Update rule api (#1265)

Author: rudy-regazzoni-sonarsource

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S100.html

@@ -2,17 +2,29 @@ <h2>Why is this an issue?</h2>
 <p>Shared naming conventions allow teams to collaborate efficiently.</p>
 <p>This rule raises an issue when a function name does not match a provided regular expression.</p>
 <p>For example, with the default provided regular expression <code>^[a-z][a-zA-Z0-9]*$</code>, the function:</p>
-<pre>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 function DoSomething(){ // Noncompliant
     // ...
 }
 </pre>
 <p>should be renamed to</p>
-<pre>
+<pre data-diff-id="1" data-diff-type="compliant">
 function doSomething(){
     // ...
 }
 </pre>
+<p>In case the Drupal framework is detected and the default regex is not replaced, it will follow the PHP coding standards for Drupal.</p>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+function doSomething(){ // Noncompliant
+    // ...
+}
+</pre>
+<p>should be renamed to</p>
+<pre data-diff-id="2" data-diff-type="compliant">
+function do_something(){
+    // ...
+}
+</pre>
 <h3>Exceptions</h3>
 <p>Methods with an <code>@inheritdoc</code> annotation, as well as magic methods (<code>__construct()</code>, <code>__destruct()</code>,
 <code>__call()</code>, <code>__callStatic()</code>, <code>__get()</code>, <code>__set()</code>, <code>__isset()</code>, <code>__unset()</code>,
@@ -27,4 +39,9 @@ <h3>Exceptions</h3>
  */
 function myFunc(){...}      // Compliant by exception
 </pre>
+<h2>References</h2>
+<ul>
+  <li> <a href="https://www.drupal.org/docs/develop/standards/php/php-coding-standards#s-functions-and-variables">Drupal - Naming Conventions -
+  Functions and variables</a> </li>
+</ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1781.html

@@ -3,17 +3,32 @@ <h2>Why is this an issue?</h2>
 functionality. This allows for more flexibility and ease of use when writing code.</p>
 <p>However, it is generally recommended to follow a consistent casing convention for readability and maintainability purposes. Relevant constants are
 <code>true</code>, <code>false</code> and <code>null</code>.</p>
+<p>Note that if the Drupal framework is detected, this rule will enforce Drupal standards instead. Relevant constants are <code>TRUE</code>,
+<code>FALSE</code> and <code>NULL</code>.</p>
 <h3>Noncompliant code example</h3>
 <pre data-diff-id="1" data-diff-type="noncompliant">
 &lt;?php ECHO 'Hello World'; ?&gt;
 </pre>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+&lt;?php
+// In a Drupal context
+const CACHE_ENABLED = true;
+?&gt;
+</pre>
 <h3>Compliant solution</h3>
 <pre data-diff-id="1" data-diff-type="compliant">
 &lt;?php echo 'Hello World'; ?&gt;
 </pre>
+<pre data-diff-id="2" data-diff-type="compliant">
+&lt;?php
+// In a Drupal context
+const CACHE_ENABLED = TRUE;
+?&gt;
+</pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>
 <ul>
   <li> <a href="https://www.php.net/manual/en/reserved.constants.php">PHP Manual - Predefined Constants</a> </li>
+  <li> <a href="https://www.drupal.org/docs/develop/standards/php/php-coding-standards#s-constants">Drupal - Naming Conventions - Constants</a> </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2053.html

@@ -42,7 +42,7 @@ <h4>Noncompliant code example</h4>
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
-$salt = random_bytes(16);
+$salt = random_bytes(32);
 $hash = hash_pbkdf2('sha256', $password, $salt, 100000);
 </pre>
 <h3>How does this work?</h3>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2053.json

@@ -36,7 +36,7 @@
     "PCI DSS 4.0": [
       "6.2.4"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222542"
     ]
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.json

@@ -45,7 +45,7 @@
       "6.1.2",
       "6.1.3"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222576"
     ]
   }

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html

@@ -39,8 +39,7 @@ <h2>See</h2>
   <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a> </li>
-  <li> <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
-  Verification Standard - Cryptography Requirements</a> </li>
+  <li> <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/338">CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)</a>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2612.json

