Update rule metadata (#834)

Co-authored-by: thomas-serre-sonarsource <118730793+thomas-serre-sonarsource@users.noreply.github.com>
GitOrigin-RevId: ab5d1e167c9e49b02df1df7cb512c9ebfa102bb8

Author: 2 people

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html

@@ -1,42 +1,32 @@
-<p>Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true
-for applications that are distributed or that are open-source.</p>
+<h2>Why is this an issue?</h2>
+<p>Hard-coding credentials in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or
+open-source applications. This practice exposes your application to significant security risks.</p>
+<p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
+strings, and for variable names that match any of the patterns from the provided list.</p>
 <p>In the past, it has led to the following vulnerabilities:</p>
 <ul>
   <li> <a href="https://www.cve.org/CVERecord?id=CVE-2019-13466">CVE-2019-13466</a> </li>
   <li> <a href="https://www.cve.org/CVERecord?id=CVE-2018-15389">CVE-2018-15389</a> </li>
 </ul>
-<p>Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.</p>
-<p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
-strings, and for variable names that match any of the patterns from the provided list.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li> Credentials allow access to a sensitive component like a database, a file storage, an API or a service. </li>
-  <li> Credentials are used in production environments. </li>
-  <li> Application re-distribution is required before updating the credentials. </li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li> Store the credentials in a configuration file that is not pushed to the code repository. </li>
-  <li> Store the credentials in a database. </li>
-  <li> Use your cloud provider’s service for managing secrets. </li>
-  <li> If a password has been disclosed through the source code: change it. </li>
-</ul>
-<h2>Sensitive Code Example</h2>
-<pre>
+<h2>How to fix it</h2>
+<p>Credentials should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud
+provider’s secrets management service. If a password is exposed in the source code, it must be changed immediately.</p>
+<h3>Code Examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 username = 'admin'
-password = 'admin' # Sensitive
-usernamePassword = 'user=admin&amp;password=admin' # Sensitive
+password = 'admin' # Noncompliant
+usernamePassword = 'user=admin&amp;password=admin' # Noncompliant
 </pre>
-<h2>Compliant Solution</h2>
-<pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
 import os
 
 username = os.getenv("username") # Compliant
 password = os.getenv("password") # Compliant
-usernamePassword = 'user=%s&amp;password=%s' % (username, password) # Compliant{code}
+usernamePassword = 'user=%s&amp;password=%s' % (username, password) # Compliant
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
 <ul>
   <li> OWASP - <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">Top 10 2021 Category A7 - Identification and
   Authentication Failures</a> </li>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.json

@@ -1,6 +1,6 @@
 {
-  "title": "Hard-coded passwords are security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Credentials should not be hard-coded",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
       "SECURITY": "BLOCKER"
@@ -12,6 +12,7 @@
     "func": "Constant\/Issue",
     "constantCost": "30min"
   },
+  "quickfix": "infeasible",
   "tags": [
     "cwe"
   ],
@@ -41,6 +42,5 @@
       "3.5.2",
       "6.4.1"
     ]
-  },
-  "quickfix": "unknown"
+  }
 }

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6418.html

@@ -1,29 +1,15 @@
-<p>Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for
-applications that are distributed or that are open-source.</p>
-<p>In the past, it has led to the following vulnerabilities:</p>
-<ul>
-  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2022-25510">CVE-2022-25510</a> </li>
-  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2021-42635">CVE-2021-42635</a> </li>
-</ul>
-<p>Secrets should be stored outside of the source code in a configuration file or a management service for secrets.</p>
+<h2>Why is this an issue?</h2>
+<p>Hard-coding secrets in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or
+open-source applications. This practice exposes credentials and tokens, increasing the risk of unauthorized access and data breaches.</p>
 <p>This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a
 pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The
 randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li> The secret allows access to a sensitive component like a database, a file storage, an API, or a service. </li>
-  <li> The secret is used in a production environment. </li>
-  <li> Application re-distribution is required before updating the secret. </li>
-</ul>
-<p>There would be a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li> Store the secret in a configuration file that is not pushed to the code repository. </li>
-  <li> Use your cloud provider’s service for managing secrets. </li>
-  <li> If a secret has been disclosed through the source code: revoke it and create a new one. </li>
-</ul>
-<h2>Sensitive Code Example</h2>
-<pre>
+<h2>How to fix it</h2>
+<p>Secrets should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud provider’s
+secrets management service. If a secret is exposed in the source code, it must be rotated immediately.</p>
+<h3>Code Examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 import requests
 
