update metadata for 3.4.1 (#908)

Author: andrea-guarino-sonarsource

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2053.json

@@ -14,7 +14,7 @@
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-2053",
   "sqKey": "S2053",
-  "scope": "All",
+  "scope": "Main",
   "securityStandards": {
     "CWE": [
       759,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2092.html

@@ -3,8 +3,8 @@
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> the cookie is for instance a <em>session-cookie</em> not designed to be sent over non-HTTPS communication. </li>
-  <li> it's not sure that the website contains <a href="https://developer.mozilla.org/fr/docs/Web/Security/Mixed_content">mixed content</a> or not (ie
-  HTTPS everywhere or not) </li>
+  <li> it's not sure that the website contains <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content">mixed content</a> or not
+  (ie HTTPS everywhere or not) </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3329.html

@@ -1,15 +1,7 @@
-<p>In encryption, when Cipher Block Chaining (CBC) is used, the Initialization Vector (IV) must be random and unpredictable. Otherwise, the encrypted
-value is vulnerable to crypto-analysis attacks such as the "Chosen-Plaintext Attack".</p>
-<p>An IV value should be associated to one, and only one encryption cycle, because the IV's purpose is to ensure that the same plaintext encrypted
-twice will yield two different ciphertexts.</p>
-<p>To that end, IV's should be:</p>
-<ul>
-  <li> random </li>
-  <li> unpredictable </li>
-  <li> publishable (IVs are frequently published) </li>
-  <li> authenticated, along with the ciphertext, with a Message Authentication Code (MAC) </li>
-</ul>
-<p>This rule raises an issue when the IV is hard-coded.</p>
+<p>When encrypting data with the Cipher Block Chaining (CBC) mode an Initialization Vector (IV) is used to randomize the encryption, ie under a given
+key the same plaintext doesn't always produce the same ciphertext. The IV doesn't need to be secret but should be unpredictable to avoid
+"Chosen-Plaintext Attack".</p>
+<p>To generate Initialization Vectors, NIST recommends to use a secure random number generator.</p>
 <h2>Noncompliant Code Example</h2>
 <p>For <a href="https://github.com/Legrandin/pycryptodome">PyCryptodome</a> module:</p>
 <pre>
@@ -54,6 +46,9 @@ <h2>See</h2>
 <ul>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
   Misconfiguration </li>
+  <li> <a href="http://cwe.mitre.org/data/definitions/329">MITRE, CWE-329</a> - CWE-329: Not Using an Unpredictable IV with CBC Mode </li>
   <li> <a href="http://cwe.mitre.org/data/definitions/330">MITRE, CWE-330</a> - Use of Insufficiently Random Values </li>
+  <li> <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf">NIST, SP-800-38A</a> - Recommendation for Block Cipher
+  Modes of Operation </li>
 </ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3329.json

@@ -1,5 +1,5 @@
 {
-  "title": "Cipher Block Chaining IV's should be random and unique",
+  "title": "Cipher Block Chaining IV's should be unpredictable",
   "type": "VULNERABILITY",
   "status": "ready",
   "remediation": {
@@ -16,7 +16,8 @@
   "scope": "Main",
   "securityStandards": {
     "CWE": [
-      330
+      330,
+      329
     ],
     "OWASP": [
       "A6"

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3752.html

@@ -69,7 +69,7 @@ <h2>See</h2>
   <li> <a href="https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control">OWASP Top 10 2017 Category A5</a> -
   Broken Access Control </li>
   <li> <a href="https://cwe.mitre.org/data/definitions/352.html">MITRE, CWE-352</a> - Cross-Site Request Forgery (CSRF) </li>
-  <li> <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29">OWASP: Cross-Site Request Forgery</a> </li>
+  <li> <a href="https://owasp.org/www-community/attacks/csrf">OWASP: Cross-Site Request Forgery</a> </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
   <li> <a href="https://docs.djangoproject.com/en/3.1/topics/http/decorators/#allowed-http-methods">Django</a> - Allowed HTTP Methods </li>
   <li> <a href="https://flask.palletsprojects.com/en/1.1.x/quickstart/#http-methods">Flask</a> - HTTP Methods </li>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.json

