SONARPHP-1633 Fix discrepancies between MQR and severity for PHP rules (#1380)

Author: jonas-wielage-sonarsource

gradle.properties

@@ -1,5 +1,5 @@
 group=org.sonarsource.php
-version=3.42-SNAPSHOT
+version=3.42.1-SNAPSHOT
 description=SonarSource PHP Analyzer
 org.gradle.parallel=false
 org.gradle.caching=true

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1135.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "LOW"
+      "MAINTAINABILITY": "INFO"
     },
     "attribute": "COMPLETE"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2115.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "TRUSTWORTHY"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html

@@ -49,15 +49,10 @@ <h2>See</h2>
   <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a> </li>
-  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
-  Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/338">CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)</a>
   </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/330">CWE-330 - Use of Insufficiently Random Values</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/326">CWE-326 - Inadequate Encryption Strength</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1241">CWE-1241 - Use of Predictable Algorithm in Random Number Generator</a> </li>
-  <li> Derived from FindSecBugs rule <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM">Predictable Pseudo Random Number
-  Generator</a> </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.json

@@ -29,12 +29,6 @@
     "OWASP": [
       "A3"
     ],
-    "OWASP Mobile": [
-      "M5"
-    ],
-    "MASVS": [
-      "MSTG-CRYPTO-6"
-    ],
     "OWASP Top 10 2021": [
       "A2"
     ],

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2755.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.json

@@ -30,12 +30,6 @@
       "A3",
       "A6"
     ],
-    "OWASP Mobile": [
-      "M3"
-    ],
-    "MASVS": [
-      "MSTG-NETWORK-2"
-    ],
     "OWASP Top 10 2021": [
       "A2",
       "A7"

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.html

@@ -73,7 +73,7 @@ <h3>How does this work?</h3>
 <h4>RSA (Rivest-Shamir-Adleman) and DSA (Digital Signature Algorithm)</h4>
 <p>The security of these algorithms depends on the difficulty of attacks attempting to solve their underlying mathematical problem.</p>
 <p>In general, a minimum key size of <strong>2048</strong> bits is recommended for both. It provides 112 bits of security. A key length of
-<strong>3072</strong> or <strong>4092</strong> should be preferred when possible.</p>
+<strong>3072</strong> or <strong>4096</strong> should be preferred when possible.</p>
 <h4>AES (Advanced Encryption Standard)</h4>
 <p>AES supports three key sizes: 128 bits, 192 bits and 256 bits. The security of the AES algorithm is based on the computational complexity of trying
 all possible keys.<br> A larger key size increases the number of possible keys and makes exhaustive search attacks computationally infeasible.
@@ -127,9 +127,6 @@ <h3>Standards</h3>
   Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
-  Insufficient Cryptography</a> </li>
   <li> <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf">NIST 800-131A</a> - Recommendation for Transitioning the
   Use of Cryptographic Algorithms and Key Lengths </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/326">CWE-326 - Inadequate Encryption Strength</a> </li>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.json

@@ -28,12 +28,6 @@
       "A3",
       "A6"
     ],
-    "OWASP Mobile": [
-      "M5"
-    ],
-    "MASVS": [
-      "MSTG-CRYPTO-3"
-    ],
     "OWASP Top 10 2021": [
       "A2"
     ],

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.html

@@ -34,9 +34,6 @@ <h2>See</h2>
   Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
-  Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1240">CWE-1240 - Use of a Risky Cryptographic Primitive</a> </li>
 </ul>