SonarSource · pierre-loup-tristant-sonarsource · Feb 19, 2025 · Feb 12, 2025 · Feb 14, 2025 · Feb 14, 2025
diff --git a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
@@ -156,6 +156,15 @@
           },
           "uniqueItems": true
         },
+        "OWASP Mobile Top 10 2024": {
+          "type": "array",
+          "minItems": 0,
+          "items": { 
+            "type": "string",
+            "pattern": "^M([1-9]|10)$"
+          },
+          "uniqueItems": true
+        },
         "PCI DSS 3.2": {
           "type": "array",
           "minItems": 0,

diff --git a/rules/S2053/common/resources/standards-mobile.adoc b/rules/S2053/common/resources/standards-mobile.adoc
@@ -0,0 +1,9 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+* CWE - https://cwe.mitre.org/data/definitions/759[CWE-759 - Use of a One-Way Hash without a Salt]
+* CWE - https://cwe.mitre.org/data/definitions/760[CWE-760 - Use of a One-Way Hash with a Predictable Salt]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.
+
diff --git a/rules/S2053/java/metadata.json b/rules/S2053/java/metadata.json
@@ -1,3 +1,26 @@
 {
-
+    "securityStandards": {
+        "CWE": [
+          759,
+          760
+        ],
+        "OWASP": [
+          "A3"
+        ],
+        "OWASP Top 10 2021": [
+          "A2"
+        ],
+        "OWASP Mobile Top 10 2024": [
+          "M10"
+        ],
+        "PCI DSS 3.2": [
+          "6.5.10"
+        ],
+        "PCI DSS 4.0": [
+          "6.2.4"
+        ],
+        "STIG ASD_V5R3": [
+          "V-222542"
+        ]
+      } 
 }
diff --git a/rules/S2053/java/rule.adoc b/rules/S2053/java/rule.adoc
@@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[]
 
 == Resources
 
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2053/kotlin/metadata.json b/rules/S2053/kotlin/metadata.json
@@ -1,3 +1,26 @@
 {
-
+  "securityStandards": {
+    "CWE": [
+      759,
+      760
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Top 10 2021": [
+      "A2"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M10"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222542"
+    ]
+  }
 }
diff --git a/rules/S2053/kotlin/rule.adoc b/rules/S2053/kotlin/rule.adoc
@@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[]
 
 == Resources
 
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2076/common/resources/standards-mobile.adoc b/rules/S2076/common/resources/standards-mobile.adoc
@@ -0,0 +1,10 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222604[Application Security and Development: V-222604] - The application must protect from command injection.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2076/java/metadata.json b/rules/S2076/java/metadata.json
@@ -1,3 +1,33 @@
 {
-
+  "securityStandards": {
+    "CWE": [
+      20,
+      78
+    ],
+    "OWASP": [
+      "A1"
+    ],
+    "OWASP Top 10 2021": [
+      "A3"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M4"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.1"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "12.3.5",
+      "5.1.3",
+      "5.1.4",
+      "5.3.8"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222604",
+      "V-222609"
+    ]
+  }  
 }
diff --git a/rules/S2076/java/rule.adoc b/rules/S2076/java/rule.adoc
@@ -14,7 +14,7 @@ include::how-to-fix-it/java-se.adoc[]
 
 include::../common/resources/docs.adoc[]
 
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2083/common/resources/standards-mobile.adoc b/rules/S2083/common/resources/standards-mobile.adoc
@@ -0,0 +1,11 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
+* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2083/java/metadata.json b/rules/S2083/java/metadata.json
@@ -1,3 +1,33 @@
 {
-
+  "securityStandards": {
+    "CWE": [
+      20,
+      22
+    ],
+    "OWASP": [
+      "A5",
+      "A1"
+    ],
+    "OWASP Top 10 2021": [
+      "A1",
+      "A3"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M4"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.8"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "12.3.1",
+      "5.1.3",
+      "5.1.4"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222609"
+    ]
+  }  
 }
diff --git a/rules/S2083/java/rule.adoc b/rules/S2083/java/rule.adoc
@@ -10,7 +10,7 @@ include::how-to-fix-it/java-se.adoc[]
 
 == Resources
 
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2245/cfamily/metadata.json b/rules/S2245/cfamily/metadata.json
@@ -18,12 +18,6 @@
     "OWASP": [
       "A3"
     ],
-    "OWASP Mobile": [
-      "M5"
-    ],
-    "MASVS": [
-      "MSTG-CRYPTO-6"
-    ],
     "OWASP Top 10 2021": [
       "A2"
     ],

diff --git a/rules/S2245/cfamily/rule.adoc b/rules/S2245/cfamily/rule.adoc
@@ -38,17 +38,8 @@ void f() {
 }
 ----
 
