Update rule metadata to prepare v3.21 (#1315)

Author: andreaguarino

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3329.html

@@ -45,16 +45,13 @@ <h2>Compliant Solution</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">OWASP Top 10 2021 Category A2</a> - Cryptographic Failures </li>
-  <li> <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
-  Misconfiguration </li>
+  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
+  </li>
   <li> <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
   Verification Standard</a> - Cryptography Requirements </li>
   <li> <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">OWASP Mobile Top 10 2016 Category M5</a> -
   Insufficient Cryptography </li>
   <li> <a href="https://cwe.mitre.org/data/definitions/329">MITRE, CWE-329</a> - Not Using an Unpredictable IV with CBC Mode </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/330">MITRE, CWE-330</a> - Use of Insufficiently Random Values </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/340">MITRE, CWE-340</a> - Generation of Predictable Numbers or Identifiers </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/1204">MITRE, CWE-1204</a> - Generation of Weak Initialization Vector (IV) </li>
   <li> <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf">NIST, SP-800-38A</a> - Recommendation for Block Cipher
   Modes of Operation </li>
 </ul>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3329.json

@@ -8,7 +8,7 @@
   },
   "tags": [
     "cwe",
-    "owasp-a6",
+    "owasp-a3",
     "owasp-m5"
   ],
   "defaultSeverity": "Critical",
@@ -17,13 +17,10 @@
   "scope": "Main",
   "securityStandards": {
     "CWE": [
-      329,
-      330,
-      340,
-      1204
+      329
     ],
     "OWASP": [
-      "A6"
+      "A3"
     ],
     "OWASP Mobile": [
       "M5"

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.html

@@ -3,6 +3,9 @@
 <p>It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the
 door to downgrade attacks: a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a
 less secure version.</p>
+<p>In most cases, using the default system configuration is not compliant. Indeed, an application might get deployed on a wide range of systems with
+different configurations. While using a system’s default value might be safe on modern up-to-date systems, this might not be the case on older
+systems. It is therefore recommended to explicitly set a safe configuration in every case.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 from OpenSSL import SSL
@@ -41,12 +44,14 @@ <h2>Compliant Solution</h2>
 <pre>
 from OpenSSL import SSL
 
-SSL.Context(SSL.TLSv1_2_METHOD)
+context = SSL.Context(SSL.TLS_SERVER_METHOD)
+context.set_min_proto_version(SSL.TLS1_3_VERSION)
 </pre>
 <pre>
 import ssl
 
-ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+context.minimum_version = ssl.TLSVersion.TLSv1_3
 </pre>
 <p>For <a href="https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html">aws_cdk.aws_apigateway.DomainName</a>:</p>
 <pre>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5332.html

@@ -1,20 +1,20 @@
-<p>Clear-text protocols such as <code>ftp</code>, <code>telnet</code> or non-secure <code>http</code> lack encryption of transported data, as well as
-the capability to build an authenticated connection. It means that an attacker able to sniff traffic from the network can read, modify or corrupt the
+<p>Clear-text protocols such as <code>ftp</code>, <code>telnet</code>, or <code>http</code> lack encryption of transported data, as well as the
+capability to build an authenticated connection. It means that an attacker able to sniff traffic from the network can read, modify, or corrupt the
 transported content. These protocols are not secure as they expose applications to an extensive range of risks:</p>
 <ul>
-  <li> Sensitive data exposure </li>
-  <li> Traffic redirected to a malicious endpoint </li>
-  <li> Malware infected software update or installer </li>
-  <li> Execution of client side code </li>
-  <li> Corruption of critical information </li>
+  <li> sensitive data exposure </li>
+  <li> traffic redirected to a malicious endpoint </li>
+  <li> malware-infected software update or installer </li>
+  <li> execution of client-side code </li>
+  <li> corruption of critical information </li>
 </ul>
 <p>Even in the context of isolated networks like offline environments or segmented cloud environments, the insider threat exists. Thus, attacks
 involving communications being sniffed or tampered with can still happen.</p>
 <p>For example, attackers could successfully compromise prior security layers by:</p>
 <ul>
-  <li> Bypassing isolation mechanisms </li>
-  <li> Compromising a component of the network </li>
-  <li> Getting the credentials of an internal IAM account (either from a service account or an actual person) </li>
+  <li> bypassing isolation mechanisms </li>
+  <li> compromising a component of the network </li>
+  <li> getting the credentials of an internal IAM account (either from a service account or an actual person) </li>
 </ul>
 <p>In such cases, encrypting communications would decrease the chances of attackers to successfully leak data or steal credentials from other network
 components. By layering various security practices (segmentation and encryption, for example), the application will follow the
@@ -30,27 +30,27 @@
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> Application data needs to be protected against falsifications or leaks when transiting over the network. </li>
-  <li> Application data transits over a network that is considered untrusted. </li>
+  <li> Application data transits over an untrusted network. </li>
   <li> Compliance rules require the service to encrypt data in transit. </li>
   <li> Your application renders web pages with a relaxed mixed content policy. </li>
-  <li> OS level protections against clear-text traffic are deactivated. </li>
+  <li> OS-level protections against clear-text traffic are deactivated. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
   <li> Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most
   common clear-text protocols:
     <ul>
-      <li> Use<code>ssh</code> as an alternative to <code>telnet</code> </li>
-      <li> Use <code>sftp</code>, <code>scp</code> or <code>ftps</code> instead of <code>ftp</code> </li>
-      <li> Use <code>https</code> instead of <code>http</code> </li>
-      <li> Use <code>SMTP</code> over <code>SSL/TLS</code> or <code>SMTP</code> with <code>STARTTLS</code> instead of clear-text SMTP </li>
+      <li> Use <code>ssh</code> as an alternative to <code>telnet</code>. </li>
+      <li> Use <code>sftp</code>, <code>scp</code>, or <code>ftps</code> instead of <code>ftp</code>. </li>
+      <li> Use <code>https</code> instead of <code>http</code>. </li>
+      <li> Use <code>SMTP</code> over <code>SSL/TLS</code> or <code>SMTP</code> with <code>STARTTLS</code> instead of clear-text SMTP. </li>
     </ul>  </li>
-  <li> Enable encryption of cloud components communications whenever it’s possible. </li>
+  <li> Enable encryption of cloud components communications whenever it is possible. </li>
   <li> Configure your application to block mixed content when rendering web pages. </li>
-  <li> If available, enforce OS level deactivation of all clear-text traffic </li>
+  <li> If available, enforce OS-level deactivation of all clear-text traffic. </li>
 </ul>
-<p>It is recommended to secure all transport channels (even local network) as it can take a single non secure connection to compromise an entire
+<p>It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire
 application or system.</p>
 <h2>Sensitive Code Example</h2>
 <pre>
@@ -629,7 +629,7 @@ <h2>Compliant Solution</h2>
 <h2>Exceptions</h2>
 <p>No issue is reported for the following cases because they are not considered sensitive:</p>
 <ul>
-  <li> Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or <code>localhost</code> </li>
+  <li> Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or <code>localhost</code>. </li>
 </ul>
 <h2>See</h2>
 <ul>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5542.html

