SONARTEXT-10 Migrate rules to educational format (#112)

Author: nils-werner-sonarsource

pom.xml

@@ -71,7 +71,7 @@
     <!-- dependency versions -->
     <sonar.version>9.8.0.63668</sonar.version>
     <sonar.api.version>9.13.0.360</sonar.api.version>
-    <analyzer.commons.version>2.1.0.1111</analyzer.commons.version>
+    <analyzer.commons.version>2.5.0.1358</analyzer.commons.version>
     <orchestrator.version>3.40.0.183</orchestrator.version>
     <junit.version>5.9.1</junit.version>
     <assertj.version>3.23.1</assertj.version>

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6290.html

@@ -1,3 +1,4 @@
+<h2>Why is this an issue?</h2>
 <p>AWS credentials are designed to authenticate and authorize requests to AWS.</p>
 <p>If your application interacts with AWS then it requires AWS credentials to access all the resources it needs to function properly. Resources that
 can be accessed depend on the permission granted to the AWS account. These credentials may authenticate to the AWS account root user who has
@@ -16,7 +17,7 @@ <h2>Recommended Secure Coding Practices</h2>
 <p>If possible, a better alternative is to use your cloud provider’s service for managing secrets. On AWS this service is called <a
 href="https://aws.amazon.com/fr/secrets-manager/">Secrets Manager</a>.</p>
 <p>When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.</p>
-<h2>See</h2>
+<h2>Resources</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
   Authentication Failures </li>

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6290.json

@@ -7,9 +7,7 @@
     "constantCost": "30min"
   },
   "tags": [
-    "cwe",
-    "sans-top25-porous",
-    "owasp-a3"
+    "cwe"
   ],
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-6290",

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6292.html

@@ -1,3 +1,4 @@
+<h2>Why is this an issue?</h2>
 <p>Amazon Marketplace Web Service credentials are designed to authenticate and authorize Amazon sellers.</p>
 <p>If your application interacts with Amazon MWS then it requires credentials to access all the resources it needs to function properly. The
 credentials authenticate to a seller account which can have access to resources like products, orders, price or shipment information.</p>
@@ -9,7 +10,7 @@ <h2>Recommended Secure Coding Practices</h2>
 <p>If possible, a better alternative is to use your cloud provider’s service for managing secrets. On AWS this service is called <a
 href="https://aws.amazon.com/fr/secrets-manager/">Secrets Manager</a>.</p>
 <p>When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.</p>
-<h2>See</h2>
+<h2>Resources</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
   Authentication Failures </li>

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6292.json

@@ -7,9 +7,7 @@
     "constantCost": "30min"
   },
   "tags": [
-    "cwe",
-    "sans-top25-porous",
-    "owasp-a3"
+    "cwe"
   ],
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-6292",

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6334.html

@@ -1,3 +1,4 @@
+<h2>Why is this an issue?</h2>
 <p>Google API keys are used to authenticate applications that consume Google Cloud APIs. They are especially useful for accessing public data
 anonymously (like Google Maps), and are used to associate API requests with your project for quota and billing.</p>
 <p>API keys are not strictly secret as they are often embedded into client side code or mobile applications that consume Google Cloud APIs. Still,
@@ -17,7 +18,7 @@ <h2>Recommended Secure Coding Practices</h2>
 <p>In addition to secure storage, it’s important to apply <a
 href="https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions">restrictions</a> to API keys in order to mitigate the impacts when
 they are discovered by malicious actors.</p>
-<h2>See</h2>
+<h2>Resources</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
   Authentication Failures </li>

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6334.json

@@ -7,9 +7,7 @@
     "constantCost": "30min"
   },
   "tags": [
-    "cwe",
-    "sans-top25-porous",
-    "owasp-a3"
+    "cwe"
   ],
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-6334",

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6335.html

@@ -1,3 +1,4 @@
+<h2>Why is this an issue?</h2>
 <p>Google Cloud service accounts are designed to authenticate and authorize requests to Google APIs.</p>
 <p>If your application interacts with Google Cloud services then it requires a service account to access all the resources it needs to function
 properly. Resources that can be accessed depend on the permission granted to the service account. Establishing the identity of a service account
@@ -13,7 +14,7 @@ <h2>Recommended Secure Coding Practices</h2>
 <p>If possible, a better alternative is to use your cloud provider’s service for managing secrets. On Google Cloud this service is called <a
 href="https://cloud.google.com/secret-manager">Secret Manager</a>.</p>
 <p>When keys are disclosed in the application code, consider them as compromised and revoke them immediately.</p>
-<h2>See</h2>
+<h2>Resources</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
   Authentication Failures </li>

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6335.json

@@ -7,9 +7,7 @@
     "constantCost": "30min"
   },
   "tags": [
-    "cwe",
-    "sans-top25-porous",
-    "owasp-a3"
+    "cwe"
   ],
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-6335",

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6336.html

@@ -1,3 +1,4 @@
+<h2>Why is this an issue?</h2>
 <p>AccessKeys are long term credentials designed to authenticate and authorize requests to Alibaba Cloud.</p>
 <p>If your application interacts with Alibaba Cloud then it requires AccessKeys to access all the resources it needs to function properly. Resources
 that can be accessed depend on the permissions granted to the Alibaba Cloud account. These credentials may authenticate to the account root user who
@@ -15,7 +16,7 @@ <h2>Recommended Secure Coding Practices</h2>
 <p>If possible, a better alternative is to use your cloud provider’s service for managing secrets. On AlibabaCloud this service is called <a
 href="https://www.alibabacloud.com/help/doc-detail/152001.htm">Secrets Manager</a>.</p>
 <p>When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.</p>
-<h2>See</h2>
+<h2>Resources</h2>
 <ul>
   <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
   Authentication Failures </li>