Update rule meta data for version 3.14. (#735)

Author: nils-werner-sonarsource

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1075.html

@@ -6,6 +6,6 @@
 <p>This rule raises an issue when URI's or path delimiters are hard coded.</p>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/qQCHAQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1116.html

@@ -29,11 +29,11 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/NYA5">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never
-  executed </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/7gCTAw">CERT, MSC51-J.</a> - Do not place a semicolon immediately following an if, for,
-  or while condition </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/i4FtAg">CERT, EXP15-C.</a> - Do not place a semicolon on the same line as an if, for,
-  or while statement </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/5dUxBQ">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never executed
+  </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/IDZGBQ">CERT, MSC51-J.</a> - Do not place a semicolon immediately following an if, for, or while
+  condition </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/WtYxBQ">CERT, EXP15-C.</a> - Do not place a semicolon on the same line as an if, for, or while
+  statement </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S112.html

@@ -14,7 +14,6 @@ <h2>Compliant Solution</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="http://cwe.mitre.org/data/definitions/397.html">MITRE, CWE-397</a> - Declaration of Throws for Generic Exception </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/BoB3AQ">CERT, ERR07-J.</a> - Do not throw RuntimeException, Exception, or Throwable
-  </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/_DdGBQ">CERT, ERR07-J.</a> - Do not throw RuntimeException, Exception, or Throwable </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1121.html

@@ -26,8 +26,7 @@ <h2>Exceptions</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="http://cwe.mitre.org/data/definitions/481.html">MITRE, CWE-481</a> - Assigning instead of Comparing </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/nYFtAg">CERT, EXP45-C.</a> - Do not perform assignments in selection statements </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/1gCTAw">CERT, EXP51-J.</a> - Do not perform assignments in conditional expressions
-  </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/ZNYxBQ">CERT, EXP45-C.</a> - Do not perform assignments in selection statements </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/ITZGBQ">CERT, EXP51-J.</a> - Do not perform assignments in conditional expressions </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1172.html

@@ -24,7 +24,7 @@ <h2>Exceptions</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/NYA5">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never
-  executed </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/5dUxBQ">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never executed
+  </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S121.html

@@ -12,9 +12,7 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/1QGMAg">CERT, EXP19-C.</a> - Use braces for the body of an if, for, or while statement
-  </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/3wHEAw">CERT, EXP52-J.</a> - Use braces for the body of an if, for, or while statement
-  </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/g9YxBQ">CERT, EXP19-C.</a> - Use braces for the body of an if, for, or while statement </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/MzZGBQ">CERT, EXP52-J.</a> - Use braces for the body of an if, for, or while statement </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.html

@@ -49,9 +49,9 @@ <h2>Exceptions</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="http://cwe.mitre.org/data/definitions/484.html">MITRE, CWE-484</a> - Omitted Break Statement in Switch </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/YIFLAQ">CERT, MSC17-C.</a> - Finish every set of statements associated with a case
-  label with a break statement </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/ewHAAQ">CERT, MSC52-J.</a> - Finish every set of statements associated with a case
-  label with a break statement </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/ldYxBQ">CERT, MSC17-C.</a> - Finish every set of statements associated with a case label with a
+  break statement </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/1DdGBQ">CERT, MSC52-J.</a> - Finish every set of statements associated with a case label with a
+  break statement </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S131.html

@@ -29,6 +29,6 @@ <h2>Compliant Solution</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="http://cwe.mitre.org/data/definitions/478.html">MITRE, CWE-478</a> - Missing Default Case in Switch Statement </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/YgE">CERT, MSC01-C.</a> - Strive for logical completeness </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/RtYxBQ">CERT, MSC01-C.</a> - Strive for logical completeness </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1313.html

