SONARKT-625 Update rules metadata

Author: Godin

sonar-kotlin-plugin/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "KOTLIN"
   ],
-  "latest-update": "2025-03-13T20:34:31.901277Z",
+  "latest-update": "2025-04-03T13:07:10.743415Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S4507.html

@@ -32,19 +32,7 @@ <h2>See</h2>
   <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering">Mobile Top 10 2016 Category M9 - Reverse
-  Engineering</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality">Mobile Top 10 2016 Category M10 -
-  Extraneous Functionality</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m7-insufficient-binary-protection">Mobile Top 10 2024 Category M7 -
-  Insufficient Binary Protection</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration">Mobile Top 10 2024 Category M8 - Security
-  Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CODE/">Mobile AppSec Verification Standard - Code Quality and Build Setting
-  Requirements</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/489">CWE-489 - Active Debug Code</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/215">CWE-215 - Information Exposure Through Debug Information</a> </li>
-  <li> <a href="https://developer.android.com/studio/publish/preparing">developer.android.com</a> - Prepare for release </li>
-  <li> <a href="https://developer.android.com/privacy-and-security/risks/android-debuggable">developer.android.com</a> - android:debuggable </li>
 </ul>
 

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S4507.json

@@ -16,7 +16,6 @@
     "cwe",
     "error-handling",
     "debug",
-    "android",
     "user-experience"
   ],
   "defaultSeverity": "Minor",
@@ -28,17 +27,6 @@
       489,
       215
     ],
-    "OWASP Mobile": [
-      "M9",
-      "M10"
-    ],
-    "OWASP Mobile Top 10 2024": [
-      "M7",
-      "M8"
-    ],
-    "MASVS": [
-      "MSTG-CODE-2"
-    ],
     "OWASP": [
       "A3"
     ],

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S4830.html

@@ -58,27 +58,17 @@ <h3>Code examples</h3>
 <p>The certificate validation gets disabled by overriding the <code>onReceivedSslError</code> method of the <code>WebViewClient</code> class with an
 implementation that calls <code>SslErrorHandler.proceed()</code> unconditionally, and that never calls <code>SslErrorHandler.cancel()</code>.</p>
 <p>This means that a certificate initially rejected by the system will be accepted by the <code>WebViewClient</code>, regardless of its origin.</p>
-<h3>Noncompliant code example</h3>
-<pre>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="101" data-diff-type="noncompliant">
 class MyWebViewClient : WebViewClient() {
     override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) =
         handler.proceed() // Noncompliant
 }
 </pre>
-<h3>How does this work?</h3>
-<p>Addressing the vulnerability of disabled TLS certificate validation primarily involves re-enabling the default validation.</p>
-<p>To avoid running into problems with invalid certificates, consider the following sections.</p>
-<h4>Using trusted certificates</h4>
-<p>If possible, always use a certificate issued by a well-known, trusted CA for your server. Most programming environments come with a predefined list
-of trusted root CAs, and certificates issued by these authorities are validated automatically. This is the best practice, and it requires no
-additional code or configuration.</p>
-<h4>Working with self-signed certificates or non-standard CAs</h4>
-<p>In some cases, you might need to work with a server using a self-signed certificate, or a certificate issued by a CA not included in your trusted
-roots. Rather than disabling certificate validation in your code, you can add the necessary certificates to your trust store.</p>
-<h4>Implementing a server certificate validation</h4>
-<p>Alternatively, you need to implement a validation of the server certificate received in the <code>SslErrorHandler</code> object, calling
-<code>proceed</code> and <code>cancel</code> appropriately.</p>
-<pre>
+<h4>Compliant solution</h4>
+<p>You need to implement a validation of the server certificate received in the <code>SslErrorHandler</code> object, calling <code>proceed</code> and
+<code>cancel</code> appropriately.</p>
+<pre data-diff-id="101" data-diff-type="compliant">
 class MyWebViewClient : WebViewClient() {
     override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
         if (error.certificate.isServerCertificateValid()) {
@@ -93,6 +83,16 @@ <h4>Implementing a server certificate validation</h4>
     }
 }
 </pre>
+<h3>How does this work?</h3>
+<p>Addressing the vulnerability of disabled TLS certificate validation primarily involves re-enabling the default validation.</p>
+<p>To avoid running into problems with invalid certificates, consider the following sections.</p>
+<h4>Using trusted certificates</h4>
+<p>If possible, always use a certificate issued by a well-known, trusted CA for your server. Most programming environments come with a predefined list
+of trusted root CAs, and certificates issued by these authorities are validated automatically. This is the best practice, and it requires no
+additional code or configuration.</p>
+<h4>Working with self-signed certificates or non-standard CAs</h4>
+<p>In some cases, you might need to work with a server using a self-signed certificate, or a certificate issued by a CA not included in your trusted
+roots. Rather than disabling certificate validation in your code, you can add the necessary certificates to your trust store.</p>
 <h2>Resources</h2>
 <h3>Standards</h3>
 <ul>
@@ -115,6 +115,8 @@ <h3>Standards</h3>
   Development: V-222550</a> - The application must validate certificates by constructing a certification path to an accepted trust anchor. </li>
   <li> CERT - <a
   href="https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms">https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms</a> </li>
+  <li> Google Support - <a href="https://support.google.com/faqs/answer/7071387?hl=en">How to address WebView SSL Error Handler alerts in your
+  apps</a> </li>
   <li> Android Documentation - <a
   href="https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)">WebViewClient.onReceivedSslError</a> method </li>
 </ul>

