Update rules metadata (#1752)

Author: guillaume-dequenne

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S117.html

@@ -9,15 +9,17 @@ <h2>Why is this an issue?</h2>
 <h3>What is the potential impact?</h3>
 <p>Inconsistent naming of local variables and function parameters can lead to several issues in your code:</p>
 <ul>
-  <li> Reduced Readability: inconsistent local variable and function parameter names make the code harder to read and understand; consequently, it is
-  more difficult to identify the purpose of each variable, spot errors, or comprehend the logic. </li>
-  <li> Difficulty in Identifying Variables: local variables and function parameters that don’t adhere to a standard naming convention are challenging
-  to identify; thus, the coding process slows down, especially when dealing with a large codebase. </li>
-  <li> Increased Risk of Errors: inconsistent or unclear local variable and function parameter names lead to misunderstandings about what the variable
-  represents. This ambiguity leads to incorrect assumptions and, consequently, bugs in the code. </li>
-  <li> Collaboration Difficulties: in a team setting, inconsistent naming conventions lead to confusion and miscommunication among team members. </li>
-  <li> Difficulty in Code Maintenance: inconsistent naming leads to an inconsistent codebase. The code is difficult to understand, and making changes
-  feels like refactoring constantly, as you face different naming methods. Ultimately, it makes the codebase harder to maintain. </li>
+  <li> <strong>Reduced Readability</strong>: Inconsistent local variable and function parameter names make the code harder to read and understand;
+  consequently, it is more difficult to identify the purpose of each variable, spot errors, or comprehend the logic. </li>
+  <li> <strong>Difficulty in Identifying Variables</strong>: The local variables and function parameters that don’t adhere to a standard naming
+  convention are challenging to identify; thus, the coding process slows down, especially when dealing with a large codebase. </li>
+  <li> <strong>Increased Risk of Errors</strong>: Inconsistent or unclear local variable and function parameter names lead to misunderstandings about
+  what the variable represents. This ambiguity leads to incorrect assumptions and, consequently, bugs in the code. </li>
+  <li> <strong>Collaboration Difficulties</strong>: In a team setting, inconsistent naming conventions lead to confusion and miscommunication among
+  team members. </li>
+  <li> <strong>Difficulty in Code Maintenance</strong>: Inconsistent naming leads to an inconsistent codebase. The code is difficult to understand,
+  and making changes feels like refactoring constantly, as you face different naming methods. Ultimately, it makes the codebase harder to maintain.
+  </li>
 </ul>
 <p>In summary, not adhering to a naming convention for local variables and function parameters can lead to confusion, errors, and inefficiencies,
 making the code harder to read, understand, and maintain.</p>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1481.html

@@ -5,16 +5,16 @@ <h2>Why is this an issue?</h2>
 <h3>What is the potential impact?</h3>
 <p>Having unused local variables in your code can lead to several issues:</p>
 <ul>
-  <li> Decreased Readability: Unused variables can make your code more difficult to read. They add extra lines and complexity, which can distract from
-  the main logic of the code. </li>
-  <li> Misunderstanding: When other developers read your code, they may wonder why a variable is declared but not used. This can lead to confusion and
-  misinterpretation of the code’s intent. </li>
-  <li> Potential for Bugs: If a variable is declared but not used, it might indicate a bug or incomplete code. For example, if you declared a variable
-  intending to use it in a calculation, but then forgot to do so, your program might not work as expected. </li>
-  <li> Maintenance Issues: Unused variables can make code maintenance more difficult. If a programmer sees an unused variable, they might think it is
-  a mistake and try to 'fix' the code, potentially introducing new bugs. </li>
-  <li> Memory Usage: Although modern compilers are smart enough to ignore unused variables, not all compilers do this. In such cases, unused variables
-  take up memory space, leading to inefficient use of resources. </li>
+  <li> <strong>Decreased Readability</strong>: Unused variables can make your code more difficult to read. They add extra lines and complexity, which
+  can distract from the main logic of the code. </li>
+  <li> <strong>Misunderstanding</strong>: When other developers read your code, they may wonder why a variable is declared but not used. This can lead
+  to confusion and misinterpretation of the code’s intent. </li>
+  <li> <strong>Potential for Bugs</strong>: If a variable is declared but not used, it might indicate a bug or incomplete code. For example, if you
+  declared a variable intending to use it in a calculation, but then forgot to do so, your program might not work as expected. </li>
+  <li> <strong>Maintenance Issues</strong>: Unused variables can make code maintenance more difficult. If a programmer sees an unused variable, they
+  might think it is a mistake and try to 'fix' the code, potentially introducing new bugs. </li>
+  <li> <strong>Memory Usage</strong>: Although modern compilers are smart enough to ignore unused variables, not all compilers do this. In such cases,
+  unused variables take up memory space, leading to inefficient use of resources. </li>
 </ul>
 <p>In summary, unused local variables can make your code less readable, more confusing, and harder to maintain, and they can potentially lead to bugs
 or inefficient memory use. Therefore, it is best to remove them.</p>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2053.html

