644
--- a/rules/S6096/java/metadata.json
+++ b/rules/S6096/java/metadata.json
@@ -1,3 +1,34 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 20,
+ 22
+ ],
+ "OWASP": [
+ "A5",
+ "A1"
+ ],
+ "OWASP Top 10 2021": [
+ "A1",
+ "A3"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M4"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1",
+ "6.5.8"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "12.3.4",
+ "5.1.3",
+ "5.1.4"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222609"
+ ]
+ }
 }
diff --git a/rules/S6096/java/rule.adoc b/rules/S6096/java/rule.adoc
index 5a96d91ce5f..b9ecb7a9041 100644
--- a/rules/S6096/java/rule.adoc
+++ b/rules/S6096/java/rule.adoc
@@ -10,7 +10,7 @@ include::how-to-fix-it/java-se.adoc[]
 include::../common/resources/articles.adoc[]
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6288/java/metadata.json b/rules/S6288/java/metadata.json
index 17971333806..6b813edbae9 100644
--- a/rules/S6288/java/metadata.json
+++ b/rules/S6288/java/metadata.json
@@ -1,3 +1,29 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 522
+ ],
+ "OWASP Mobile": [
+ "M4"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M3",
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-AUTH-1"
+ ],
+ "OWASP Top 10 2021": [
+ "A4"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.8"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.3"
+ ]
+ }
 }
diff --git a/rules/S6288/kotlin/metadata.json b/rules/S6288/kotlin/metadata.json
index 17971333806..c74b1beace9 100644
--- a/rules/S6288/kotlin/metadata.json
+++ b/rules/S6288/kotlin/metadata.json
@@ -1,3 +1,29 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 522
+ ],
+ "OWASP Mobile": [
+ "M4"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M3",
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-AUTH-1"
+ ],
+ "OWASP Top 10 2021": [
+ "A4"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.8"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.3"
+ ]
+ }
 }
diff --git a/rules/S6288/metadata.json b/rules/S6288/metadata.json
index 969baad1bd3..96fa1581735 100644
--- a/rules/S6288/metadata.json
+++ b/rules/S6288/metadata.json
@@ -32,12 +32,6 @@
 "CWE": [
 522
 ],
- "OWASP Mobile": [
- "M4"
- ],
- "MASVS": [
- "MSTG-AUTH-1"
- ],
 "OWASP Top 10 2021": [
 "A4"
 ],
diff --git a/rules/S6288/see.adoc b/rules/S6288/see.adoc
index 099a84ccab0..785c17fc33e 100644
--- a/rules/S6288/see.adoc
+++ b/rules/S6288/see.adoc
@@ -1,8 +1,10 @@
 == See
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
-* https://developer.android.com/privacy-and-security/keystore[developer.android.com] - Android keystore system
-* https://developer.android.com/privacy-and-security/keystore#UserAuthentication[developer.android.com] - Require user authentication for key use
 * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Authentication and Session Management Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication[Mobile Top 10 2016 Category M4 - Insecure Authentication]
-* CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials]
\ No newline at end of file
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials]
+* https://developer.android.com/privacy-and-security/keystore[developer.android.com] - Android keystore system
+* https://developer.android.com/privacy-and-security/keystore#UserAuthentication[developer.android.com] - Require user authentication for key use
\ No newline at end of file
diff --git a/rules/S6291/metadata.json b/rules/S6291/metadata.json
index 4bfd7869cb1..77c32097762 100644
--- a/rules/S6291/metadata.json
+++ b/rules/S6291/metadata.json
@@ -39,6 +39,9 @@
 "OWASP Mobile": [
 "M2"
 ],
+ "OWASP Mobile Top 10 2024": [
+ "M9"
+ ],
 "MASVS": [
 "MSTG-STORAGE-14"
 ],
diff --git a/rules/S6291/see.adoc b/rules/S6291/see.adoc
index f18fce10f6a..3dc6832e21d 100644
--- a/rules/S6291/see.adoc
+++ b/rules/S6291/see.adoc
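Review bot: The MASVS bullet kept as context points at `https://mas.owasp.org/checklists/MASVS-STORAGE/` while its label reads "Authentication and Session Management Requirements", and the S6288 metadata in this same diff maps the rule to `MSTG-AUTH-1`, so the link target looks wrong. Since this hunk already reorders the list it is the place to change it to `* OWASP - https://mas.owasp.org/checklists/MASVS-AUTH/[Mobile AppSec Verification Standard - Authentication and Session Management Requirements]`, which is the URL S6293/see.adoc uses for the same label. The file also still ends without a newline on both sides of the change.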
@@ -1,10 +1,11 @@ == See +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard] - Data Storage and Privacy Requirements -* https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2] - Insecure Data Storage -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage] * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] diff --git a/rules/S6293/metadata.json b/rules/S6293/metadata.json index d5ca7afeea1..7e77ec8153f 100644 --- a/rules/S6293/metadata.json +++ b/rules/S6293/metadata.json @@ -35,6 +35,9 @@ "OWASP Mobile": [ "M4" ], + "OWASP Mobile Top 10 2024": [ + "M3" + ], "MASVS": [ "MSTG-AUTH-8" ], diff --git a/rules/S6293/see.adoc b/rules/S6293/see.adoc index 88f5278c176..c1e30e1a3ff 100644 --- a/rules/S6293/see.adoc 
+++ b/rules/S6293/see.adoc @@ -1,7 +1,8 @@ == See * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures] -* https://developer.android.com/training/sign-in/biometric-auth[developer.android.com] - Use a cryptographic solution that depends on authentication * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication[Mobile Top 10 2016 Category M4 - Insecure Authentication] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization] * OWASP - https://mas.owasp.org/checklists/MASVS-AUTH/[Mobile AppSec Verification Standard - Authentication and Session Management Requirements] -* CWE - https://cwe.mitre.org/data/definitions/287[CWE-287 - Improper Authentication] \ No newline at end of file +* CWE - https://cwe.mitre.org/data/definitions/287[CWE-287 - Improper Authentication] +* https://developer.android.com/training/sign-in/biometric-auth[developer.android.com] - Use a cryptographic solution that depends on authentication \ No newline at end of file diff --git a/rules/S6300/metadata.json b/rules/S6300/metadata.json index 50d46bf8789..b58a83675a9 100644 --- a/rules/S6300/metadata.json +++ b/rules/S6300/metadata.json @@ -39,6 +39,9 @@ "OWASP Mobile": [ "M2" ], + "OWASP Mobile Top 10 2024": [ + "M9" + ], "MASVS": [ "MSTG-STORAGE-14" ], diff --git a/rules/S6300/see.adoc b/rules/S6300/see.adoc index d223601a676..829b5f8c761 100644 --- a/rules/S6300/see.adoc +++ b/rules/S6300/see.adoc 
@@ -1,8 +1,9 @@ == See +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage] * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] diff --git a/rules/S6301/common/resources/standards.adoc b/rules/S6301/common/resources/standards.adoc index abe88d58f09..6ec2a433b6a 100644 --- a/rules/S6301/common/resources/standards.adoc +++ b/rules/S6301/common/resources/standards.adoc 
@@ -1,10 +1,13 @@ === Standards +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design] * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage[Mobile Top 10 2024 Category M1 - Improper Credential Usage] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] * CWE - https://cwe.mitre.org/data/definitions/321[CWE-321 - Use of Hard-coded Cryptographic Key] diff --git a/rules/S6301/metadata.json b/rules/S6301/metadata.json index 69b233fd95b..02f1ead0108 100644 --- a/rules/S6301/metadata.json +++ b/rules/S6301/metadata.json 
@@ -37,6 +37,11 @@ "OWASP Mobile": [ "M2" ], + "OWASP Mobile Top 10 2024": [ + "M1", + "M9", + "M10" + ], "MASVS": [ "MSTG-STORAGE-14" ], diff --git a/rules/S6358/xml/metadata.json b/rules/S6358/xml/metadata.json index 8d7409987de..bece45d2b9c 100644 --- a/rules/S6358/xml/metadata.json +++ b/rules/S6358/xml/metadata.json @@ -40,6 +40,9 @@ "M1", "M2" ], + "OWASP Mobile Top 10 2024": [ + "M9" + ], "MASVS": [ "MSTG-STORAGE-8" ], diff --git a/rules/S6358/xml/rule.adoc b/rules/S6358/xml/rule.adoc index 91056464646..d3c750fb012 100644 --- a/rules/S6358/xml/rule.adoc +++ b/rules/S6358/xml/rule.adoc 
@@ -67,14 +67,16 @@ If targeting Android 6.0 or above (API level 23), define files to include/exclud == See + +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] -* https://developer.android.com/guide/topics/data/autobackup[Back up user data with Auto Backup] * OWASP - https://mas.owasp.org/checklists/MASVS-STORAGE/[Mobile AppSec Verification Standard - Data Storage and Privacy Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage[Mobile Top 10 2016 Category M2 - Insecure Data Storage] -* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage] * CWE - https://cwe.mitre.org/data/definitions/312[CWE-922 - Insecure Storage of Sensitive Information] +* https://developer.android.com/guide/topics/data/autobackup[Back up user data with Auto Backup] ifdef::env-github,rspecator-view[] diff --git a/rules/S6359/metadata.json b/rules/S6359/metadata.json index 539f47182c2..a70a027f99e 100644 --- a/rules/S6359/metadata.json +++ b/rules/S6359/metadata.json @@ -38,6 +38,10 @@ "OWASP Mobile": [ "M1" ], + "OWASP Mobile Top 10 2024": [ + "M3", + "M8" + ], "MASVS": [ "MSTG-PLATFORM-1" ], 
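Review bot: The CWE entry left as context in the rules/S6358/xml/rule.adoc hunk links to `https://cwe.mitre.org/data/definitions/312` but is labelled `CWE-922 - Insecure Storage of Sensitive Information`; CWE-312 is "Cleartext Storage of Sensitive Information" and CWE-922 is "Insecure Storage of Sensitive Information", so either the URL or the label is wrong and a reader following the link lands on a different weakness than the one named. Which of the two is intended should be checked against the CWE array in this rule's metadata.json, which is not visible in the S6358 metadata hunk above (only the OWASP Mobile and MASVS arrays are shown). As a point of style, the hunk also inserts an empty added line directly under `== See`, giving two blank lines where the other see/standards lists in this commit use one.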
diff --git a/rules/S6359/xml/rule.adoc b/rules/S6359/xml/rule.adoc index f65b6742d39..eef08c93d83 100644 --- a/rules/S6359/xml/rule.adoc +++ b/rules/S6359/xml/rule.adoc @@ -68,6 +68,8 @@ It is common practice to use the application package name as part of the namespa * Mobile AppSec Verification Standard - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Platform Interaction Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/265[CWE-265 - Privilege Issues] * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource] diff --git a/rules/S6361/xml/metadata.json b/rules/S6361/xml/metadata.json index da580fcfc54..ec82d221264 100644 --- a/rules/S6361/xml/metadata.json +++ b/rules/S6361/xml/metadata.json @@ -36,6 +36,10 @@ "M1", "M6" ], + "OWASP Mobile Top 10 2024": [ + "M3", + "M8" + ], "MASVS": [ "MSTG-PLATFORM-1" ] diff --git a/rules/S6361/xml/rule.adoc b/rules/S6361/xml/rule.adoc index dc92cb2cea9..6c2aa4f1645 100644 --- a/rules/S6361/xml/rule.adoc +++ b/rules/S6361/xml/rule.adoc 
@@ -56,6 +56,8 @@ There is a risk if you answered yes to this question. * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization[Mobile Top 10 2016 Category M6 - Insecure Authorization] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization[Mobile Top 10 2024 Category M3 - Insecure Authentication/Authorization] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/1220[CWE-1220 - Insufficient Granularity of Access Control] diff --git a/rules/S6362/metadata.json b/rules/S6362/metadata.json index bdf9ebe3d12..444e61e1d49 100644 --- a/rules/S6362/metadata.json +++ b/rules/S6362/metadata.json @@ -32,6 +32,9 @@ "MASVS": [ "MSTG-PLATFORM-2" ], + "OWASP Mobile Top 10 2024": [ + "M8" + ], "OWASP Top 10 2021": [ "A3" ], diff --git a/rules/S6362/see.adoc b/rules/S6362/see.adoc index 53c7c2eb15c..fa0c2e2d666 100644 --- a/rules/S6362/see.adoc +++ b/rules/S6362/see.adoc 
@@ -3,4 +3,5 @@ * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] diff --git a/rules/S6363/metadata.json b/rules/S6363/metadata.json index 8b9493e0d53..4f906b677f0 100644 --- a/rules/S6363/metadata.json +++ b/rules/S6363/metadata.json @@ -32,6 +32,9 @@ "MASVS": [ "MSTG-PLATFORM-2" ], + "OWASP Mobile Top 10 2024": [ + "M8" + ], "OWASP Top 10 2021": [ "A3" ], diff --git a/rules/S6363/see.adoc b/rules/S6363/see.adoc index 53c7c2eb15c..fa0c2e2d666 100644 --- a/rules/S6363/see.adoc +++ b/rules/S6363/see.adoc @@ -3,4 +3,5 @@ * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] diff --git a/rules/S6373/java/metadata.json b/rules/S6373/java/metadata.json index d72e842293a..8fd3f8bb520 100644 --- a/rules/S6373/java/metadata.json 
+++ b/rules/S6373/java/metadata.json @@ -1,4 +1,32 @@ { + "securityStandards": { + "CWE": [ + 611, + 827 + ], + "OWASP": [ + "A4" + ], + "OWASP Top 10 2021": [ + "A5" + ], + "OWASP Mobile Top 10 2024": [ + "M4", + "M8" + ], + "PCI DSS 3.2": [ + "6.5.1" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "5.5.2" + ], + "STIG ASD_V5R3": [ + "V-222608" + ] + }, "quickfix": "infeasible", "tags": [ "symbolic-execution" diff --git a/rules/S6373/java/rule.adoc b/rules/S6373/java/rule.adoc index a7bf04128f2..8a98fbc86b9 100644 --- a/rules/S6373/java/rule.adoc +++ b/rules/S6373/java/rule.adoc @@ -73,6 +73,8 @@ property to `false`. * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 - Category A4 - XML External Entities (XXE)] * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 - Category A5 - Security Misconfiguration] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Improper Restriction of XML External Entity Reference] * CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition] * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks. diff --git a/rules/S6376/java/metadata.json b/rules/S6376/java/metadata.json index ca1da9aca73..c3f108808d7 100644 --- a/rules/S6376/java/metadata.json +++ b/rules/S6376/java/metadata.json 
@@ -1,4 +1,32 @@ { + "securityStandards": { + "CWE": [ + 611, + 827 + ], + "OWASP": [ + "A4" + ], + "OWASP Top 10 2021": [ + "A5" + ], + "OWASP Mobile Top 10 2024": [ + "M4", + "M8" + ], + "PCI DSS 3.2": [ + "6.5.1" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "5.5.2" + ], + "STIG ASD_V5R3": [ + "V-222608" + ] + }, "quickfix": "infeasible", "tags": [ "symbolic-execution" diff --git a/rules/S6376/java/rule.adoc b/rules/S6376/java/rule.adoc index 85685964213..7ccfbc5f81b 100644 --- a/rules/S6376/java/rule.adoc +++ b/rules/S6376/java/rule.adoc @@ -39,6 +39,8 @@ include::how-to-fix-it/jdom2.adoc[] * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration] * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration] * CWE - https://cwe.mitre.org/data/definitions/776[CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')] * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222593[Application Security and Development: V-222593] - XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented. diff --git a/rules/S6384/common/resources/standards.adoc b/rules/S6384/common/resources/standards.adoc index 08cbac28edb..437907ead60 100644 
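Review bot: The securityStandards block added to rules/S6376/java/metadata.json lists `"CWE": [611, 827]` and `"STIG ASD_V5R3": ["V-222608"]`, but the rules/S6376/java/rule.adoc hunk on the same line references only CWE-776 and STIG findings V-222593 and V-222667, and never 611, 827 or V-222608. The block is identical to the one added to rules/S6373/java/metadata.json in the previous hunk (the XXE rule), so it appears to have been copied without being adapted to this rule's own standards list. Unless the parent rules/S6376/metadata.json, which is not visible here, really maps this rule to 611/827 and V-222608, the CWE and STIG arrays should be re-derived from S6376's rule.adoc, e.g. `"CWE": [776]` and `"STIG ASD_V5R3": ["V-222593", "V-222667"]`, and the OWASP/ASVS entries re-checked against the same list.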
--- a/rules/S6384/common/resources/standards.adoc +++ b/rules/S6384/common/resources/standards.adoc @@ -2,5 +2,6 @@ * OWASP - https://mas.owasp.org/checklists/MASVS-PLATFORM/[Mobile AppSec Verification Standard - Platform Interaction Requirements] * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. diff --git a/rules/S6384/metadata.json b/rules/S6384/metadata.json index 118b8185d26..cc2b014b45f 100644 --- a/rules/S6384/metadata.json +++ b/rules/S6384/metadata.json @@ -34,6 +34,9 @@ "OWASP Mobile": [ "M1" ], + "OWASP Mobile Top 10 2024": [ + "M4" + ], "MASVS": [ "MSTG-PLATFORM-2" ], diff --git a/rules/S6432/common/resources/standards-mobile.adoc b/rules/S6432/common/resources/standards-mobile.adoc new file mode 100644 index 00000000000..a73798d92af --- /dev/null +++ b/rules/S6432/common/resources/standards-mobile.adoc 
@@ -0,0 +1,11 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] +* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] +* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] +* CWE - https://cwe.mitre.org/data/definitions/323[CWE-323 - Reusing a Nonce, Key Pair in Encryption] +* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation +* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf[NIST, SP-800-38C] - Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality +* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf[NIST, SP-800-38D] - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC diff --git a/rules/S6432/common/resources/standards.adoc b/rules/S6432/common/resources/standards.adoc index 85130396cec..7a0bbcf23da 100644 --- a/rules/S6432/common/resources/standards.adoc +++ b/rules/S6432/common/resources/standards.adoc 
@@ -2,8 +2,6 @@ * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures] * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] -* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements] -* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography] * CWE - https://cwe.mitre.org/data/definitions/323[CWE-323 - Reusing a Nonce, Key Pair in Encryption] * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf[NIST, SP-800-38C] - Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality diff --git a/rules/S6432/java/metadata.json b/rules/S6432/java/metadata.json index 7a73a41bfdf..b0ee4b67f48 100644 --- a/rules/S6432/java/metadata.json +++ b/rules/S6432/java/metadata.json @@ -1,2 +1,22 @@ { + "securityStandards": { + "CWE": [ + 323 + ], + "OWASP": [ + "A3" + ], + "OWASP Mobile": [ + "M5" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "MASVS": [ + "MSTG-CRYPTO-6" + ], + "OWASP Top 10 2021": [ + "A2" + ] + } } \ No newline at end of file diff --git a/rules/S6432/java/rule.adoc b/rules/S6432/java/rule.adoc index 7cd0c5c4975..0796c593c8b 100644 --- a/rules/S6432/java/rule.adoc +++ b/rules/S6432/java/rule.adoc @@ -20,7 +20,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] 
diff --git a/rules/S6432/kotlin/metadata.json b/rules/S6432/kotlin/metadata.json index 7a73a41bfdf..b0ee4b67f48 100644 --- a/rules/S6432/kotlin/metadata.json +++ b/rules/S6432/kotlin/metadata.json @@ -1,2 +1,22 @@ { + "securityStandards": { + "CWE": [ + 323 + ], + "OWASP": [ + "A3" + ], + "OWASP Mobile": [ + "M5" + ], + "OWASP Mobile Top 10 2024": [ + "M10" + ], + "MASVS": [ + "MSTG-CRYPTO-6" + ], + "OWASP Top 10 2021": [ + "A2" + ] + } } \ No newline at end of file diff --git a/rules/S6432/kotlin/rule.adoc b/rules/S6432/kotlin/rule.adoc index 942dcc29241..9cabd5c5b9d 100644 --- a/rules/S6432/kotlin/rule.adoc +++ b/rules/S6432/kotlin/rule.adoc @@ -18,7 +18,7 @@ include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S6432/metadata.json b/rules/S6432/metadata.json index b5af9b55d32..197002391fc 100644 --- a/rules/S6432/metadata.json +++ b/rules/S6432/metadata.json @@ -28,12 +28,6 @@ "OWASP": [ "A3" ], - "OWASP Mobile": [ - "M5" - ], - "MASVS": [ - "MSTG-CRYPTO-6" - ], "OWASP Top 10 2021": [ "A2" ] diff --git a/rules/S6549/common/resources/standards-mobile.adoc b/rules/S6549/common/resources/standards-mobile.adoc new file mode 100644 index 00000000000..a2ed108caac --- /dev/null +++ b/rules/S6549/common/resources/standards-mobile.adoc 
@@ -0,0 +1,11 @@ +=== Standards + +* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] +* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] +* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation] +* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] +* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S6549/java/metadata.json b/rules/S6549/java/metadata.json index 0db3279e44b..97202b93c7c 100644 --- a/rules/S6549/java/metadata.json +++ b/rules/S6549/java/metadata.json @@ -1,3 +1,33 @@ { - + "securityStandards": { + "CWE": [ + 20, + 22 + ], + "OWASP": [ + "A5", + "A1" + ], + "OWASP Top 10 2021": [ + "A1", + "A3" + ], + "OWASP Mobile Top 10 2024": [ + "M4" + ], + "PCI DSS 3.2": [ + "6.5.8" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "12.3.1", + "5.1.3", + "5.1.4" + ], + "STIG ASD_V5R3": [ + "V-222609" + ] + } } diff --git a/rules/S6549/java/rule.adoc b/rules/S6549/java/rule.adoc index 61fcf6b2d82..2ce00fa8415 100644 --- a/rules/S6549/java/rule.adoc +++ b/rules/S6549/java/rule.adoc 
@@ -10,7 +10,7 @@ include::how-to-fix-it/java-se.adoc[] == Resources -include::../common/resources/standards.adoc[] +include::../common/resources/standards-mobile.adoc[] ifdef::env-github,rspecator-view[] diff --git a/rules/S6706/secrets/metadata.json b/rules/S6706/secrets/metadata.json index 4fb94bcec5a..07f9a006c57 100644 --- a/rules/S6706/secrets/metadata.json +++ b/rules/S6706/secrets/metadata.json @@ -37,6 +37,10 @@ "OWASP Top 10 2021": [ "A7" ], + "OWASP Mobile Top 10 2024": [ + "M1", + "M10" + ], "PCI DSS 3.2": [ "6.5.10" ], diff --git a/rules/S6706/secrets/rule.adoc b/rules/S6706/secrets/rule.adoc index 490ba76022a..260e7d9b435 100644 --- a/rules/S6706/secrets/rule.adoc +++ b/rules/S6706/secrets/rule.adoc @@ -76,4 +76,7 @@ with open("/path/to/private.key","r") as key_file: include::../../../shared_content/secrets/resources/standards.adoc[] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage[Mobile Top 10 2024 Category M1 - Improper Credential Usage] +* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography] + //=== Benchmarks