@@ -5,23 +5,26 @@
 </ul>
 <p>Today's services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always
 have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development,
-delivery and deployment:</p>
+delivery, and deployment:</p>
 <ul>
   <li> The developers will have to do a rapid fix every time this happens, instead of having an operation team change a configuration file. </li>
-  <li> It forces the same address to be used in every environment (dev, sys, qa, prod). </li>
+  <li> It misleads to use the same address in every environment (dev, sys, qa, prod). </li>
 </ul>
 <p>Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially
-sensitive address. They can perform a Denial of Service attack on the service at this address or spoof the IP address. Such an attack is always
-possible, but in the case of a hardcoded IP address the fix will be much slower, which will increase an attack's impact.</p>
+sensitive address. They can perform a Denial of Service attack on the service, try to get access to the system, or try to spoof the IP address to
+bypass security checks. Such attacks can always be possible, but in the case of a hardcoded IP address solving the issue will take more time, which
+will increase an attack's impact.</p>
 <h2>Ask Yourself Whether</h2>
-<p>The disclosed IP address is sensitive, eg:</p>
+<p>The disclosed IP address is sensitive, e.g.:</p>
 <ul>
   <li> Can give information to an attacker about the network topology. </li>
   <li> It's a personal (assigned to an identifiable person) IP address. </li>
 </ul>
 <p>There is a risk if you answered yes to any of these questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p>Don't hard-code the IP address in the source code, instead make it configurable.</p>
+<p>Don't hard-code the IP address in the source code, instead make it configurable with environment variables, configuration files, or a similar
+approach. Alternatively, if confidentially is not required a domain name can be used since it allows to change the destination quickly without having
+to rebuild the software.</p>
 <h2>Sensitive Code Example</h2>
 <pre>
 $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
@@ -45,6 +48,6 @@ <h2>See</h2>
 <ul>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
   </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/qQCHAQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1314.html

@@ -18,8 +18,8 @@ <h2>Exceptions</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/_QC7AQ">CERT, DCL18-C.</a> - Do not begin integer constants with 0 when specifying a
-  decimal value </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/hYClBg">CERT, DCL50-J.</a> - Use visually distinct identifiers </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/atYxBQ">CERT, DCL18-C.</a> - Do not begin integer constants with 0 when specifying a decimal
+  value </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/7DZGBQ">CERT, DCL50-J.</a> - Use visually distinct identifiers </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1578.html

@@ -2,6 +2,6 @@
 raises an issue when the names of analyzed files don't match the provided regular expression.</p>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/lQAl">CERT, MSC09-C.</a> - Character encoding: Use subset of ASCII for safety </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/GtYxBQ">CERT, MSC09-C.</a> - Character encoding: Use subset of ASCII for safety </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1656.html

@@ -14,7 +14,7 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/NYA5">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never
-  executed </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/5dUxBQ">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never executed
+  </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1763.html

@@ -19,8 +19,8 @@ <h2>Compliant Solution</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="http://cwe.mitre.org/data/definitions/561.html">MITRE, CWE-561</a> - Dead Code </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/uQCSBg">CERT, MSC56-J.</a> - Detect and remove superfluous code and values </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/NYA5">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never
-  executed </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/9DZGBQ">CERT, MSC56-J.</a> - Detect and remove superfluous code and values </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/5dUxBQ">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never executed
+  </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1764.html

@@ -27,8 +27,8 @@ <h2>Exceptions</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/NYA5">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never
-  executed </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/5dUxBQ">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never executed
+  </li>
   <li> {rule:php:S1656} - Implements a check on <code>=</code>. </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1854.html

@@ -17,7 +17,7 @@ <h2>Exceptions</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="http://cwe.mitre.org/data/definitions/563.html">MITRE, CWE-563</a> - Assignment to Variable without Use ('Unused Variable') </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/QYA5">CERT, MSC13-C.</a> - Detect and remove unused values </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/uQCSBg">CERT, MSC56-J.</a> - Detect and remove superfluous code and values </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/39UxBQ">CERT, MSC13-C.</a> - Detect and remove unused values </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/9DZGBQ">CERT, MSC56-J.</a> - Detect and remove superfluous code and values </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1862.html

@@ -54,7 +54,7 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/NYA5">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never
-  executed </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/5dUxBQ">CERT, MSC12-C.</a> - Detect and remove code that has no effect or is never executed
+  </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2053.html

