JS-381 Update rules and prepare for release (#4906)

css-sonarpedia/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "CSS"
   ],
-  "latest-update": "2024-09-25T13:47:31.326757900Z",
+  "latest-update": "2024-11-15T08:36:47.923296Z",
   "options": {
     "no-language-in-filenames": true
   }

package.json

@@ -30,7 +30,7 @@
     "td": "npm --prefix typedoc/searchable-parameters-plugin run setup && npx typedoc --options typedoc/typedoc.js",
     "prepare": "husky install",
     "precommit": "pretty-quick --staged",
-    "count-rules": "node tools/count-rules.js",
+    "count-rules": "node tools/count-rules.cjs",
     "_:bridge:copy-protofiles": "cpy --flat packages/jsts/src/parsers/estree.proto sonar-plugin/bridge/src/main/protobuf && cpy --flat packages/jsts/src/parsers/estree.proto lib/jsts/src/parsers",
     "_:bridge:clear": "rimraf --glob lib/*",
     "_:plugin:prepare-bridge": "npm pack && node tools/check-distribution-filepath-length.cjs && npm run _:plugin:copy-bridge && npm run generate-rules-list",
@@ -44,7 +44,7 @@
     "eslint-plugin:types": "tsc -p tsconfig-plugin.json --declaration true --emitDeclarationOnly --outDir lib/types",
     "eslint-plugin:package-json": "node generate-eslint-package-json.mjs",
     "eslint-plugin:copy-assets": "cpy LICENSE.txt lib/ --rename LICENSE && cpy packages/jsts/src/rules/README.md lib/ --flat",
-    "eslint-docs": "npm run compile && eslint-doc-generator lib"
+    "eslint-docs": "npm run eslint-plugin:compile && eslint-doc-generator lib --init-rule-docs"
   },
   "repository": {
     "type": "git",

sonar-plugin/css/src/main/resources/org/sonar/l10n/css/rules/css/S4650.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

sonar-plugin/css/src/main/resources/org/sonar/l10n/css/rules/css/S4653.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

sonar-plugin/css/src/main/resources/org/sonar/l10n/css/rules/css/S4654.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

sonar-plugin/css/src/main/resources/org/sonar/l10n/css/rules/css/S4668.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S1219.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CLEAR"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S128.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CLEAR"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S1314.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CLEAR"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S1451.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "LAWFUL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S1526.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S1527.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2068.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "TRUSTWORTHY"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2187.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "TESTED"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2189.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2245.html

@@ -1,26 +1,34 @@
-<p>Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:</p>
+<p>PRNGs are algorithms that produce sequences of numbers that only approximate true randomness. While they are suitable for applications like
+simulations or modeling, they are not appropriate for security-sensitive contexts because their outputs can be predictable if the internal state is
+known.</p>
+<p>In contrast, cryptographically secure pseudorandom number generators (CSPRNGs) are designed to be secure against prediction attacks. CSPRNGs use
+cryptographic algorithms to ensure that the generated sequences are not only random but also unpredictable, even if part of the sequence or the
+internal state becomes known. This unpredictability is crucial for security-related tasks such as generating encryption keys, tokens, or any other
+values that must remain confidential and resistant to guessing attacks.</p>
+<p>For example, the use of non-cryptographic PRNGs has led to vulnerabilities such as:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386">CVE-2013-6386</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419">CVE-2006-3419</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102">CVE-2008-4102</a> </li>
+  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386">CVE-2013-6386</a> </li>
+  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419">CVE-2006-3419</a> </li>
+  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102">CVE-2008-4102</a> </li>
 </ul>
 <p>When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that
-will be generated, and use this guess to impersonate another user or access sensitive information.</p>
+will be generated, and use this guess to impersonate another user or access sensitive information. Therefore, it is critical to use CSPRNGs in any
+security-sensitive application to ensure the robustness and security of the system.</p>
 <p>As the <code>Math.random()</code> function relies on a weak pseudorandom number generator, this function should not be used for security-critical
 applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used
 instead.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> the code using the generated value requires it to be unpredictable. It is the case for all encryption mechanisms or when a secret value, such
   as a password, is hashed. </li>
-  <li> the function you use generates a value which can be predicted (pseudo-random). </li>
+  <li> the function you use is a non-cryptographic PRNG. </li>
   <li> the generated value is used multiple times. </li>
   <li> an attacker can access the generated value. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
-  <li> Use a cryptographically strong pseudorandom number generator (CSPRNG) like <code>crypto.getRandomValues()</code>. </li>
+  <li> Use a cryptographically secure pseudorandom number generator (CSPRNG) like <code>crypto.getRandomValues()</code>. </li>
   <li> Use the generated random values only once. </li>
   <li> You should not expose the generated random value. If you have to store it, make sure that the database or file is secure. </li>
 </ul>
@@ -34,18 +42,20 @@ <h2>Compliant Solution</h2>
 // === Client side ===
 const crypto = window.crypto || window.msCrypto;
 var array = new Uint32Array(1);
-crypto.getRandomValues(array); // Compliant for security-sensitive use cases
+crypto.getRandomValues(array);
 
 // === Server side ===
 const crypto = require('crypto');
-const buf = crypto.randomBytes(1); // Compliant for security-sensitive use cases
+const buf = crypto.randomBytes(1);
 </pre>
 <h2>See</h2>
 <ul>
+  <li> OWASP - <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation">Secure
+  Random Number Generation Cheat Sheet</a> </li>
   <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a> </li>
-  <li> <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/338">CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)</a>

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2699.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "TESTED"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2703.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CLEAR"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2817.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2970.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "TESTED"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S3516.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S3796.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S3827.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "CLEAR"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6265.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6268.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6270.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6299.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6302.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6304.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6321.html

@@ -158,5 +158,8 @@ <h3>Documentation</h3>
 <h3>Standards</h3>
 <ul>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/284">CWE-284 - Improper Access Control</a> </li>
+  <li> OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
+  Exposure</a> </li>
 </ul>
 

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6321.json

@@ -24,6 +24,12 @@
     "CWE": [
       284
     ],
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Top 10 2021": [
+      "A1"
+    ],
     "PCI DSS 3.2": [
       "6.5.8"
     ],

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6329.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6333.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JS"
   ],
-  "latest-update": "2024-09-25T13:47:06.983012100Z",
+  "latest-update": "2024-11-15T08:36:20.934286Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

tools/generate-meta.ts

@@ -42,9 +42,9 @@ type rspecMeta = {
   quickfix: 'covered' | undefined;
   tags: string[];
 };
-const RULES_FOLDER = join(toUnixPath(__dirname), '../packages/jsts/src/rules/');
+const RULES_FOLDER = join(toUnixPath(import.meta.dirname), '../packages/jsts/src/rules/');
 const METADATA_FOLDER = join(
-  toUnixPath(__dirname),
+  toUnixPath(import.meta.dirname),
   '../sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/',
 );
 const sonarWayProfileFile = join(METADATA_FOLDER, `Sonar_way_profile.json`);