Update rules metadata (#3185)

SonarSource · Jun 24, 2022 · ecafd2e · ecafd2e
1 parent 04b843e
commit ecafd2e
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 15 deletions.
diff --git a/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4125.json b/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4125.json
@@ -13,5 +13,6 @@
   "scope": "All",
   "quickfix": "unknown",
   "compatibleLanguages": [
-    "JAVASCRIPT"  ]
+    "JAVASCRIPT"
+  ]
 }
diff --git a/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5542.html b/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5542.html
@@ -1,15 +1,16 @@
-<p>Encryption operation mode and the padding scheme should be chosen appropriately to guarantee data confidentiality, integrity and authenticity:</p>
+<p>Encryption operations should use a secure mode and padding scheme so that confidentiality and integrity can be guaranteed.</p>
 <ul>
   <li> For block cipher encryption algorithms (like AES):
     <ul>
+      <li> The ECB (Electronic Codebook) cipher mode doesn’t provide serious message confidentiality: under a given key any given plaintext block
+      always gets encrypted to the same ciphertext block. This mode never be used. </li>
+      <li> The CBC (Cipher Block Chaining) mode by itself provides only data confidentiality. This cipher mode is also vulnerable to <a
+      href="https://en.wikipedia.org/wiki/Padding_oracle_attack">padding oracle attacks</a> when used with padding. Using CBC along with Message
+      Authentication Code can provide data integrity and should prevent such attacks. In practice the implementation has many pitfalls and it’s
+      recommended to avoid CBC with padding completely. </li>
       <li> The GCM (Galois Counter Mode) mode which <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode#Mathematical_basis">works
       internally</a> with zero/no padding scheme, is recommended, as it is designed to provide both data authenticity (integrity) and confidentiality.
       Other similar modes are CCM, CWC, EAX, IAPM and OCB. </li>
-      <li> The CBC (Cipher Block Chaining) mode by itself provides only data confidentiality, it’s recommended to use it along with Message
-      Authentication Code or similar to achieve data authenticity (integrity) too and thus to <a
-      href="https://en.wikipedia.org/wiki/Padding_oracle_attack">prevent padding oracle attacks</a>. </li>
-      <li> The ECB (Electronic Codebook) mode doesn’t provide serious message confidentiality: under a given key any given plaintext block always gets
-      encrypted to the same ciphertext block. This mode should not be used. </li>
     </ul>  </li>
   <li> For RSA encryption algorithm, the recommended padding scheme is OAEP. </li>
 </ul>

diff --git a/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5852.html b/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5852.html
@@ -84,8 +84,8 @@ <h2>See</h2>
   <li> <a href="https://cwe.mitre.org/data/definitions/1333">MITRE, CWE-1333</a> - Inefficient Regular Expression Complexity </li>
   <li> <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">owasp.org</a> - OWASP Regular expression Denial
   of Service - ReDoS </li>
-  <li> <a href="https://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016">stackstatus.net</a> - Outage Postmortem - July 20, 2016
-  </li>
+  <li> <a
+  href="https://web.archive.org/web/20220506215733/https://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016">stackstatus.net(archived)</a> - Outage Postmortem - July 20, 2016 </li>
   <li> <a href="https://www.regular-expressions.info/catastrophic.html">regular-expressions.info</a> - Runaway Regular Expressions: Catastrophic
   Backtracking </li>
   <li> <a

diff --git a/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6397.html b/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6397.html
@@ -4,14 +4,14 @@
 <p>Thus, having only one character in a character class is usually a simple oversight that remained after removing other characters of the class.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
-"a[b]c"
-"[\\^]"
+/a[b]c/
+/[\^]/
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
-"abc"
-"\\^"
-"a[*]c" // Compliant, see Exceptions
+/abc/
+/\^/
+/a[*]c/ // Compliant, see Exceptions
 </pre>
 <h2>Exceptions</h2>
 <p>This rule does not raise when the character inside the class is a metacharacter. This notation is sometimes used to avoid escaping (e.g.,

diff --git a/sonarpedia.json b/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "JS"
   ],
-  "latest-update": "2022-05-30T09:13:12.414059Z",
+  "latest-update": "2022-06-24T11:52:42.803533300Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true