Update rule meta data for version 3.16.

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1121.html

@@ -13,7 +13,7 @@ <h2>Compliant Solution</h2>
 </pre>
 <p>or </p>
 <pre>
-if ($val == value() &amp;&amp; check()) { // Perhaps in fact the assignment operator was expected
+if ($val == value() &amp;&amp; check()) { // Perhaps in fact the equality operator was expected
 }
 </pre>
 <h2>Exceptions</h2>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1186.html

@@ -1,7 +1,9 @@
 <p>There are several reasons for a method not to have a method body:</p>
-<p> * It is an unintentional omission and should be fixed to prevent unexpected behavior in production.</p>
-<p> * It is not yet, or never will be, supported. In this case an <code>UnsupportedOperationException</code> should be thrown.</p>
-<p> * The method is an intentionally-blank override. In this case a nested comment should explain the reason for the blank override.</p>
+<ul>
+  <li> It is an unintentional omission and should be fixed to prevent unexpected behavior in production. </li>
+  <li> It is not yet, or never will be, supported. In this case an <code>UnsupportedOperationException</code> should be thrown. </li>
+  <li> The method is an intentionally-blank override. In this case a nested comment should explain the reason for the blank override. </li>
+</ul>
 <h2>Noncompliant Code Example</h2>
 <pre>
 public function doSomething() {

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1192.html

@@ -21,8 +21,10 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>Exceptions</h2>
 <p>No issue will be raised on:</p>
-<p> * strings with less than 5 characters</p>
-<p> * strings with only letters, numbers, underscores and hyphens</p>
+<ul>
+  <li> strings with less than 5 characters </li>
+  <li> strings with only letters, numbers, underscores and hyphens </li>
+</ul>
 <pre>
 $severity = $request-&gt;getParam('severity-score');{code}
 </pre>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S122.json

@@ -7,8 +7,8 @@
     "constantCost": "1min"
   },
   "tags": [
-    "psr2",
-    "style"
+    "convention",
+    "psr2"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-122",

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S127.html

@@ -22,6 +22,5 @@ <h2>Compliant Solution</h2>
 for ($i = 0; $i &lt; 10; $i++) {
   echo $i;
 }
-
 </pre>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1314.html

@@ -11,7 +11,7 @@ <h2>Compliant Solution</h2>
 <h2>Exceptions</h2>
 <p>This rule does not apply to values smaller than 8 and octal values having 3 digits, since 3 digits octal values are often used as file permission
 masks.</p>
-<p> Example:</p>
+<p>Example:</p>
 <pre>
 $permissionMask = 0777;
 $dayOfMonth = 03;

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1603.html

@@ -1,6 +1,6 @@
 <p>In PHP 4, any function with the same name as the nesting class was considered a class constructor. In PHP 5, this mechanism has been deprecated and
-the "__construct" method name should be used instead. If both styles are present in the same class, PHP 5 will treat the function named "__construct"
-as the class constructor. </p>
+the <code>__construct</code> method name should be used instead. If both styles are present in the same class, PHP 5 will treat the function named
+<code>__construct</code> as the class constructor. </p>
 <p>This rule rule raises an issue for each method with the same name as the enclosing class.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1607.html

@@ -15,7 +15,6 @@ <h2>Noncompliant Code Example</h2>
   $this-&gt;assertTrue($result-&gt;isValid());
   $this-&gt;markTestIncomplete(); // Noncompliant
 }
-
 </pre>
 <h2>Compliant Solution</h2>
 <pre>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1808.json

@@ -7,8 +7,8 @@
     "constantCost": "1min"
   },
   "tags": [
-    "psr2",
-    "style"
+    "convention",
+    "psr2"
   ],
   "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-1808",