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5542.html

@@ -141,6 +141,7 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography">Mobile Top 10 2024 Category M10 -
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/327">CWE-327 - Use of a Broken or Risky Cryptographic Algorithm</a> </li>
+  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/780">CWE-780 - Use of RSA Algorithm without OAEP</a> </li>
   <li> <a href="https://wiki.sei.cmu.edu/confluence/x/hDdGBQ">CERT, MSC61-J.</a> - Do not use insecure or weak cryptographic algorithms </li>
 </ul>
 

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6362.html

@@ -38,4 +38,8 @@ <h2>See</h2>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/79">CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site
   Scripting')</a> </li>
 </ul>
+<h3>Related rules</h3>
+<ul>
+  <li> {rule:kotlin:S7409} - Exposing Java objects through JavaScript interfaces is security-sensitive </li>
+</ul>
 

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6363.html

@@ -1,41 +1,88 @@
-<p>WebViews can be used to display web content as part of a mobile application. A browser engine is used to render and display the content. Like a web
-application, a mobile application that uses WebViews can be vulnerable to Cross-Site Scripting if untrusted code is rendered.</p>
-<p>If malicious JavaScript code in a WebView is executed this can leak the contents of sensitive files when access to local files is enabled.</p>
+<p>Exposing the Android file system to WebViews is security-sensitive.</p>
+<p>Granting file access to WebViews, particularly through the <code>file://</code> scheme, introduces a risk of local file inclusion vulnerabilities.
+The severity of this risk depends heavily on the specific <code>WebSettings</code> configured. Overly permissive settings can allow malicious scripts
+to access a wide range of local files, potentially exposing sensitive data such as Personally Identifiable Information (PII) or private application
+data, leading to data breaches and other security compromises.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
-  <li> No local files have to be accessed by the Webview. </li>
-  <li> The WebView contains untrusted data that could cause harm when rendered. </li>
+  <li> You open files that may be created or altered by external sources. </li>
+  <li> You open arbitrary URLs from external sources. </li>
 </ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
+<p>There is a risk if you answered yes to any of these questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p>It is recommended to disable access to local files for WebViews unless it is necessary. In the case of a successful attack through a Cross-Site
-Scripting vulnerability the attackers attack surface decreases drastically if no files can be read out.</p>
+<p>Avoid opening <code>file://</code> URLs from external sources in WebView components. If your application accepts arbitrary URLs from external
+sources, do not enable this functionality. Instead, utilize <code>androidx.webkit.WebViewAssetLoader</code> to access files, including assets and
+resources, via <code>http(s)://</code> schemes.</p>
+<p>For enhanced security, ensure that the options to load <code>file://</code> URLs are explicitly set to false.</p>
 <h2>Sensitive Code Example</h2>
 <pre>
-import android.webkit.WebView
-
-val webView: WebView = findViewById(R.id.webview)
-webView.getSettings().setAllowContentAccess(true) // Sensitive
-webView.getSettings().setAllowFileAccess(true) // Sensitive
+AndroidView(
+    factory = { context -&gt;
+        WebView(context).apply {
+            webViewClient = WebViewClient()