@@ -13,7 +13,7 @@
     "sans-top25-porous",
     "owasp-a3"
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4423",
   "sqKey": "S4423",
   "scope": "Main",

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4426.json

@@ -12,7 +12,7 @@
     "owasp-a6",
     "owasp-a3"
   ],
-  "defaultSeverity": "Blocker",
+  "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-4426",
   "sqKey": "S4426",
   "scope": "Main",

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html

@@ -141,7 +141,7 @@ <h2>See</h2>
   <li> <a href="https://cwe.mitre.org/data/definitions/352.html">MITRE, CWE-352</a> - Cross-Site Request Forgery (CSRF) </li>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
   Misconfiguration </li>
-  <li> <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29">OWASP: Cross-Site Request Forgery</a> </li>
+  <li> <a href="https://owasp.org/www-community/attacks/csrf">OWASP: Cross-Site Request Forgery</a> </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
 </ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5542.html

@@ -1,15 +1,17 @@
-<p>To perform secure cryptography, operation modes and padding scheme are essentials and should be used correctly according to the encryption
-algorithm:</p>
+<p>Encryption operation mode and the padding scheme should be chosen appropriately to guarantee data confidentiality, integrity and authenticity:</p>
 <ul>
-  <li> For block cipher encryption algorithms (like AES), the GCM (Galois Counter Mode) mode that <a
-  href="https://en.wikipedia.org/wiki/Galois/Counter_Mode#Mathematical_basis">works internally</a> with zero/no padding scheme, is recommended. At the
-  opposite, these modes and/or schemes are highly discouraged:
+  <li> For block cipher encryption algorithms (like AES):
     <ul>
-      <li> Electronic Codebook (ECB) mode is vulnerable because it doesn't provide serious message confidentiality: under a given key any given
-      plaintext block always gets encrypted to the same ciphertext block. </li>
-      <li> Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is vulnerable to padding oracle attacks. </li>
+      <li> The GCM (Galois Counter Mode) mode which <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode#Mathematical_basis">works
+      internally</a> with zero/no padding scheme, is recommended, as it is designed to provide both data authenticity (integrity) and confidentiality.
+      Other similar modes are CCM, CWC, EAX, IAPM and OCB. </li>
+      <li> The CBC (Cipher Block Chaining) mode by itself provides only data confidentiality, it's recommended to use it along with Message
+      Authentication Code or similar to achieve data authenticity (integrity) too and thus to <a
+      href="https://en.wikipedia.org/wiki/Padding_oracle_attack">prevent padding oracle attacks</a>. </li>
+      <li> The ECB (Electronic Codebook) mode doesn't provide serious message confidentiality: under a given key any given plaintext block always gets
+      encrypted to the same ciphertext block. This mode should not be used. </li>
     </ul> </li>
-  <li> RSA encryption algorithm should be used with the recommended padding scheme (OAEP) </li>
+  <li> For RSA encryption algorithm, the recommended padding scheme is OAEP. </li>
 </ul>
 <h2>Noncompliant Code Examples</h2>
 <p><a href="https://pycryptodome.readthedocs.io">pycryptodomex</a> library:</p>
@@ -48,7 +50,7 @@ <h2>Noncompliant Code Examples</h2>
   padding.PKCS1v15() # Noncompliant
 )
 </pre>
-<p><a href="http://whitemans.ca/des.html">pydes</a> library:</p>
+<p><a href="https://pypi.org/project/pyDes/">pydes</a> library:</p>
 <pre>
 # For DES cipher
 des = pyDes.des('ChangeIt') # Noncompliant

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5542.json

@@ -9,7 +9,7 @@
     "sans-top25-porous",
     "owasp-a3"
   ],
-  "defaultSeverity": "Blocker",
+  "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5542",
   "sqKey": "S5542",
   "scope": "Main",