 API_KEY = "1234567890abcdef"  # Hard-coded secret (bad practice)
@@ -34,10 +20,10 @@ <h2>Sensitive Code Example</h2>
     }
     return requests.post("https://api.example.com", headers=headers, data=data)
 </pre>
-<h2>Compliant Solution</h2>
+<h4>Compliant solution</h4>
 <p>Using <a href="https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/python/example_code/secretsmanager/scenario_get_secret.py">AWS Secrets
 Manager</a>:</p>
-<pre>
+<pre data-diff-id="1" data-diff-type="compliant">
 import boto3
 import logging
 
@@ -73,13 +59,14 @@ <h2>Compliant Solution</h2>
     }
     return requests.post("https://api.example.com", headers=headers, data=data)
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
 <ul>
   <li> OWASP - <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">Top 10 2021 Category A7 - Identification and
   Authentication Failures</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication">Top 10 2017 Category A2 - Broken Authentication</a>
   </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
+  <li> MSC - <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">MSC03-J - Never hard code sensitive information</a> </li>
   <li> AWS Secrets Manager - <a href="https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/secretsmanager">Code Examples</a>
   </li>
   <li> Azure Key Vault - <a href="https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-python?tabs=azure-cli">Quickstart</a> </li>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6418.json

@@ -1,6 +1,6 @@
 {
-  "title": "Hard-coded secrets are security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Secrets should not be hard-coded",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
       "SECURITY": "BLOCKER"
@@ -12,6 +12,7 @@
     "func": "Constant\/Issue",
     "constantCost": "30min"
   },
+  "quickfix": "infeasible",
   "tags": [
     "cwe"
   ],
@@ -40,6 +41,5 @@
       "3.5.2",
       "6.4.1"
     ]
-  },
-  "quickfix": "unknown"
+  }
 }

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6552.html

@@ -53,8 +53,8 @@ <h4>Compliant solution</h4>
 <h2>Resources</h2>
 <h3>Documentation</h3>
 <ul>
-  <li> <a href="https://docs.djangoproject.com/en/4.1/topics/signals/">Django signals</a> </li>
-  <li> <a href="https://flask.palletsprojects.com/en/stable/patterns/viewdecorators/">Flask View Decorators</a> </li>
-  <li> <a href="https://flask.palletsprojects.com/en/stable/quickstart/#routing">Flask Routing</a> </li>
+  <li> Django - <a href="https://docs.djangoproject.com/en/4.1/topics/signals/">Signals</a> </li>
+  <li> Flask - <a href="https://flask.palletsprojects.com/en/stable/patterns/viewdecorators/">View Decorators</a> </li>
+  <li> Flask - <a href="https://flask.palletsprojects.com/en/stable/quickstart/#routing">Routing</a> </li>
 </ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8371.html