+            settings.apply {
+                allowFileAccess = true  // Sensitive
+                allowFileAccessFromFileURLs = true  // Sensitive
+                allowUniversalAccessFromFileURLs = true  // Sensitive
+                allowContentAccess = true  // Sensitive
+            }
+            loadUrl("file:///android_asset/example.html")
+        }
+   }
+)
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
-import android.webkit.WebView
+AndroidView(
+    factory = { context -&gt;
+        val webView = WebView(context)
+        val assetLoader = WebViewAssetLoader.Builder()
+            .addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(context))
+            .build()
+
+        webView.webViewClient = object : WebViewClient() {
+            @RequiresApi(Build.VERSION_CODES.LOLLIPOP)
+            override fun shouldInterceptRequest(view: WebView?, request: WebResourceRequest): WebResourceResponse? {
+                return assetLoader.shouldInterceptRequest(request.url)
+            }
+
+            @Suppress("deprecation")
+            override fun shouldInterceptRequest(view: WebView?, url: String?): WebResourceResponse? {
+                return assetLoader.shouldInterceptRequest(Uri.parse(url))
+            }
+        }
+
+        webView.settings.apply {
+            allowFileAccess = false
+            allowFileAccessFromFileURLs = false
+            allowUniversalAccessFromFileURLs = false
+            allowContentAccess = false
+        }
 
-val webView: WebView = findViewById(R.id.webview)
-webView.getSettings().setAllowContentAccess(false)
-webView.getSettings().setAllowFileAccess(false)
+        webView.loadUrl("https://appassets.androidplatform.net/assets/example.html")
+        webView
+    }
+)
 </pre>
+<p>The compliant solution uses <code>WebViewAssetLoader</code> to load local files instead of directly accessing them via <code>file://</code> URLs.
+This approach serves assets over a secure <code><a href="https://appassets.androidplatform.net">https://appassets.androidplatform.net</a></code> URL,
+effectively isolating the WebView from the local file system.</p>
+<p>The file access settings are disabled by default in modern Android versions. To prevent possible security issues in
+<code>Build.VERSION_CODES.Q</code> and earlier, it is still recommended to explicitly set those values to false.</p>
 <h2>See</h2>
 <ul>
-  <li> OWASP - <a href="https://owasp.org/Top10/A03_2021-Injection/">Top 10 2021 Category A3 - Injection</a> </li>
+  <li> OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
+  Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)">Top 10 2017 Category A7 - Cross-Site Scripting
-  (XSS)</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration">Mobile Top 10 2024 Category M8 - Security
   Misconfiguration</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-PLATFORM/">Mobile AppSec Verification Standard - Platform Interaction Requirements</a>
+  </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/79">CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site
   Scripting')</a> </li>
+  <li> Android Documentation - <a href="https://developer.android.com/privacy-and-security/risks/webview-unsafe-file-inclusion">WebViews - Unsafe File
+  Inclusion</a> </li>
 </ul>
 

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S6363.json

@@ -25,8 +25,8 @@
       79
     ],
     "OWASP": [
-      "A6",
-      "A7"
+      "A3",
+      "A6"
     ],
     "MASVS": [
       "MSTG-PLATFORM-2"
@@ -35,7 +35,7 @@
       "M8"
     ],
     "OWASP Top 10 2021": [
-      "A3"
+      "A1"
     ],
     "PCI DSS 3.2": [
       "6.5.1",