-== See
-
-* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet]
-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
-* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)]
-* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
-* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
-* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
+include::../see.adoc[]
+
 * https://wiki.sei.cmu.edu/confluence/x/UNcxBQ[CERT, MSC30-C.] - Do not use the rand() function for generating pseudorandom numbers
 * https://wiki.sei.cmu.edu/confluence/x/2ns-BQ[CERT, MSC50-CPP.] - Do not use std::rand() for generating pseudorandom numbers
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]

diff --git a/rules/S2245/java/metadata.json b/rules/S2245/java/metadata.json
@@ -17,6 +17,9 @@
     "OWASP Mobile": [
       "M5"
     ],
+    "OWASP Mobile Top 10 2024": [
+      "M10"
+    ],
     "MASVS": [
       "MSTG-CRYPTO-6"
     ],

diff --git a/rules/S2245/java/rule.adoc b/rules/S2245/java/rule.adoc
@@ -27,19 +27,12 @@ byte bytes[] = new byte[20];
 random.nextBytes(bytes);
 ----
 
-== See
+include::../see.adoc[]
 
-* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet]
-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
-* CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)]
-* CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
-* CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
-* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
 * https://wiki.sei.cmu.edu/confluence/x/oTdGBQ[CERT, MSC02-J.] - Generate strong random numbers
-* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2245/kotlin/metadata.json b/rules/S2245/kotlin/metadata.json
@@ -1,3 +1,29 @@
 {
+  "securityStandards": {
+    "CWE": [
+      326,
+      330,
+      338,
+      1241
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Mobile": [
+      "M5"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M10"
+    ],
+    "MASVS": [
+      "MSTG-CRYPTO-6"
+    ],
+    "OWASP Top 10 2021": [
+      "A2"
+    ],
+    "ASVS 4.0": [
+      "6.2.4"
+    ]
+  },
   "quickfix": "unknown"
 }
diff --git a/rules/S2245/kotlin/rule.adoc b/rules/S2245/kotlin/rule.adoc
@@ -23,6 +23,10 @@ random.nextBytes(bytes)
 
 include::../see.adoc[]
 
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+
 ifdef::env-github,rspecator-view[]
 
 '''

diff --git a/rules/S2245/metadata.json b/rules/S2245/metadata.json
@@ -37,12 +37,6 @@
     "OWASP": [
       "A3"
     ],
-    "OWASP Mobile": [
-      "M5"
-    ],
-    "MASVS": [
-      "MSTG-CRYPTO-6"
-    ],
     "OWASP Top 10 2021": [
       "A2"
     ],

diff --git a/rules/S2245/see.adoc b/rules/S2245/see.adoc
@@ -3,10 +3,7 @@
 * OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[Secure Random Number Generation Cheat Sheet]
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
 * CWE - https://cwe.mitre.org/data/definitions/338[CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)]
 * CWE - https://cwe.mitre.org/data/definitions/330[CWE-330 - Use of Insufficiently Random Values]
 * CWE - https://cwe.mitre.org/data/definitions/326[CWE-326 - Inadequate Encryption Strength]
-* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
-* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM[Predictable Pseudo Random Number Generator]
+* CWE - https://cwe.mitre.org/data/definitions/1241[CWE-1241 - Use of Predictable Algorithm in Random Number Generator]
diff --git a/rules/S2755/common/resources/standards-mobile.adoc b/rules/S2755/common/resources/standards-mobile.adoc
@@ -0,0 +1,10 @@
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+* CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Information Exposure Through XML External Entity Reference]
+* CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+
diff --git a/rules/S2755/java/metadata.json b/rules/S2755/java/metadata.json
@@ -1,4 +1,32 @@
 {
+  "securityStandards": {
+    "CWE": [
+      611,
+      827
+    ],
+    "OWASP": [
+      "A4"
+    ],
+    "OWASP Top 10 2021": [
+      "A5"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M4",
+      "M8"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.1"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "5.5.2"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222608"
+    ]
+  },
   "quickfix": "infeasible",
   "tags": [
   	"cwe",

diff --git a/rules/S2755/java/rule.adoc b/rules/S2755/java/rule.adoc
@@ -18,7 +18,7 @@ include::how-to-fix-it/sax.adoc[]
 
 == Resources
 
-include::../common/resources/standards.adoc[]
+include::../common/resources/standards-mobile.adoc[]
 
 ifdef::env-github,rspecator-view[]