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2053.html

@@ -1,17 +1,13 @@
-<p>In cryptography, "salt" is extra piece of data which is included in a hashing algorithm. It makes dictionary attacks more difficult. Using a
-cryptographic hash function without an unpredictable salt increases the likelihood that an attacker will be able to successfully guess a hashed value
-such as a password with a dictionary attack.</p>
-<p>This rule raises an issue when a hashing function which has been specifically designed for hashing sensitive data, such as PBKDF2, is used with a
-non-random, reused or too short salt value. It does not raise an issue on base hashing algorithms such as sha1 or md5 as these are often used for
-other purposes.</p>
+<p>In cryptography, a "salt" is an extra piece of data which is included when hashing a password. This makes <code>rainbow-table attacks</code> more
+difficult. Using a cryptographic hash function without an unpredictable salt increases the likelihood that an attacker could successfully find the
+hash value in databases of precomputed hashes (called <code>rainbow-tables</code>).</p>
+<p>This rule raises an issue when a hashing function which has been specifically designed for hashing passwords, such as <code>PBKDF2</code>, is used
+with a non-random, reused or too short salt value. It does not raise an issue on base hashing algorithms such as <code>sha1</code> or <code>md5</code>
+as they should not be used to hash passwords.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
-  <li> Use hashing functions generating their own salt or generate a long random salt of at least 32 bytes. </li>
-  <li> The salt is at least as long as the resulting hash value. </li>
-  <li> Provide the salt to a safe hashing function such as PBKDF2. </li>
-  <li> Save both the salt and the hashed value in the relevant database record; during future validation operations, the salt and hash can then be
-  retrieved from the database. The hash is recalculated with the stored salt and the value being validated, and the result compared to the stored
-  hash. </li>
+  <li> Use hashing functions generating their own secure salt or generate a secure random value of at least 16 bytes. </li>
+  <li> The salt should be unique by user password. </li>
 </ul>
 <h2>Noncompliant Code Example</h2>
 <pre>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html

@@ -41,10 +41,10 @@ <h2>Compliant Solution</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication">OWASP Top 10 2017 Category A2</a> - Broken Authentication </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
   <li> <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
-  <li> Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD">Hard Coded Password</a> </li>
+  <li> Derived from FindSecBugs rule <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD">Hard Coded Password</a> </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2070.html

@@ -19,10 +19,10 @@ <h2>See</h2>
 <ul>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
   Misconfiguration </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/328">MITRE, CWE-328</a> - Reversible One-Way Hash </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/327">MITRE, CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/328">MITRE, CWE-328</a> - Reversible One-Way Hash </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/327">MITRE, CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
-  <li> <a href="http://shattered.io/">SHAttered</a> - The first concrete collision attack against SHA-1. </li>
+  <li> <a href="https://shattered.io/">SHAttered</a> - The first concrete collision attack against SHA-1. </li>
 </ul>
 <h2>Deprecated</h2>
 <p>This rule is deprecated; use {rule:php:S4790} instead.</p>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2077.html