@@ -37,22 +37,69 @@ <h3>Code examples</h3>
 <p>The following code contains examples of hard-coded salts.</p>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
-import crypt
+import hashlib
 
-hash = crypt.crypt(password) # Noncompliant
+hash = hashlib.scrypt(password, salt=b"F3MdWpeHeeSjlUxvKBnzzA", n=2**17, r=8, p=1) # Noncompliant
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
-import crypt
+import hashlib
+import secrets
 
-salt = crypt.mksalt(crypt.METHOD_SHA256)
-hash = crypt.crypt(password, salt)
+salt = secrets.token_bytes(32)
+hash = hashlib.scrypt(password, salt=salt, n=2**17, r=8, p=1)
 </pre>
 <h3>How does this work?</h3>
 <p>This code ensures that each user’s password has a unique salt value associated with it. It generates a salt randomly and with a length that
 provides the required security level. It uses a salt length of at least 32 bytes (256 bits), as recommended by industry standards.</p>
-<p>Here, the compliant code example ensures the salt is random and has a sufficient length by calling the <code>crypt.mksalt</code> function. This one
-internally uses a cryptographically secure pseudo random number generator.</p>
+<p>Here, the compliant code example ensures the salt is random and has a sufficient length by calling the <code>secrets.token_bytes</code> function.
+This one internally uses a cryptographically secure pseudo random number generator.</p>
+<h2>How to fix it in pyca</h2>
+<h3>Code examples</h3>
+<p>The following code contains examples of hard-coded salts.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.primitives import hashes
+
+digest = PBKDF2HMAC(hashes.SHA256(), length=32, salt=b"F3MdWpeHeeSjlUxvKBnzzA", iterations=100000).derive(password)
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+import secrets
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.primitives import hashes
+
+salt = secrets.token_bytes(32)
+digest = PBKDF2HMAC(hashes.SHA256(), length=32, salt=salt, iterations=100000).derive(password)
+</pre>
+<h3>How does this work?</h3>
+<p>This code ensures that each user’s password has a unique salt value associated with it. It generates a salt randomly and with a length that
+provides the required security level. It uses a salt length of at least 32 bytes (256 bits), as recommended by industry standards.</p>
+<p>Here, the compliant code example ensures the salt is random and has a sufficient length by calling the <code>secrets.token_bytes</code> function.
+This one internally uses a cryptographically secure pseudo random number generator.</p>
+<h2>How to fix it in Cryptodome</h2>
+<h3>Code examples</h3>
+<p>The following code contains examples of hard-coded salts.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="3" data-diff-type="noncompliant">
+from Crypto.Protocol.KDF import scrypt
+
+digest = scrypt(password, salt=b"F3MdWpeHeeSjlUxvKBnzzA", key_len=32, N=2**17, r=8, p=1) # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="3" data-diff-type="compliant">
+import secrets
+from Crypto.Protocol.KDF import scrypt
+
+salt = secrets.token_bytes(32)
+digest = scrypt(password, salt=salt, key_len=32, N=2**17, r=8, p=1)
+</pre>
+<h3>How does this work?</h3>
+<p>This code ensures that each user’s password has a unique salt value associated with it. It generates a salt randomly and with a length that
+provides the required security level. It uses a salt length of at least 32 bytes (256 bits), as recommended by industry standards.</p>
+<p>Here, the compliant code example ensures the salt is random and has a sufficient length by calling the <code>secrets.token_bytes</code> function.
+This function internally uses a cryptographically secure pseudo-random number generator.</p>
 <h2>Resources</h2>
 <h3>Standards</h3>
 <ul>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.html

