From 1ee0049ab86440acf066dfe1dd12dbee4ad95011 Mon Sep 17 00:00:00 2001 
From: aurelien-coet-sonarsource Date: Thu, 7 May 2026 15:03:32 +0000 Subject: [PATCH 1/2] Update rule metadata --- .../org/sonar/l10n/java/rules/java/S106.html | 4 +- .../org/sonar/l10n/java/rules/java/S1065.html | 3 +- .../org/sonar/l10n/java/rules/java/S1111.html | 3 +- .../org/sonar/l10n/java/rules/java/S1113.html | 3 +- .../org/sonar/l10n/java/rules/java/S1114.html | 3 +- .../org/sonar/l10n/java/rules/java/S1116.html | 12 +-- .../org/sonar/l10n/java/rules/java/S1117.html | 4 +- .../org/sonar/l10n/java/rules/java/S112.html | 4 +- .../org/sonar/l10n/java/rules/java/S1121.html | 4 +- .../org/sonar/l10n/java/rules/java/S1143.html | 4 +- .../org/sonar/l10n/java/rules/java/S1147.html | 4 +- .../org/sonar/l10n/java/rules/java/S1163.html | 4 +- .../org/sonar/l10n/java/rules/java/S1166.html | 4 +- .../org/sonar/l10n/java/rules/java/S1168.html | 8 +- .../org/sonar/l10n/java/rules/java/S1172.html | 3 +- .../org/sonar/l10n/java/rules/java/S1174.html | 3 +- .../org/sonar/l10n/java/rules/java/S1181.html | 5 +- .../org/sonar/l10n/java/rules/java/S1182.html | 3 +- .../org/sonar/l10n/java/rules/java/S1193.html | 4 +- .../org/sonar/l10n/java/rules/java/S1206.html | 4 +- .../org/sonar/l10n/java/rules/java/S121.html | 4 +- .../org/sonar/l10n/java/rules/java/S126.html | 7 +- .../org/sonar/l10n/java/rules/java/S128.html | 9 ++- .../org/sonar/l10n/java/rules/java/S131.html | 3 +- .../org/sonar/l10n/java/rules/java/S1313.json | 3 +- .../org/sonar/l10n/java/rules/java/S1314.html | 7 +- .../org/sonar/l10n/java/rules/java/S1444.html | 3 +- .../org/sonar/l10n/java/rules/java/S1449.html | 5 +- .../org/sonar/l10n/java/rules/java/S1656.html | 3 +- .../org/sonar/l10n/java/rules/java/S1659.html | 6 +- .../org/sonar/l10n/java/rules/java/S1696.html | 3 +- .../org/sonar/l10n/java/rules/java/S1698.html | 8 +- .../org/sonar/l10n/java/rules/java/S1699.html | 7 +- .../org/sonar/l10n/java/rules/java/S1764.html | 3 +- .../org/sonar/l10n/java/rules/java/S1860.html | 3 +- 
.../org/sonar/l10n/java/rules/java/S1862.html | 3 +- .../org/sonar/l10n/java/rules/java/S1872.html | 3 +- .../org/sonar/l10n/java/rules/java/S1943.html | 8 +- .../org/sonar/l10n/java/rules/java/S1989.html | 4 +- .../org/sonar/l10n/java/rules/java/S2057.html | 3 +- .../org/sonar/l10n/java/rules/java/S2059.html | 3 +- .../org/sonar/l10n/java/rules/java/S2061.html | 4 +- .../org/sonar/l10n/java/rules/java/S2066.html | 3 +- .../org/sonar/l10n/java/rules/java/S2068.json | 3 +- .../org/sonar/l10n/java/rules/java/S2077.html | 3 +- .../org/sonar/l10n/java/rules/java/S2077.json | 3 +- .../org/sonar/l10n/java/rules/java/S2092.json | 3 +- .../org/sonar/l10n/java/rules/java/S2093.html | 4 +- .../org/sonar/l10n/java/rules/java/S2111.html | 3 +- .../org/sonar/l10n/java/rules/java/S2143.html | 70 ++++++++++++------ .../org/sonar/l10n/java/rules/java/S2151.html | 3 +- .../org/sonar/l10n/java/rules/java/S2159.html | 3 +- .../org/sonar/l10n/java/rules/java/S2162.html | 4 +- .../org/sonar/l10n/java/rules/java/S2164.html | 4 +- .../org/sonar/l10n/java/rules/java/S2168.html | 3 +- .../org/sonar/l10n/java/rules/java/S2175.html | 4 +- .../org/sonar/l10n/java/rules/java/S2178.html | 3 +- .../org/sonar/l10n/java/rules/java/S2184.html | 8 +- .../org/sonar/l10n/java/rules/java/S2197.html | 7 +- .../org/sonar/l10n/java/rules/java/S2201.html | 3 +- .../org/sonar/l10n/java/rules/java/S2225.html | 3 +- .../org/sonar/l10n/java/rules/java/S2245.html | 3 +- .../org/sonar/l10n/java/rules/java/S2251.html | 4 +- .../org/sonar/l10n/java/rules/java/S2274.html | 3 +- .../org/sonar/l10n/java/rules/java/S2276.html | 3 +- .../org/sonar/l10n/java/rules/java/S2384.html | 9 ++- .../org/sonar/l10n/java/rules/java/S2386.html | 6 +- .../org/sonar/l10n/java/rules/java/S2390.html | 4 +- .../org/sonar/l10n/java/rules/java/S2442.html | 4 +- .../org/sonar/l10n/java/rules/java/S2445.html | 4 +- .../org/sonar/l10n/java/rules/java/S2446.html | 3 +- .../org/sonar/l10n/java/rules/java/S2447.html | 3 +- 
.../org/sonar/l10n/java/rules/java/S2612.html | 5 +- .../org/sonar/l10n/java/rules/java/S2612.json | 3 +- .../org/sonar/l10n/java/rules/java/S2674.html | 3 +- .../org/sonar/l10n/java/rules/java/S2681.html | 4 +- .../org/sonar/l10n/java/rules/java/S2693.html | 3 +- .../org/sonar/l10n/java/rules/java/S2886.html | 4 +- .../org/sonar/l10n/java/rules/java/S3011.html | 4 +- .../org/sonar/l10n/java/rules/java/S3014.html | 3 +- .../org/sonar/l10n/java/rules/java/S3034.html | 3 +- .../org/sonar/l10n/java/rules/java/S3064.html | 3 +- .../org/sonar/l10n/java/rules/java/S3067.html | 3 +- .../org/sonar/l10n/java/rules/java/S3077.html | 5 +- .../org/sonar/l10n/java/rules/java/S3078.html | 4 +- .../org/sonar/l10n/java/rules/java/S3346.html | 3 +- .../org/sonar/l10n/java/rules/java/S3366.html | 6 +- .../org/sonar/l10n/java/rules/java/S3457.html | 3 +- .../org/sonar/l10n/java/rules/java/S3551.html | 4 +- .../org/sonar/l10n/java/rules/java/S4347.html | 5 +- .../org/sonar/l10n/java/rules/java/S4423.html | 4 +- .../org/sonar/l10n/java/rules/java/S4426.html | 4 +- .../org/sonar/l10n/java/rules/java/S4507.json | 3 +- .../org/sonar/l10n/java/rules/java/S4512.html | 73 ++++++++++--------- .../org/sonar/l10n/java/rules/java/S4512.json | 7 +- .../org/sonar/l10n/java/rules/java/S4830.html | 5 +- .../org/sonar/l10n/java/rules/java/S4973.html | 8 +- .../org/sonar/l10n/java/rules/java/S5042.html | 60 ++++++++------- .../org/sonar/l10n/java/rules/java/S5042.json | 15 ++-- .../org/sonar/l10n/java/rules/java/S5324.html | 2 +- .../org/sonar/l10n/java/rules/java/S5527.html | 4 +- .../org/sonar/l10n/java/rules/java/S5542.html | 4 +- .../org/sonar/l10n/java/rules/java/S5738.html | 3 +- .../org/sonar/l10n/java/rules/java/S6418.html | 4 +- .../org/sonar/l10n/java/rules/java/S6418.json | 3 +- .../org/sonar/l10n/java/rules/java/S7409.html | 4 +- .../org/sonar/l10n/java/rules/java/S818.html | 6 +- .../org/sonar/l10n/java/rules/java/S864.html | 7 +- .../org/sonar/l10n/java/rules/java/S881.html | 10 ++- 
.../org/sonar/l10n/java/rules/java/S888.html | 3 +- .../org/sonar/l10n/java/rules/java/S899.html | 6 +- .../org/sonar/l10n/java/rules/java/S923.html | 4 +- .../java/rules/java/Sonar_way_profile.json | 1 + sonarpedia.json | 2 +- 114 files changed, 417 insertions(+), 264 deletions(-)
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S106.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S106.html
index b5e935f9ed2..7b01700531a 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S106.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S106.html
@@ -41,6 +41,8 @@

Documentation

Monitoring Failures
  • OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
  • -
  • CERT, ERR02-J. - Prevent exceptions while logging data
  • +
  • CERT, + ERR02-J. - Prevent exceptions while logging data
  • diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1065.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1065.html index ee08e1648ee..282ea34238c 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1065.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1065.html @@ -20,6 +20,7 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1065.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1065.html
index ee08e1648ee..282ea34238c 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1065.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1065.html
@@ -20,6 +20,7 @@

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1111.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1111.html
index 8e0e9a96313..815ad80f114 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1111.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1111.html
@@ -18,6 +18,7 @@

    Exceptions

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1113.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1113.html
index 76259bd86b7..cf48fb43b27 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1113.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1113.html
@@ -29,6 +29,7 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1114.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1114.html
index abaac7a0920..53080d11818 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1114.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1114.html
@@ -24,6 +24,7 @@

    Compliant solution

    Resources

    Documentation

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1116.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1116.html
index dcf08dd0964..1a5d35754fc 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1116.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1116.html
@@ -28,10 +28,12 @@

    Noncompliant code example

    Resources

    Documentation

    Related rules

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1117.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1117.html
index 004b0a5bce1..c8a00874578 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1117.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1117.html
@@ -24,8 +24,8 @@

    Noncompliant code example

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1699.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1699.html
index 7aeaa3d820b..087479dd2c3 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1699.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1699.html
@@ -38,8 +38,9 @@

    Exceptions

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1764.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1764.html
index 08f0200dc1a..48dda451e06 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1764.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1764.html
@@ -39,7 +39,8 @@

    Compliant solution

    Resources

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1860.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1860.html
index 47553549551..9ade357314b 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1860.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1860.html
@@ -96,7 +96,8 @@

    Articles & blog posts

  • OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
  • CWE - CWE-600 - Uncaught Exception in Servlet
  • -
  • CERT, ERR01-J. - Do not allow exceptions to expose sensitive information
  • +
  • CERT, + ERR01-J. - Do not allow exceptions to expose sensitive information
  • diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2057.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2057.html index bb11cb2772d..29b21769712 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2057.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2057.html @@ -36,7 +36,8 @@

    Exceptions

    Errors), and classes marked with @SuppressWarnings("serial") are ignored.

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2057.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2057.html
index bb11cb2772d..29b21769712 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2057.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2057.html
@@ -36,7 +36,8 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2059.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2059.html
index 23f8e15f0da..85112ab4bb5 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2059.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2059.html
@@ -29,6 +29,7 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2061.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2061.html
index 0c5bd6d43b5..11df8635891 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2061.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2061.html
@@ -42,8 +42,8 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json index 2d7e1399f56..fc12ceb2ead 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json @@ -15,7 +15,8 @@ "quickfix": "infeasible", "tags": [ "cwe", - "cert" + "cert", + "former-hotspot" ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2068", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html index 5eb1ede7bc6..2ac22139f9f 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html @@ -78,7 +78,8 @@

    See

  • CWE - CWE-564 - SQL Injection: Hibernate
  • CWE - CWE-20 - Improper Input Validation
  • CWE - CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
  • -
  • CERT, IDS00-J. - Prevent SQL injection
  • +
  • CERT, IDS00-J. - Prevent SQL injection
  • Derived from FindSecBugs rules Potential SQL/JPQL Injection (JPA), Potential SQL/JDOQL Injection (JDO), Potential SQL/HQL Injection (Hibernate)
  • diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json index 8fc140052fa..0e7bc3fb10e 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json @@ -19,7 +19,8 @@ "bad-practice", "cert", "hibernate", - "sql" + "sql", + "former-hotspot" ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2077", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2092.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2092.json index 56c30f558e7..d69ce264447 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2092.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2092.json @@ -16,7 +16,8 @@ "tags": [ "cwe", "spring", - "privacy" + "privacy", + "former-hotspot" ], "defaultSeverity": "Minor", "ruleSpecification": "RSPEC-2092", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2093.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2093.html index 83228b64482..59a5ef3be69 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2093.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2093.html @@ -60,8 +60,8 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2093.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2093.html
index 83228b64482..59a5ef3be69 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2093.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2093.html
@@ -60,8 +60,8 @@

    Resources

    Documentation

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2111.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2111.html
index 0c1993e6209..2d0fb37571d 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2111.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2111.html
@@ -28,6 +28,7 @@

    Why is this an issue?

    -

    The old, much-derided Date and Calendar classes have always been confusing and difficult to use properly, particularly in -a multi-threaded context. JodaTime has long been a popular alternative, but now an even better option is built-in. Java 8’s JSR 310 -implementation offers specific classes for:

    +

    The old, much-derided Date and Calendar classes have always been confusing and error-prone, particularly in a +multi-threaded context. The JodaTime library has long been a popular alternative, but it is also considered outdated. Starting from Java SE 8, the +built-in java.time (JSR-310) API provides a modern, immutable, and thread-safe framework that addresses these long-standing design +flaws.

    +

    Note: While Joda-Time remains the standard for handling date and time in java versions prior to 8, users of newer versions should +migrate to the java.time API.

    +

    The java.time package offers specific classes for:

    @@ -16,34 +20,34 @@

    Why is this an issue?

    @@ -70,6 +74,14 @@

    Why is this an issue?

    the date and time with a time zone and offset

    + + + +
    -

    LocalDate

    +

    Instant

    -

    a date, without time of day, offset, or zone

    +

    a timestamp

    -

    LocalTime

    +

    LocalDate

    -

    the time of day, without date, offset, or zone

    +

    a date, without time of day, offset, or zone

    -

    LocalDateTime

    +

    LocalTime

    -

    the date and time, without offset, or zone

    +

    the time of day, without date, offset, or zone

    -

    OffsetDate

    +

    LocalDateTime

    -

    a date with an offset such as +02:00, without time of day, or zone

    +

    the date and time, without offset, or zone

    +

    Year

    +
    +

    a year

    +

    YearMonth

    @@ -88,49 +100,63 @@

    Why is this an issue?

    -

    Year/MonthOfDay/DayOfWeek/…​

    +

    Month/DayOfWeek

    -

    classes for the important fields

    +

    enum classes for date fields

    -

    DateTimeFields

    +

    Period

    -

    stores a map of field-value pairs which may be invalid

    +

    a date-based amount of time, such as "2 months and 3 days"

    -

    Calendrical

    +

    Duration

    -

    access to the low-level API

    +

    a time-based amount of time, such as "34.5 seconds"

    -

    Period

    +

    Clock

    -

    a descriptive amount of time, such as "2 months and 3 days"

    +

    a clock providing access to the current instant, date and time

    +

    How to fix it

    +

    Use the java.time API instead of java.util.Calendar, java.util.Date or JodaTime.

    Noncompliant code example

    +

    Use of java.util.Date or java.util.Calendar

     Date now = new Date();  // Noncompliant
     DateFormat df = new SimpleDateFormat("dd.MM.yyyy");
     Calendar christmas  = Calendar.getInstance();  // Noncompliant
     christmas.setTime(df.parse("25.12.2020"));
     
    +

    Use of Joda-Time

    +
    +DateTime dateTime =  new DateTime(); // Noncompliant
    +

    Compliant solution

    -LocalDate now = LocalDate.now();  // gets calendar date. no time component
    -LocalTime now2 = LocalTime.now(); // gets current time. no date component
    -LocalDate christmas = LocalDate.of(2020,12,25);
    +LocalDate nowUTC = LocalDate.now(ZoneOffset.UTC);  // gets current date in UTC
    +LocalDate christmas = LocalDate.of(2020, Month.DECEMBER,25); // create date from year/month/day
    +ZonedDateTime nowParis = ZonedDateTime.now(ZoneId.of("Europe/Paris")); // get current time in Paris with time-zone information
     
    +

    Resources

    +

    Documentation

    +
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2151.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2151.html
index 171be0e8fdb..c2d16048cf4 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2151.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2151.html
@@ -21,6 +21,7 @@
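Review bot: The compliant solution drops the parsing step that the noncompliant example depends on, so a reader migrating `christmas.setTime(df.parse("25.12.2020"))` is not shown the java.time equivalent; add `LocalDate christmas = LocalDate.parse("25.12.2020", DateTimeFormatter.ofPattern("dd.MM.yyyy"));` next to the `LocalDate.of` line. That also makes the practical reason for the rule visible: `DateTimeFormatter` is immutable and safe to share, whereas the `SimpleDateFormat` in the noncompliant block is not, which is the concurrency hazard the description alludes to. Minor style: `LocalDate.of(2020, Month.DECEMBER,25)` is missing a space after the last comma. In the prose, "java versions prior to 8" should be capitalised as "Java".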

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2159.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2159.html
index c60184b9120..f3e7a437bb8 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2159.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2159.html
@@ -53,6 +53,7 @@

    Noncompliant code example

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2162.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2162.html
index 159d0296d26..f331611156f 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2162.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2162.html
@@ -63,7 +63,7 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2164.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2164.html
index b45e3e8410c..a1126a382d0 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2164.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2164.html
@@ -25,7 +25,7 @@

    Exceptions

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2168.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2168.html
index 9008b5d254b..1728a990079 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2168.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2168.html
@@ -56,7 +56,8 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2251.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2251.html
index a4a3033bf55..f07d76c8245 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2251.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2251.html
@@ -60,7 +60,9 @@

    Compliant solution

    Resources

    Documentation

    Articles & blog posts

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json index 49909d4f519..c4484e9d751 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json @@ -14,7 +14,8 @@ }, "tags": [ "cwe", - "cert" + "cert", + "former-hotspot" ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2612", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2674.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2674.html index 02037e629ff..98f76ffd676 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2674.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2674.html @@ -32,6 +32,7 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2681.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2681.html
index b0c47c5b67f..9ae69317606 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2681.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2681.html
@@ -30,6 +30,8 @@

    Why is this an issue?

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2693.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2693.html
index b869287bed7..e77e22454e0 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2693.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2693.html
@@ -16,6 +16,7 @@

    Noncompliant code example

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2886.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2886.html
index bc5ac236b8d..b3da1ad24fd 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2886.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2886.html
@@ -75,7 +75,9 @@

    Articles & blog posts

    Standards

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3011.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3011.html
index 63fee75c65b..0355cc08755 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3011.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3011.html
@@ -17,7 +17,7 @@

    Resources

    Documentation

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3014.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3014.html
index 2bf49019117..d30a1c09c3f 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3014.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3014.html
@@ -33,6 +33,7 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3034.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3034.html
index e26fbb411d9..b443752393e 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3034.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3034.html
@@ -62,7 +62,8 @@

    Compliant solution

    Resources

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3064.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3064.html
index 346dfcd70a6..179d9f5edf4 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3064.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3064.html
@@ -44,7 +44,8 @@

    Compliant solution

    Resources

    Related rules

    diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html
index a9513383605..dfbc3dc887b 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4423.html
@@ -144,6 +144,8 @@

    Standards

  • OWASP - Mobile Top 10 2024 Category M5 - Insecure Communication
  • CWE - CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • -
  • CERT, MSC61-J. - Do not use insecure or weak cryptographic algorithms
  • +
  • CERT, + MSC61-J. - Do not use insecure or weak cryptographic algorithms
  • diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4426.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4426.html index 7bca208490f..9d167750e95 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4426.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4426.html @@ -184,6 +184,8 @@

    Standards

    Use of Cryptographic Algorithms and Key Lengths
  • CWE - CWE-326 - Inadequate Encryption Strength
  • CWE - CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • -
  • CERT, MSC61-J. - Do not use insecure or weak cryptographic algorithms
  • +
  • CERT, + MSC61-J. - Do not use insecure or weak cryptographic algorithms
  • diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json index 424b00cc4da..1192aac3943 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json @@ -17,7 +17,8 @@ "error-handling", "spring", "debug", - "user-experience" + "user-experience", + "former-hotspot" ], "defaultSeverity": "Minor", "ruleSpecification": "RSPEC-4507", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4512.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4512.html index 42ebd686f70..6138c4c4717 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4512.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4512.html @@ -1,31 +1,18 @@ -

    Setting JavaBean properties is security sensitive. Doing it with untrusted values has led in the past to the following vulnerability:

    - -

    JavaBeans can have their properties or nested properties set by population functions. An attacker can leverage this feature to push into the -JavaBean malicious data that can compromise the software integrity. A typical attack will try to manipulate the ClassLoader and finally execute -malicious code.

    -

    This rule raises an issue when:

    - -

    Ask Yourself Whether

    - -

    There is a risk if you answered yes to any of those questions.

    -

    Recommended Secure Coding Practices

    -

    Sanitize all values used as JavaBean properties.

    -

    Don’t set any sensitive properties. Keep full control over which properties are set. If the property names are provided by an unstrusted source, -filter them with a whitelist.

    -

    Sensitive Code Example

    -
    +

    Setting JavaBean properties from untrusted user input can allow an attacker to manipulate arbitrary object properties, including sensitive +internals such as class.classLoader.

    +

    Why is this an issue?

    +

    JavaBean property population functions such as BeanUtils.populate(), BeanUtils.setProperty(), +BeanUtilsBean.populate(), and BeanUtilsBean.setProperty() from Apache Commons BeanUtils, and +BeanWrapper.setPropertyValue() and BeanWrapper.setPropertyValues() from Spring, allow setting arbitrary bean properties by +name. When the property names or values are derived from untrusted input without validation, an attacker can set sensitive properties — for example, +class.classLoader — and use them to load and execute malicious code.

    +

    What is the potential impact?

    +

    If successfully exploited, this vulnerability can lead to remote code execution, full application compromise, data exfiltration, or lateral +movement within the network.

    +

    How to fix it

    +

    Code examples

    +

    Noncompliant code example

    +
     Company bean = new Company();
     HashMap map = new HashMap();
     Enumeration names = request.getParameterNames();
    @@ -33,17 +20,35 @@ 

    Sensitive Code Example

    String name = (String) names.nextElement(); map.put(name, request.getParameterValues(name)); } -BeanUtils.populate(bean, map); // Sensitive: "map" is populated with data coming from user input, here "request.getParameterNames()" +BeanUtils.populate(bean, map); // Noncompliant: "map" is populated with data coming from user input, here "request.getParameterNames()"
    -

    See

    +

    Compliant solution

    +
    +Company bean = new Company();
    +HashMap map = new HashMap();
    +Set<String> allowedProperties = Set.of("name", "address"); // define allowed properties
    +Enumeration names = request.getParameterNames();
    +while (names.hasMoreElements()) {
    +    String name = (String) names.nextElement();
    +    if (allowedProperties.contains(name)) {
    +        map.put(name, request.getParameterValues(name));
    +    }
    +}
    +BeanUtils.populate(bean, map);
    +
    +

    Resources

    +

    Articles & blog posts

    + +

    Standards

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4512.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4512.json
index 475d991a750..311e6924b8b 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4512.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4512.json
@@ -1,6 +1,6 @@
 {
- "title": "Setting JavaBean properties is security-sensitive",
- "type": "SECURITY_HOTSPOT",
+ "title": "JavaBean properties should not be populated from untrusted input",
+ "type": "VULNERABILITY",
 "code": {
 "impacts": {
 "SECURITY": "HIGH"
@@ -14,7 +14,8 @@
 },
 "tags": [
 "cwe",
- "cert"
+ "cert",
+ "former-hotspot"
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4512",
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4830.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4830.html
index 05240565e0f..dc94cc5c2d5 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4830.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4830.html
@@ -67,7 +67,7 @@

    Standards

    Misconfiguration
  • OWASP - Mobile Top 10 2016 Category M3 - Insecure Communication
  • -
  • OWASP - Mobile Top 10 2024 Category M5 - Insecure +
  • OWASP - Mobile Top 10 2023 Category M5 - Insecure Communication
  • OWASP - Mobile AppSec Verification Standard - Network Communication Requirements
  • @@ -75,6 +75,7 @@

    Standards

  • STIG Viewer - Application Security and Development: V-222550 - The application must validate certificates by constructing a certification path to an accepted trust anchor.
  • https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
• + href="https://cmu-sei.github.io/secure-coding-standards/sei-cert-oracle-coding-standard-for-java/recommendations/miscellaneous-msc/msc61-j">MSC61-J + - Do not use insecure or weak cryptographic algorithms
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4973.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4973.html
index 6d67615f6fd..3688ed27f5f 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4973.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4973.html
@@ -19,8 +19,10 @@

    Resources

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5042.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5042.html
index 42cc42aaed0..5c728b672bb 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5042.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5042.html
@@ -3,27 +3,24 @@ lead to denial of service. A Zip bomb is usually a malicious archive file of a few kilobytes of compressed data but turned into gigabytes of uncompressed data. To achieve this extreme compression ratio, attackers will compress irrelevant data (eg: a long string of repeated bytes).

    -

    Ask Yourself Whether

    -

    Archives to expand are untrusted and:

    - -

    There is a risk if you answered yes to any of those questions.

    -

    Recommended Secure Coding Practices

    - -

    Sensitive Code Example

    -
    +

    Why is this an issue?

    +

    Expanding archive files without controlling the size of the extracted data can lead to denial of service. A Zip bomb is a malicious archive of a +few kilobytes of compressed data that expands into gigabytes of uncompressed data by compressing highly repetitive content. Applications that fail to +validate the number of entries, total uncompressed size, or compression ratio of an archive are vulnerable to this attack.

    +

    What is the potential impact?

    +

    Denial of service

    +

    An attacker who can supply a malicious archive can exhaust the server’s disk space, memory, or CPU by triggering unbounded decompression. This can +make the application completely unavailable to legitimate users and may require manual intervention to recover the affected system.

    +

    How to fix it in Java SE

    +

    Validate the number of entries, total uncompressed size, and compression ratio when extracting archive files. Do not rely on getSize to retrieve the uncompressed size, as this value +comes from archive headers that can be forged; calculate the actual size while reading.

    +

    Code examples

    +

    Noncompliant code example

    +
     File f = new File("ZipBomb.zip");
     ZipFile zipFile = new ZipFile(f);
    -Enumeration<? extends ZipEntry> entries = zipFile.entries(); // Sensitive
    +Enumeration<? extends ZipEntry> entries = zipFile.entries(); // Noncompliant
     
     while(entries.hasMoreElements()) {
       ZipEntry ze = entries.nextElement();
    @@ -31,19 +28,16 @@ 

    Sensitive Code Example

    Files.copy(zipFile.getInputStream(ze), out.toPath(), StandardCopyOption.REPLACE_EXISTING); }
    -

    Compliant Solution

    -

    Do not rely on getsize to retrieve the size of an -uncompressed entry because this method returns what is defined in the archive headers which can be forged by attackers, instead calculate the actual -entry size when unzipping it:

    -
    +

    Compliant solution

    +
     File f = new File("ZipBomb.zip");
     ZipFile zipFile = new ZipFile(f);
     Enumeration<? extends ZipEntry> entries = zipFile.entries();
     
     int THRESHOLD_ENTRIES = 10000;
    -int THRESHOLD_SIZE = 1000000000; // 1 GB
    +long THRESHOLD_SIZE = 1000000000L; // 1 GB
     double THRESHOLD_RATIO = 10;
    -int totalSizeArchive = 0;
    +long totalSizeArchive = 0;
     int totalEntryArchive = 0;
     
     while(entries.hasMoreElements()) {
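Review bot: The widening of `THRESHOLD_SIZE` and `totalSizeArchive` to long stops at these two declarations; `int totalSizeEntry = 0;` in the next hunk is incremented by the same nBytes and still wraps negative once a single entry's uncompressed data passes Integer.MAX_VALUE, after which any ratio computed from it no longer bounds anything. Declaring it `long totalSizeEntry = 0;` keeps the three counters consistent with the description's own advice to measure the real size while reading. The ratio and threshold checks inside the read loop lie outside these hunks, so whether the archive-level bound would trip before the wrap cannot be confirmed here.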
    @@ -57,7 +51,7 @@ 

    Compliant Solution

    byte[] buffer = new byte[2048]; int totalSizeEntry = 0; - while((nBytes = in.read(buffer)) > 0) { // Compliant + while((nBytes = in.read(buffer)) > 0) { out.write(buffer, 0, nBytes); totalSizeEntry += nBytes; totalSizeArchive += nBytes; @@ -80,7 +74,12 @@

    Compliant Solution

    } }
    -

    See

    +

    Resources

    +

    Articles & blog posts

    + +

    Standards

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5042.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5042.json
index 32484b21a10..71dc87a9c66 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5042.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5042.json
@@ -1,9 +1,10 @@
 {
- "title": "Expanding archive files without controlling resource consumption is security-sensitive",
- "type": "SECURITY_HOTSPOT",
+ "title": "Expanding archive files should not be done without controlling resource consumption",
+ "type": "CODE_SMELL",
+ "quickfix": "unknown",
 "code": {
 "impacts": {
- "SECURITY": "HIGH"
+ "RELIABILITY": "MEDIUM"
 },
 "attribute": "COMPLETE"
 },
@@ -14,9 +15,10 @@
 },
 "tags": [
 "cwe",
- "cert"
+ "cert",
+ "former-hotspot"
 ],
- "defaultSeverity": "Critical",
+ "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-5042",
 "sqKey": "S5042",
 "scope": "Main",
@@ -38,6 +40,5 @@
 "ASVS 4.0": [
 "12.1.2"
 ]
- },
- "quickfix": "unknown"
+ }
 }
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5324.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5324.html
index fe780b822e2..884ad1e6d0e 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5324.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5324.html
@@ -52,7 +52,7 @@

    Standards

    Requirements
  • OWASP - Mobile Top 10 2016 Category M2 - Insecure Data Storage
  • -
  • OWASP - Mobile Top 10 2024 Category M9 - Insecure Data +
  • OWASP - Mobile Top 10 2023 Category M9 - Insecure Data Storage
  • CWE - CWE-312 - Cleartext Storage of Sensitive Information
• diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5527.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5527.html
index a3fe6274025..342cd394b1b 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5527.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5527.html
@@ -203,12 +203,12 @@

    Standards

    Requirements
  • OWASP - Mobile Top 10 2016 Category M3 - Insecure Communication
  • -
  • OWASP - Mobile Top 10 2024 Category M5 - Insecure +
  • OWASP - Mobile Top 10 2023 Category M5 - Insecure Communication
  • CWE - CWE-297 - Improper Validation of Certificate with Host Mismatch
  • STIG Viewer - Application Security and Development: V-222550 - The application must validate certificates by constructing a certification path to an accepted trust anchor.
  • https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
• + href="https://cmu-sei.github.io/secure-coding-standards/sei-cert-oracle-coding-standard-for-java/recommendations/miscellaneous-msc/msc61-j">https://cmu-sei.github.io/secure-coding-standards/sei-cert-oracle-coding-standard-for-java/recommendations/miscellaneous-msc/msc61-j
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html
index 1f911e35fad..f6498d2ca9d 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5542.html
@@ -134,6 +134,8 @@

    Standards

    Insufficient Cryptography
  • CWE - CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • CWE - CWE-780 - Use of RSA Algorithm without OAEP
  • -
  • CERT, MSC61-J. - Do not use insecure or weak cryptographic algorithms
  • +
  • CERT, + MSC61-J. - Do not use insecure or weak cryptographic algorithms
• diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5738.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5738.html
index f87da44a396..58cfc1c1819 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5738.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5738.html
@@ -58,7 +58,8 @@

    Noncompliant code example

    Resources

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6418.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6418.html
index 088f3504ee5..9271b6a528e 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6418.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6418.html
@@ -73,7 +73,9 @@

    Resources

  • OWASP - Top 10 2017 Category A2 - Broken Authentication
  • CWE - CWE-798 - Use of Hard-coded Credentials
  • -
  • MSC - MSC03-J - Never hard code sensitive information
  • +
  • MSC - MSC03-J - Never + hard code sensitive information
  • OWASP - Mobile Top 10 2024 Category M1 - Improper Credential Usage
• diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6418.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6418.json
index 99c7c5b6f3f..6c5dda39b59 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6418.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6418.json
@@ -15,7 +15,8 @@
 "quickfix": "infeasible",
 "tags": [
 "cwe",
- "cert"
+ "cert",
+ "former-hotspot"
 ],
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6418",
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7409.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7409.html
index dfc9747a5f5..68d5db16f47 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7409.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7409.html
@@ -91,9 +91,9 @@

    Documentation

    Standards

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S818.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S818.html
index 1cdff6a1173..0bb0963effc 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S818.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S818.html
@@ -14,7 +14,9 @@

    Compliant solution

    Resources

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S864.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S864.html
index e1e6bee426f..b823528f857 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S864.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S864.html
@@ -138,8 +138,11 @@

    Compliant solution

    Resources

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S881.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S881.html
index 52f2de19227..d9d8843c858 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S881.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S881.html
@@ -21,9 +21,11 @@

    Compliant solution

    Resources

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S888.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S888.html
index 8182a1d39f6..3b9b399ae96 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S888.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S888.html
@@ -35,6 +35,7 @@

    Exceptions

    Resources

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S899.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S899.html
index 989095024bb..f866415d84a 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S899.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S899.html
@@ -33,8 +33,10 @@

    Compliant solution

    Resources

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S923.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S923.html
index 76470ab698b..1c6bff832f4 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S923.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S923.html
@@ -13,7 +13,7 @@

    Noncompliant code example

    Resources

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/Sonar_way_profile.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/Sonar_way_profile.json
index ab7c96504a9..8183be0098b 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/Sonar_way_profile.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/Sonar_way_profile.json
@@ -156,6 +156,7 @@
 "S2139",
 "S2140",
 "S2142",
+ "S2143",
 "S2147",
 "S2151",
 "S2153",
diff --git a/sonarpedia.json b/sonarpedia.json
index 48d67623420..38f66f406f5 100644
--- a/sonarpedia.json
+++ b/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "JAVA"
 ],
- "latest-update": "2026-04-24T14:36:54.720528421Z",
+ "latest-update": "2026-05-07T15:03:31.056802325Z",
 "options": {
 "no-language-in-filenames": true,
 "preserve-filenames": false
From ecafbba2879cb953f3bcee32028dd11370fc990f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Coet?=
Date: Fri, 8 May 2026 15:11:07 +0200
Subject: [PATCH 2/2] Revert rules with inconsistant metadata
---
 .../main/resources/org/sonar/l10n/java/rules/java/S2077.html | 3 +-
 .../main/resources/org/sonar/l10n/java/rules/java/S2077.json | 3 +-
 .../main/resources/org/sonar/l10n/java/rules/java/S4507.json | 3 +-
 3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html
index 2ac22139f9f..5eb1ede7bc6 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html
@@ -78,8 +78,7 @@

    See

  • CWE - CWE-564 - SQL Injection: Hibernate
  • CWE - CWE-20 - Improper Input Validation
  • CWE - CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
  • -
  • CERT, IDS00-J. - Prevent SQL injection
  • +
  • CERT, IDS00-J. - Prevent SQL injection
  • Derived from FindSecBugs rules Potential SQL/JPQL Injection (JPA), Potential SQL/JDOQL Injection (JDO), Potential SQL/HQL Injection (Hibernate)
• diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json
index 0e7bc3fb10e..8fc140052fa 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json
@@ -19,8 +19,7 @@
 "bad-practice",
 "cert",
 "hibernate",
- "sql",
- "former-hotspot"
+ "sql"
 ],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-2077",
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json
index 1192aac3943..424b00cc4da 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json
@@ -17,8 +17,7 @@
 "error-handling",
 "spring",
 "debug",
- "user-experience",
- "former-hotspot"
+ "user-experience"
 ],
 "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-4507",