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7409.html

@@ -1,19 +1,20 @@
-<p>Using Javascript interfaces in WebViews is unsafe as it allows JavaScript to invoke Java methods, potentially giving attackers access to data or
-sensitive app functionality. WebViews might include untrusted sources such as third-party iframes, making this functionality particularly risky. As
-Javascript interfaces are passed to every frame in the WebView, those iframes are also able to access the exposed Java methods.</p>
+<p>Using JavaScript interfaces in WebViews to expose Java objects is unsafe. Doing so allows JavaScript to invoke Java methods, potentially giving
+attackers access to data or sensitive app functionality. WebViews might include untrusted sources such as third-party iframes, making this
+functionality particularly risky. As JavaScript interfaces are passed to every frame in the WebView, those iframes are also able to access the exposed
+Java object.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> The content in the WebView is fully trusted and secure. </li>
   <li> Potentially untrusted iframes could be loaded in the WebView. </li>
-  <li> The Javascript interface has to be exposed for the entire lifecycle of the WebView. </li>
-  <li> The exposed Java methods will accept input from potentially untrusted sources. </li>
+  <li> The JavaScript interface has to be exposed for the entire lifecycle of the WebView. </li>
+  <li> The exposed Java object might be called by untrusted sources. </li>
 </ul>
 <p>There is a risk if you answered yes to any of these questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <h3>Disable JavaScript</h3>
-<p>If it is possible to disable JavaScript in the WebView, this is the most secure option. By default, JavaScript is disabled in a WebView, so you do
-not need to explicitly call <code>webSettings.setJavaScriptEnabled(true)</code> in your <code>WebSettings</code> configuration. Of course, sometimes
-it is necessary to enable JavaScript, in which case the following recommendations should be considered.</p>
+<p>If it is possible to disable JavaScript in the WebView, this is the most secure option. By default, JavaScript is disabled in a WebView, so
+<code>webSettings.javaScriptEnabled = false</code> does not need to be explicitly called. Of course, sometimes it is necessary to enable JavaScript,
+in which case the following recommendations should be considered.</p>
 <h3>Remove JavaScript interface when loading untrusted content</h3>
 <p>JavaScript interfaces can be removed at a later point. It is recommended to remove the JavaScript interface when it is no longer needed. If it is
 needed for a longer time, consider removing it before loading untrusted content. This can be done by calling
@@ -45,7 +46,8 @@ <h2>Sensitive Code Example</h2>
 }
 </pre>
 <h2>Compliant Solution</h2>
-<p>The most secure option is to disable JavaScript entirely.</p>
+<p>The most secure option is to disable JavaScript entirely. {rule:kotlin:S6362} further explains why it should not be enabled unless absolutely
+necessary.</p>
 <pre>
 class ExampleActivity : AppCompatActivity() {
     override fun onCreate(savedInstanceState: Bundle?) {
@@ -85,7 +87,9 @@ <h2>Compliant Solution</h2>
         webView.settings.javaScriptEnabled = true
 
         WebViewCompat.addWebMessageListener(
-            webView, "androidBridge", ALLOWED_ORIGINS,  // Only allow messages from these origins
+            webView,
+            "androidBridge",
+            ALLOWED_ORIGINS,  // Only allow messages from these origins
             object : WebViewCompat.WebMessageListener {
                 override fun onPostMessage(
                     view: WebView,
@@ -113,4 +117,8 @@ <h2>See</h2>
   Security Misconfiguration</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/79">CWE-79 - Improper Neutralization of Input During Web Page Generation</a> </li>
 </ul>
+<h3>Related rules</h3>
+<ul>
+  <li> {rule:kotlin:S6362} - Enabling JavaScript support for WebViews is security-sensitive </li>
+</ul>
 

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S7409.json

@@ -1,5 +1,5 @@
 {
-  "title": "Exposing Java interfaces in WebViews is security-sensitive",
+  "title": "Exposing Java objects through JavaScript interfaces is security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "remediation": {
@@ -29,7 +29,7 @@
       79
     ]
   },
-  "quickfix": "unknown",
+  "quickfix": "partial",
   "code": {
     "impacts": {
       "SECURITY": "MEDIUM"