@@ -79,8 +79,8 @@ <h2>Sensitive Code Example</h2>
 regex.subn('(a*)*b', replacement, input)  # Sensitive
 </pre>
 <h2>Exceptions</h2>
-<p>Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: <code>(a|aa)``,
-``(a|a?)</code>.</p>
+<p>Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: <code>(a|aa)+</code>,
+<code>(a|a?)+</code>.</p>
 <p>It is a good idea to test your regular expression if it has the same pattern on both side of a "<code>|</code>".</p>
 <h2>See</h2>
 <ul>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5542.html

@@ -14,8 +14,10 @@ <h2>Why is this an issue?</h2>
 </ol>
 <p>For these reasons, as soon as cryptography is included in a project, it is important to choose encryption algorithms that are considered strong and
 secure by the cryptography community.</p>
-<p>For AES, the weakest modes are CBC (Cipher Block Chaining) and ECB (Electronic Codebook) because they are either vulnerable to padding oracles or
-do not provide authentication mechanisms.</p>
+<p>For AES, the weakest mode is ECB (Electronic Codebook). Repeated blocks of data are encrypted to the same value, making them easy to identify and
+reducing the difficulty of recovering the original cleartext.</p>
+<p>Unauthenticated modes such as CBC (Cipher Block Chaining) may be used but are prone to attacks that manipulate the ciphertext. They must be used
+with caution.</p>
 <p>For RSA, the weakest algorithms are either using it without padding or using the PKCS1v1.5 padding scheme.</p>
 <h3>What is the potential impact?</h3>
 <p>The cleartext of an encrypted message might be recoverable. Additionally, it might be possible to modify the cleartext of an encrypted message.</p>
@@ -58,7 +60,8 @@ <h4>Compliant solution</h4>
 <h3>How does this work?</h3>
 <p>As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.</p>
 <p>Appropriate choices are currently the following.</p>
-<h4>For AES: Use Galois/Counter mode (GCM)</h4>
+<h4>For AES: use authenticated encryption modes</h4>
+<p>The best-known authenticated encryption mode for AES is Galois/Counter mode (GCM).</p>
 <p>GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and
 authenticity of data.</p>
 <p>Other similar modes are:</p>
@@ -69,8 +72,8 @@ <h4>For AES: Use Galois/Counter mode (GCM)</h4>
   <li> IAPM: <code>Integer Authenticated Parallelizable Mode</code> </li>
   <li> OCB: <code>Offset Codebook Mode</code> </li>
 </ul>
-<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it</p>
-<p>is considered more straightforward to use AES-GCM directly instead.</p>
+<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it is considered more straightforward to use AES-GCM directly
+instead.</p>
 <h4>For RSA: use the OAEP scheme</h4>
 <p>The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of
 RSA.</p>
@@ -147,7 +150,8 @@ <h4>Compliant solution</h4>
 <h3>How does this work?</h3>
 <p>As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.</p>
 <p>Appropriate choices are currently the following.</p>
-<h4>For AES: Use Galois/Counter mode (GCM)</h4>
+<h4>For AES: use authenticated encryption modes</h4>
+<p>The best-known authenticated encryption mode for AES is Galois/Counter mode (GCM).</p>
 <p>GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and
 authenticity of data.</p>
 <p>Other similar modes are:</p>
@@ -158,8 +162,8 @@ <h4>For AES: Use Galois/Counter mode (GCM)</h4>
   <li> IAPM: <code>Integer Authenticated Parallelizable Mode</code> </li>
   <li> OCB: <code>Offset Codebook Mode</code> </li>
 </ul>
-<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it</p>
-<p>is considered more straightforward to use AES-GCM directly instead.</p>
+<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it is considered more straightforward to use AES-GCM directly
+instead.</p>
 <h4>For RSA: use the OAEP scheme</h4>
 <p>The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of
 RSA.</p>
@@ -198,7 +202,8 @@ <h4>Compliant solution</h4>
 <h3>How does this work?</h3>
 <p>As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.</p>
 <p>Appropriate choices are currently the following.</p>
-<h4>For AES: Use Galois/Counter mode (GCM)</h4>
+<h4>For AES: use authenticated encryption modes</h4>
+<p>The best-known authenticated encryption mode for AES is Galois/Counter mode (GCM).</p>
 <p>GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and
 authenticity of data.</p>
 <p>Other similar modes are:</p>
@@ -209,8 +214,8 @@ <h4>For AES: Use Galois/Counter mode (GCM)</h4>
   <li> IAPM: <code>Integer Authenticated Parallelizable Mode</code> </li>
   <li> OCB: <code>Offset Codebook Mode</code> </li>
 </ul>
-<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it</p>
-<p>is considered more straightforward to use AES-GCM directly instead.</p>
+<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it is considered more straightforward to use AES-GCM directly
+instead.</p>
 <h4>For RSA: use the OAEP scheme</h4>
 <p>The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of
 RSA.</p>
@@ -237,7 +242,8 @@ <h4>Compliant solution</h4>
 <h3>How does this work?</h3>
 <p>As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.</p>
 <p>Appropriate choices are currently the following.</p>
-<h4>For AES: Use Galois/Counter mode (GCM)</h4>
+<h4>For AES: use authenticated encryption modes</h4>
+<p>The best-known authenticated encryption mode for AES is Galois/Counter mode (GCM).</p>
 <p>GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and
 authenticity of data.</p>
 <p>Other similar modes are:</p>
@@ -248,8 +254,8 @@ <h4>For AES: Use Galois/Counter mode (GCM)</h4>
   <li> IAPM: <code>Integer Authenticated Parallelizable Mode</code> </li>
   <li> OCB: <code>Offset Codebook Mode</code> </li>
 </ul>
-<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it</p>
-<p>is considered more straightforward to use AES-GCM directly instead.</p>
+<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it is considered more straightforward to use AES-GCM directly
+instead.</p>
 <h4>For RSA: use the OAEP scheme</h4>
 <p>The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of
 RSA.</p>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6554.html