@@ -1,4 +1,4 @@
-<p>Encryption operations should use a secure mode and padding scheme so that confidentiality and integrity can be guaranteed.</p>
+<p>Encryption algorithms should use secure modes and padding schemes where appropriate to guarantee data confidentiality and integrity.</p>
 <ul>
   <li> For block cipher encryption algorithms (like AES):
     <ul>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6303.html

@@ -1,15 +1,20 @@
-<p>Amazon Relational Database Service (RDS) allows to easily host and manage a relational database in the cloud. RDS databases can be encrypted,
-ensuring the security of data-at-rest. In the case that adversaries gain physical access to the storage medium they are not able to access the
-data.</p>
+<p>Using unencrypted RDS DB resources exposes data to unauthorized access to the underlying storage.<br> This includes database data, logs, automatic
+backups, read replicas, snapshots, and cluster metadata.</p>
+<p>This situation can occur in a variety of scenarios, such as:</p>
+<ul>
+  <li> a malicious insider working at the cloud provider gains physical access to the storage device and exfiltrates data. </li>
+  <li> unknown attackers penetrate the cloud provider’s logical infrastructure and systems for extortion. </li>
+</ul>
+<p>AWS-managed encryption at rest reduces this risk with a simple switch.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> The database contains sensitive data that could cause harm when leaked. </li>
   <li> There are compliance requirements for the service to store data encrypted. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p>It’s recommended to encrypt databases that contain sensitive information. Encryption and decryption are handled transparently by RDS, so no further
-modifications to the application are necessary.</p>
+<p>It is recommended to enable encryption at rest on any RDS DB resource, regardless of the engine.<br> In any case, no further maintenance is
+required as encryption at rest is fully managed by AWS.</p>
 <h2>Sensitive Code Example</h2>
 <p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html">aws_cdk.aws_rds.DatabaseCluster</a> and <a
 href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html">aws_cdk.aws_rds.DatabaseInstance</a>:</p>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6303.json

@@ -1,5 +1,5 @@
 {
-  "title": "Using unencrypted RDS databases is security-sensitive",
+  "title": "Using unencrypted RDS DB resources is security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "remediation": {

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6304.html

@@ -43,7 +43,10 @@ <h2>Compliant Solution</h2>
 )
 </pre>
 <h2>Exceptions</h2>
-<p>No issue is reported when on Key policies in AWS KMS.</p>
+<ul>
+  <li> Should not be raised on key policies (when AWS KMS actions are used.) </li>
+  <li> Should not be raised on policies not using any resources (if and only if all actions in the policy never require resources.) </li>
+</ul>
 <h2>See</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP Top 10 2021 Category A1</a> - Broken Access Control </li>

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "PY"
   ],
-  "latest-update": "2022-11-03T10:54:41.092693Z",
+  "latest-update": "2022-12-08T09:58:09.170573Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true