SONARXML-279 Update RSPEC (#379)

Author: tomasz-tylenda-sonarsource

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S2068.html

@@ -2,8 +2,8 @@
 for applications that are distributed or that are open-source.</p>
 <p>In the past, it has led to the following vulnerabilities:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466">CVE-2019-13466</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389">CVE-2018-15389</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2019-13466">CVE-2019-13466</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2018-15389">CVE-2018-15389</a> </li>
 </ul>
 <p>Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.</p>
 <p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S2647.html

@@ -86,7 +86,7 @@ <h3>Standards</h3>
   <li> <a href="https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html#user-authentication">OWASP Web Service Security
   Cheat Sheet</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/522">CWE-522 - Insufficiently Protected Credentials</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222533">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222533">Application Security and
   Development: V-222533</a> - The application must authenticate all network connected endpoint devices before establishing any connection. </li>
 </ul>
 

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S3330.html

@@ -44,7 +44,7 @@ <h2>See</h2>
   (XSS)</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1004">CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag</a> </li>
   <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE">HTTPONLY_COOKIE</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222575">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222575">Application Security and
   Development: V-222575</a> - The application must set the HTTPOnly flag on session cookies. </li>
 </ul>
 

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S4507.json

@@ -39,6 +39,9 @@
     ],
     "OWASP Top 10 2021": [
       "A5"
+    ],
+    "ASVS 4.0": [
+      "14.3.2"
     ]
   },
   "quickfix": "unknown"

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S5122.html

@@ -1,7 +1,7 @@
 <p>Having a permissive Cross-Origin Resource Sharing policy is security-sensitive. It has led in the past to the following vulnerabilities:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0269">CVE-2018-0269</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14460">CVE-2017-14460</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2018-0269">CVE-2018-0269</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2017-14460">CVE-2017-14460</a> </li>
 </ul>
 <p><a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy">Same origin policy</a> in browsers prevents, by default and for
 security-reasons, a javascript frontend to perform a cross-origin HTTP request to a resource that has a different origin (domain, protocol, or port)

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S5322.html

@@ -1,8 +1,8 @@
 <p>Android applications can receive broadcasts from the system or other applications. Receiving intents is security-sensitive. For example, it has led
 in the past to the following vulnerabilities:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1677">CVE-2019-1677</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1275">CVE-2015-1275</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2019-1677">CVE-2019-1677</a> </li>
+  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2015-1275">CVE-2015-1275</a> </li>
 </ul>
 <p>Receivers can be declared in the manifest or in the code to make them context-specific. If the receiver is declared in the manifest Android will
 start the application if it is not already running once a matching broadcast is received. The receiver is an entry point into the application.</p>

sonar-xml-plugin/src/main/resources/org/sonar/l10n/xml/rules/xml/S5332.html

@@ -90,27 +90,27 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/200">CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/319">CWE-319 - Cleartext Transmission of Sensitive Information</a> </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222397">Application Security and
   Development: V-222397</a> - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222534">Application Security and
   Development: V-222534</a> - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222562">Application Security and
   Development: V-222562</a> - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of
   maintenance and diagnostic communications. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222563">Application Security and
   Development: V-222563</a> - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of
   maintenance and diagnostic communications. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222577">Application Security and
   Development: V-222577</a> - The application must not expose session IDs. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222596">Application Security and
   Development: V-222596</a> - The application must protect the confidentiality and integrity of transmitted information. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222597">Application Security and
   Development: V-222597</a> - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect
   changes to information during transmission. </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222598">Application Security and
   Development: V-222598</a> - The application must maintain the confidentiality and integrity of information during preparation for transmission.
   </li>
-  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599">Application Security and
+  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222599">Application Security and
   Development: V-222599</a> - The application must maintain the confidentiality and integrity of information during reception. </li>
 </ul>
 

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "XML"
   ],
-  "latest-update": "2025-04-03T15:02:09.825524Z",
+  "latest-update": "2025-11-24T13:42:34.135101Z",
   "options": {
     "no-language-in-filenames": true
   }