@@ -26,5 +26,7 @@ <h4>Compliant solution</h4>
 </pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>
-<p><a href="https://docs.djangoproject.com/en/4.1/ref/models/instances/#django.db.models.Model.<em>str</em>">Django Model.<em>str</em>()</a></p>
+<p><a
+href="https://docs.djangoproject.com/en/4.1/ref/models/instances/#django.db.models.Model">https://docs.djangoproject.com/en/4.1/ref/models/instances/#django.db.models.Model</a>.<em>str</em>[Django
+Model.<em>str</em>()]</p>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6662.html

@@ -31,7 +31,8 @@ <h4>Compliant solution</h4>
 <h2>Resources</h2>
 <h3>Documentation</h3>
 <ul>
-  <li> Python Documentation - <a href="https://docs.python.org/3/reference/datamodel.html#object.<em>hash</em>">object.<em>hash</em></a> </li>
+  <li> Python Documentation - <a
+  href="https://docs.python.org/3/reference/datamodel.html#object">https://docs.python.org/3/reference/datamodel.html#object</a>.<em>hash</em>[object.<em>hash</em>] </li>
   <li> Python Documentation - <a href="https://docs.python.org/3/library/functions.html#hash">the hash built-in function</a> </li>
 </ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6663.html

@@ -34,5 +34,7 @@ <h4>Compliant solution</h4>
 </pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>
-<p>Python Documentation - <a href="https://docs.python.org/3/library/operator.html#operator.<em>index</em>"><em>index</em> method</a></p>
+<p>Python Documentation - <a
+href="https://docs.python.org/3/library/operator.html#operator">https://docs.python.org/3/library/operator.html#operator</a>.<em>index</em>[<em>index</em>
+method]</p>