@@ -1,46 +1,18 @@
-<p>Formatting strings used as SQL queries is security-sensitive. It has led in the past to the following vulnerabilities:</p>
-<ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9019">CVE-2018-9019</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7318">CVE-2018-7318</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611">CVE-2017-5611</a> </li>
-</ul>
-<p>SQL queries often need to use a hardcoded SQL string with a dynamic parameter coming from a user request. Formatting a string to add those
-parameters to the request is a bad practice as it can result in an <a href="https://www.owasp.org/index.php/SQL_Injection">SQL injection</a>. The safe
-way to add parameters to a SQL query is to use SQL binding mechanisms.</p>
-<p>This rule flags the execution of SQL queries which are built using formatting of strings, even if there is no injection. This rule does not detect
-SQL injections. The goal is to guide security code reviews and to prevent a common bad practice.</p>
-<p>The following functions are detected as SQL query execution:</p>
-<ul>
-  <li> <code>mysql_query</code> </li>
-  <li> <code>mysql_db_query</code> </li>
-  <li> <code>mysql_unbuffered_query</code> </li>
-  <li> <code>pg_query</code> </li>
-  <li> <code>pg_send_query</code> </li>
-  <li> <code>mssql_query</code> </li>
-  <li> <code>mysqli_query</code> and <code>mysqli::query</code> </li>
-  <li> <code>mysqli_real_query</code> and <code>mysqli::real_query</code> </li>
-  <li> <code>mysqli_multi_query</code> and <code>mysqli::multi_query</code> </li>
-  <li> <code>mysqli_send_query</code> and <code>mysqli::send_query</code> </li>
-  <li> <code>PDO::query</code> </li>
-  <li> <code>PDO::exec</code> </li>
-  <li> <code>PDO::prepare</code> </li>
-</ul>
+<p>Formatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the
+query. However, this rule doesn't detect SQL injections (unlike rule s3649), the goal is only to highlight complex/formatted queries.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
-  <li> the SQL query is built using string formatting technics, such as concatenating variables. </li>
-  <li> some of the values are coming from an untrusted source and are not sanitized. </li>
+  <li> Some parts of the query come from untrusted values (like user inputs). </li>
+  <li> The query is repeated/duplicated in other parts of the code. </li>
+  <li> The application must support different types of relational databases. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
-  <li> Avoid building queries manually using formatting technics. If you do it anyway, do not include user input in this building process. </li>
   <li> Use <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">parameterized queries, prepared statements, or stored
-  procedures</a> whenever possible. </li>
-  <li> PHP Data Objects (PDO) prepared statement with bound parameters should be preferred to native database functions. </li>
-  <li> Avoid executing SQL queries containing unsafe input in stored procedures or functions. </li>
-  <li> <a href="https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet">Sanitize</a> every unsafe input. </li>
+  procedures</a> and bind variables to SQL query parameters. </li>
+  <li> Consider using ORM frameworks if there is a need to have an abstract layer to access data. </li>
 </ul>
-<p>You can also reduce the impact of an attack by using a database account with low privileges.</p>
 <h2>Sensitive Code Example</h2>
 <pre>
 $id = $_GET['id'];
@@ -85,15 +57,16 @@ <h2>Exceptions</h2>
 <h2>See</h2>
 <ul>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/89">MITRE, CWE-89</a> - Improper Neutralization of Special Elements used in an SQL Command </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/564.html">MITRE, CWE-564</a> - SQL Injection: Hibernate </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/20.html">MITRE, CWE-20</a> - Improper Input Validation </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/943.html">MITRE, CWE-943</a> - Improper Neutralization of Special Elements in Data Query Logic
+  <li> <a href="https://cwe.mitre.org/data/definitions/89">MITRE, CWE-89</a> - Improper Neutralization of Special Elements used in an SQL Command
+  </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/564.html">MITRE, CWE-564</a> - SQL Injection: Hibernate </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/20.html">MITRE, CWE-20</a> - Improper Input Validation </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/943.html">MITRE, CWE-943</a> - Improper Neutralization of Special Elements in Data Query Logic
   </li>
   <li> <a href="https://wiki.sei.cmu.edu/confluence/x/ITdGBQ">CERT, IDS00-J.</a> - Prevent SQL injection </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat1">SANS Top 25</a> - Insecure Interaction Between Components </li>
-  <li> Derived from FindSecBugs rules <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA">Potential SQL/JPQL Injection
-  (JPA)</a>, <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO">Potential SQL/JDOQL Injection (JDO)</a>, <a
-  href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE">Potential SQL/HQL Injection (Hibernate)</a> </li>
+  <li> Derived from FindSecBugs rules <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA">Potential SQL/JPQL Injection
+  (JPA)</a>, <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO">Potential SQL/JDOQL Injection (JDO)</a>, <a
+  href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE">Potential SQL/HQL Injection (Hibernate)</a> </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2077.json

@@ -13,7 +13,7 @@
     "bad-practice",
     "sql"
   ],
-  "defaultSeverity": "Critical",
+  "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2077",
   "sqKey": "S2077",
   "scope": "Main",