@@ -40,7 +40,7 @@
     "ASVS 4.0": [
       "4.3.3"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222430"
     ]
   }

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2755.json

@@ -39,7 +39,7 @@
     "ASVS 4.0": [
       "5.5.2"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222608"
     ]
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3330.json

@@ -39,7 +39,7 @@
     "ASVS 4.0": [
       "3.4.2"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222575"
     ]
   }

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.html

@@ -127,8 +127,7 @@ <h3>Standards</h3>
   Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
-  Verification Standard - Cryptography Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
   Insufficient Cryptography</a> </li>
   <li> <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf">NIST 800-131A</a> - Recommendation for Transitioning the

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4502.json

@@ -39,7 +39,7 @@
       "13.2.3",
       "4.2.2"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222603"
     ]
   }

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.html

@@ -66,8 +66,8 @@ <h2>Exceptions</h2>
 $pattern = "/(a+)+/";
 $result = eregi($pattern, $input);  // No issue will be raised even if it is Sensitive
 </pre>
-<p>Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: <code>(a|aa)+</code>,
-<code>(a|a?)+</code>.</p>
+<p>Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: <code>(a|aa)``,
+``(a|a?)</code>.</p>
 <p>It is a good idea to test your regular expression if it has the same pattern on both side of a "<code>|</code>".</p>
 <h2>See</h2>
 <ul>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.html

@@ -34,8 +34,7 @@ <h2>See</h2>
   Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
-  Verification Standard - Cryptography Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1240">CWE-1240 - Use of a Risky Cryptographic Primitive</a> </li>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4830.html

@@ -60,8 +60,8 @@ <h3>Standards</h3>
   Misconfiguration</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication">Mobile Top 10 2016 Category M3 - Insecure
   Communication</a> </li>
-  <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements">Mobile AppSec
-  Verification Standard - Network Communication Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-NETWORK/">Mobile AppSec Verification Standard - Network Communication Requirements</a>
+  </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/295">CWE-295 - Improper Certificate Validation</a> </li>
   <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550">Application Security and
   Development: V-222550</a> - The application must validate certificates by constructing a certification path to an accepted trust anchor. </li>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4830.json

@@ -53,7 +53,7 @@
       "1.9.2",
       "9.2.1"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222550"
     ]
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5328.json

@@ -42,7 +42,7 @@
       "2.6.2",
       "2.9.2"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222579",
       "V-222582"
     ]

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5332.html

@@ -109,8 +109,8 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a> </li>
-  <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements">Mobile AppSec
-  Verification Standard - Network Communication Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-NETWORK/">Mobile AppSec Verification Standard - Network Communication Requirements</a>
+  </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication">Mobile Top 10 2016 Category M3 - Insecure
   Communication</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/200">CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor</a> </li>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5332.json

@@ -45,7 +45,7 @@
       "9.1.1",
       "9.2.2"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222397",
       "V-222534",
       "V-222562",

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5527.html

@@ -61,8 +61,8 @@ <h3>Standards</h3>
   Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements">Mobile AppSec
-  Verification Standard - Network Communication Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-NETWORK/">Mobile AppSec Verification Standard - Network Communication Requirements</a>
+  </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication">Mobile Top 10 2016 Category M3 - Insecure
   Communication</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/297">CWE-297 - Improper Validation of Certificate with Host Mismatch</a> </li>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5527.json

@@ -49,7 +49,7 @@
       "4.2.1",
       "6.2.4"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222550"
     ]
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5547.json

@@ -53,7 +53,7 @@
       "6.2.5",
       "8.3.7"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222396"
     ]
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5876.json

@@ -38,7 +38,7 @@
     "ASVS 4.0": [
       "3.2.1"
     ],
-    "STIG ASD 2023-06-08": [
+    "STIG ASD_V5R3": [
       "V-222579",
       "V-222582"
     ]

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "PHP"
   ],
-  "latest-update": "2024-06-17T07:58:30.080972500Z",
+  "latest-update": "2024-08-13T08:39:04.772066700Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true