@@ -5,15 +5,24 @@ <h2>Why is this an issue?</h2>
 dictionary-style access like <code>request.headers['Authorization']</code>, Flask raises a KeyError if the header is missing.</p>
 <p>This can cause your application to crash unexpectedly, especially when dealing with optional headers like authentication tokens, custom headers, or
 headers that vary between different clients and browsers.</p>
+<p>Even when the header presence appears to be validated by guards or preconditions, dictionary-style access introduces unnecessary risk due to
+potential refactoring.</p>
 <p>The <code>.get()</code> method provides a safer alternative by returning <code>None</code> (or a default value) when a header is missing, allowing
-your code to handle the absence gracefully instead of crashing.</p>
+your code to handle the absence gracefully instead of crashing. Using <code>.get()</code> consistently throughout your codebase establishes a robust
+pattern that prevents runtime errors, improves code maintainability, and makes the optional nature of headers explicit in the code.</p>
 <h3>What is the potential impact?</h3>
 <p>A missing header will cause a KeyError exception, potentially crashing the request handler and returning a 500 Internal Server Error to the client.
 This creates a poor user experience and can make your application appear unreliable.</p>
 <p>In security-sensitive contexts, unexpected crashes might also expose error information that could be useful to attackers.</p>
 <h2>How to fix it</h2>
-<p>Replace dictionary-style header read access with the <code>.get()</code> method. This returns <code>None</code> for missing headers instead of
-raising an exception. Add appropriate checks to handle missing headers gracefully.</p>
+<p>Always use the <code>.get()</code> method instead of dictionary-style header access. This returns <code>None</code> for missing headers instead of
+raising an exception, and should be used consistently even when guards appear to protect the access. This consistent approach:</p>
+<ul>
+  <li> Prevents KeyError exceptions from missing headers </li>
+  <li> Makes the optional nature of headers explicit in the code </li>
+  <li> Reduces the risk of runtime errors during code evolution and refactoring </li>
+</ul>
+<p>Add appropriate checks to handle missing headers gracefully after retrieving them with <code>.get()</code>.</p>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8375.html

@@ -36,7 +36,7 @@ <h2>Resources</h2>
 <h3>Documentation</h3>
 <ul>
   <li> Flask preprocess_request documentation - <a href="https://flask.palletsprojects.com/en/stable/api/#flask.Flask.preprocess_request">Official
-  Flask documentation for the preprocess_request method</a> </li>
+  documentation</a> </li>
   <li> Flask Request Hooks - <a href="https://flask.palletsprojects.com/en/stable/reqcontext/#request-hooks">Documentation about Flask’s
   before-request and after-request hooks</a> </li>
 </ul>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8375.json

@@ -7,9 +7,7 @@
     "constantCost": "5 min"
   },
   "tags": [
-    "flask",
-    "security",
-    "bug-prone"
+    "flask"
   ],
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-8375",

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8389.html

@@ -168,16 +168,5 @@ <h3>Documentation</h3>
   encoding</a> </li>
   <li> Pydantic - Validators - <a href="https://docs.pydantic.dev/latest/concepts/validators/">Documentation on Pydantic validators for custom data
   parsing</a> </li>
-  <li> OWASP - Logging Cheat Sheet - <a href="https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html">Guidelines on what data should
-  not be logged, including query parameters with sensitive data</a> </li>
-</ul>
-<h3>Standards</h3>
-<ul>
-  <li> OWASP Top 10 2021 A01 - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Broken Access Control - exposing sensitive data in
-  URLs can lead to unauthorized access</a> </li>
-  <li> OWASP Top 10 2021 A09 - <a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/">Security Logging and Monitoring
-  Failures - sensitive data in logs creates security risks</a> </li>
-  <li> CWE 359 - <a href="https://cwe.mitre.org/data/definitions/359.html">Exposure of Private Personal Information to an Unauthorized Actor</a> </li>
-  <li> CWE 598 - <a href="https://cwe.mitre.org/data/definitions/598.html">Use of GET Request Method With Sensitive Query Strings</a> </li>
 </ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8392.html

@@ -87,7 +87,7 @@ <h2>How to fix it in FastAPI</h2>
 application is only accessible from your local machine.</p>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
-<pre data-diff-id="1" data-diff-type="noncompliant">
+<pre data-diff-id="3" data-diff-type="noncompliant">
 import uvicorn
 from fastapi import FastAPI
 
@@ -97,7 +97,7 @@ <h4>Noncompliant code example</h4>
     uvicorn.run(app, host="0.0.0.0", port=8000)  # Noncompliant
 </pre>
 <h4>Compliant solution</h4>
-<pre data-diff-id="1" data-diff-type="compliant">
+<pre data-diff-id="3" data-diff-type="compliant">
 import uvicorn
 from fastapi import FastAPI