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2115.html

@@ -1,34 +1,23 @@
-<p>Databases should always be password protected. The use of a database connection with an empty password is a clear indication of a database that is
-not protected.</p>
-<p>This rule flags database connections with empty passwords.</p>
+<p>When relying on the password authentication mode for the database connection, a secure password should be chosen.</p>
+<p>This rule raises an issue when an empty password is used.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
-&lt;?php
-  $servername = "localhost";
-  $username = "AppLogin";
-  $password = "";
-
-  // MySQL
-  $conn = new mysqli($servername, $username, $password);
-  // MySQL
-  $conn = mysqli_connect($servername, $username, $password);
-  // PDO way
-  $conn = new PDO("mysql:host=$servername;dbname=myDB", $username, $password);
-  // Oracle
-  $conn = oci_connect($username, $password, "//localhost/orcl");
-  // MS SQL Server
-  $sqlsrvName = "serverName\sqlexpress";
-  $sqlsrvConnInfo = array( "Database"=&gt;"myDB", "UID"=&gt;$username, "PWD"=&gt;$password);
-  $conn = sqlsrv_connect( $sqlsrvName, $sqlsrvConnInfo);
-  // PosgreSQL
-  $pgConnInfo = "host=localhost port=5432 dbname=test user=" . $username . " password=" . $password;
-  $conn = pg_connect($pgConnInfo);
-?&gt;
+// example of an empty password when connecting to a mysql database
+$conn = new mysqli($servername, $username, "");
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+// generate a secure password, set it to the username database, and store it in a environment variable for instance
+$password = getenv('MYSQL_SECURE_PASSWORD');
+// then connect to the database
+$conn = new mysqli($servername, $username, $password);
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
-  </li>
+  <li> <a href="https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication.html">OWASP Top 10 2017 Category A2</a> - Broken
+  Authentication </li>
+  <li> <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data
+  Exposure </li>
   <li> <a href="https://cwe.mitre.org/data/definitions/521.html">MITRE, CWE-521</a> - Weak Password Requirements </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2115.json

@@ -1,5 +1,5 @@
 {
-  "title": "Databases should be password-protected",
+  "title": "A secure password should be used when connecting to a database",
   "type": "VULNERABILITY",
   "status": "ready",
   "remediation": {
@@ -8,6 +8,7 @@
   },
   "tags": [
     "cwe",
+    "owasp-a2",
     "owasp-a3"
   ],
   "defaultSeverity": "Blocker",
@@ -19,6 +20,7 @@
       521
     ],
     "OWASP": [
+      "A2",
       "A3"
     ]
   }

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html

@@ -38,15 +38,15 @@ <h2>See</h2>
 <ul>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
   </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/338.html">MITRE, CWE-338</a> - Use of Cryptographically Weak Pseudo-Random Number Generator
+  <li> <a href="https://cwe.mitre.org/data/definitions/338.html">MITRE, CWE-338</a> - Use of Cryptographically Weak Pseudo-Random Number Generator
   (PRNG) </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/330.html">MITRE, CWE-330</a> - Use of Insufficiently Random Values </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/326.html">MITRE, CWE-326</a> - Inadequate Encryption Strength </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/330.html">MITRE, CWE-330</a> - Use of Insufficiently Random Values </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/326.html">MITRE, CWE-326</a> - Inadequate Encryption Strength </li>
   <li> <a href="https://wiki.sei.cmu.edu/confluence/x/oTdGBQ">CERT, MSC02-J.</a> - Generate strong random numbers </li>
   <li> <a href="https://wiki.sei.cmu.edu/confluence/x/UNcxBQ">CERT, MSC30-C.</a> - Do not use the rand() function for generating pseudorandom numbers
   </li>
   <li> <a href="https://wiki.sei.cmu.edu/confluence/x/2ns-BQ">CERT, MSC50-CPP.</a> - Do not use std::rand() for generating pseudorandom numbers </li>
-  <li> Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM">Predictable Pseudo Random Number
+  <li> Derived from FindSecBugs rule <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#PREDICTABLE_RANDOM">Predictable Pseudo Random Number
   Generator</a> </li>
 </ul>
 

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2277.html

@@ -23,10 +23,10 @@ <h2>See</h2>
   </li>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
   Misconfiguration </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/780.html">MITRE CWE-780</a> - Use of RSA Algorithm without OAEP </li>
-  <li> <a href="http://cwe.mitre.org/data/definitions/327.html">MITRE CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/780.html">MITRE CWE-780</a> - Use of RSA Algorithm without OAEP </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/327.html">MITRE CWE-327</a> - Use of a Broken or Risky Cryptographic Algorithm </li>
   <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
-  <li> Derived from FindSecBugs rule <a href="http://h3xstream.github.io/find-sec-bugs/bugs.htm#RSA_NO_PADDING">RSA NoPadding Unsafe</a> </li>
+  <li> Derived from FindSecBugs rule <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#RSA_NO_PADDING">RSA NoPadding Unsafe</a> </li>
 </ul>
 <h2>Deprecated</h2>
 <p>This rule is deprecated; use {rule:php:S5542} instead.</p>