@@ -1,15 +1,15 @@
 <p>In cryptography, "salt" is extra piece of data which is included in a hashing algorithm. It makes dictionary attacks more difficult. Using a
 cryptographic hash function without an unpredictable salt increases the likelihood that an attacker will be able to successfully guess a hashed value
 such as a password with a dictionary attack.</p>
-<p>This rule raises an issue when a hashing function which has been specifically designed for hashing sensitive data, such as pbkdf2, is used with a
+<p>This rule raises an issue when a hashing function which has been specifically designed for hashing sensitive data, such as PBKDF2, is used with a
 non-random, reused or too short salt value. It does not raise an issue on base hashing algorithms such as sha1 or md5 as these are often used for
 other purposes.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
-  <li> use hashing functions generating their own salt or generate a long random salt of at least 32 bytes. </li>
-  <li> the salt is at least as long as the resulting hash value. </li>
-  <li> provide the salt to a safe hashing function such as PBKDF2. </li>
-  <li> save both the salt and the hashed value in the relevant database record; during future validation operations, the salt and hash can then be
+  <li> Use hashing functions generating their own salt or generate a long random salt of at least 32 bytes. </li>
+  <li> The salt is at least as long as the resulting hash value. </li>
+  <li> Provide the salt to a safe hashing function such as PBKDF2. </li>
+  <li> Save both the salt and the hashed value in the relevant database record; during future validation operations, the salt and hash can then be
   retrieved from the database. The hash is recalculated with the stored salt and the value being validated, and the result compared to the stored
   hash. </li>
 </ul>
@@ -26,8 +26,8 @@ <h2>Noncompliant Code Example</h2>
 
   $hash = hash_pbkdf2('sha256', $password, 'D8VxSmTZt2E2YV454mkqAY5e', 100000); // Noncompliant; salt is hardcoded
 
-  $hash = crypt($password); // Noncompliant; salt is not provided
-  $hash = crypt($password, ""); // Noncompliant; salt is hardcoded
+  $hash = crypt($password); // Noncompliant; salt is not provided; fails in PHP 8
+  $hash = crypt($password, ""); // Noncompliant; salt is hardcoded; fails in PHP 8
 
   $options = [
     'cost' =&gt; 11,

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html

@@ -5,7 +5,7 @@
   <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466">CVE-2019-13466</a> </li>
   <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389">CVE-2018-15389</a> </li>
 </ul>
-<p>Credentials should be stored outside of the code in a configuration file, a database or secret management service. </p>
+<p>Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets. </p>
 <p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
 strings, and for variable names that match any of the patterns from the provided list.</p>
 <p>It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ...</p>
@@ -20,7 +20,7 @@ <h2>Recommended Secure Coding Practices</h2>
 <ul>
   <li> Store the credentials in a configuration file that is not pushed to the code repository. </li>
   <li> Store the credentials in a database. </li>
-  <li> Use the secret management service of you cloud provider. </li>
+  <li> Use your cloud provider's service for managing secrets. </li>
   <li> If the a password has been disclosed through the source code: change it. </li>
 </ul>
 <h2>Sensitive Code Example</h2>
@@ -43,7 +43,7 @@ <h2>See</h2>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication">OWASP Top 10 2017 Category A2</a> - Broken Authentication </li>
   <li> <a href="http://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
   <li> <a href="http://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/qQCHAQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
   <li> Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD">Hard Coded Password</a> </li>
 </ul>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2077.html

@@ -90,7 +90,7 @@ <h2>See</h2>
   <li> <a href="http://cwe.mitre.org/data/definitions/20.html">MITRE, CWE-20</a> - Improper Input Validation </li>
   <li> <a href="http://cwe.mitre.org/data/definitions/943.html">MITRE, CWE-943</a> - Improper Neutralization of Special Elements in Data Query Logic
   </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/PgIRAg">CERT, IDS00-J.</a> - Prevent SQL injection </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/ITdGBQ">CERT, IDS00-J.</a> - Prevent SQL injection </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
   <li> Derived from FindSecBugs rules <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA">Potential SQL/JPQL Injection
   (JPA)</a>, <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO">Potential SQL/JDOQL Injection (JDO)</a>, <a

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.html

@@ -3,8 +3,8 @@
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> the cookie is for instance a <em>session-cookie</em> not designed to be sent over non-HTTPS communication. </li>
-  <li> it's not sure that the website contains <a href="https://developer.mozilla.org/fr/docs/S%C3%A9curit%C3%A9/MixedContent">mixed content</a> or
-  not (ie HTTPS everywhere or not) </li>
+  <li> it's not sure that the website contains <a href="https://developer.mozilla.org/fr/docs/Web/Security/Mixed_content">mixed content</a> or not (ie
+  HTTPS everywhere or not) </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.html

@@ -10,7 +10,7 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/9YIRAQ">CERT, EXP12-C.</a> - Do not ignore values returned by functions </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/9gEqAQ">CERT, EXP00-J.</a> - Do not ignore values returned by methods </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/mtYxBQ">CERT, EXP12-C.</a> - Do not ignore values returned by functions </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/xzdGBQ">CERT, EXP00-J.</a> - Do not ignore values returned by methods </li>
 </ul>