SONARJAVA-3727 Update rules metadata (#3496)
alban-auzeill authored Mar 19, 2021
1 parent c4cd1c7 commit b79132d
Showing 31 changed files with 125 additions and 112 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"constantCost": "1min"
},
"tags": [
"style"
"convention"
],
"defaultSeverity": "Minor",
"ruleSpecification": "RSPEC-1120",
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"constantCost": "1min"
},
"tags": [
"style"
"convention"
],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-122",
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
have experience with them. They may not recognize octal values as such, mistaking them instead for decimal values.</p>
<h2>Noncompliant Code Example</h2>
<pre>
int myNumber = 010; // Noncompliant. myNumber will hold 8, not 10 - was this really expected?
int myNumber = 010; // Noncompliant. myNumber will hold 8, not 10 - was this really expected?
</pre>
<h2>Compliant Solution</h2>
<pre>
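Review bot: the removed and added `int myNumber = 010;` lines are identical as rendered, so this is a whitespace-only change inside a `<pre>` block; since `<pre>` renders whitespace verbatim, confirm the difference is trailing whitespace rather than leading indentation, otherwise the rendered example shifts.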
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
<p>Because of floating point imprecision, you're unlikely to get the value you expect from the <code>BigDecimal(double)</code> constructor. </p>
<p>From <a href="http://docs.oracle.com/javase/7/docs/api/java/math/BigDecimal.html#BigDecimal(double)">the JavaDocs</a>:</p>
<blockquote>
The results of this constructor can be somewhat unpredictable. One might assume that writing new BigDecimal(0.1) in Java creates a BigDecimal which
is exactly equal to 0.1 (an unscaled value of 1, with a scale of 1), but it is actually equal to
<p>The results of this constructor can be somewhat unpredictable. One might assume that writing new BigDecimal(0.1) in Java creates a BigDecimal
which is exactly equal to 0.1 (an unscaled value of 1, with a scale of 1), but it is actually equal to
0.1000000000000000055511151231257827021181583404541015625. This is because 0.1 cannot be represented exactly as a double (or, for that matter, as a
binary fraction of any finite length). Thus, the value that is being passed in to the constructor is not exactly equal to 0.1, appearances
notwithstanding.
notwithstanding.</p>
</blockquote>
<p>Instead, you should use <code>BigDecimal.valueOf</code>, which uses a string under the covers to eliminate floating point rounding errors, or the
constructor that takes a <code>String</code> argument.</p>
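Review bot: wrapping the quoted JavaDoc in `<p>` is fine, but the `href` still points at the Java SE 7 API (`docs.oracle.com/javase/7/...`); the same `BigDecimal(double)` caveat is documented in current JDK releases, so consider pointing the link at a current version while the file is being touched. The long `0.1000000000000000055511151231257827021181583404541015625` literal survived the re-wrap intact, which is the part worth checking in a change like this.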
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,7 @@ <h2>Noncompliant Code Example</h2>
@Override
void finalize() {
name = null; // Noncompliant; completely unnecessary
}
}
</pre>

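Review bot: this hunk only adds two lines at the end of the file after the `finalize()` example, with nothing removed, while the RSPEC-3369 metadata and the `<h2>Deprecated</h2>` description further down in this commit also change their end-of-file whitespace; generated rule files should agree on one end-of-file convention (a single trailing newline) so metadata regenerations stop producing these no-op diffs.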
Original file line number Diff line number Diff line change
Expand Up @@ -7,19 +7,10 @@
"constantCost": "45min"
},
"tags": [
"cwe",
"owasp-a1"

],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-2658",
"sqKey": "S2658",
"scope": "Main",
"securityStandards": {
"CWE": [
470
],
"OWASP": [
"A1"
]
}
"scope": "Main"
}
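Review bot: this hunk drops the `cwe` and `owasp-a1` tags and the entire `securityStandards` block (CWE 470, OWASP A1) from RSPEC-2658 / S2658, which silently removes the rule from CWE- and OWASP-based security reports and from any profile built on those tags. If the rule has been reclassified upstream, that should be stated in the commit message; if the intent was only to drop the OWASP mapping, the CWE 470 entry should stay. The added empty line inside `"tags": [` is also odd for a generated JSON file and suggests the generator emitted an empty array with a stray newline.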
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
<p>According to <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-8.html#jls-8.9">the Java Language Specification-8.9</a>:</p>
<blockquote>
Nested enum types are implicitly
<code>static</code>.
<p>Nested enum types are implicitly <code>static</code>.</p>
</blockquote>
<p>So there's no need to declare them <code>static</code> explicitly.</p>
<h2>Noncompliant Code Example</h2>
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
<p>Many consider <code>clone</code> and <code>Cloneable</code> broken in Java, largely because the rules for overriding <code>clone</code> are tricky
and difficult to get right, according to Joshua Bloch:</p>
<blockquote>
Object's clone method is very tricky. It's based on field copies, and it's "extra-linguistic." It creates an object without calling a constructor.
There are no guarantees that it preserves the invariants established by the constructors. There have been lots of bugs over the years, both in and
outside Sun, stemming from the fact that if you just call super.clone repeatedly up the chain until you have cloned an object, you have a shallow
copy of the object. The clone generally shares state with the object being cloned. If that state is mutable, you don't have two independent objects.
If you modify one, the other changes as well. And all of a sudden, you get random behavior.
<p>Object's clone method is very tricky. It's based on field copies, and it's "extra-linguistic." It creates an object without calling a
constructor. There are no guarantees that it preserves the invariants established by the constructors. There have been lots of bugs over the years,
both in and outside Sun, stemming from the fact that if you just call super.clone repeatedly up the chain until you have cloned an object, you have
a shallow copy of the object. The clone generally shares state with the object being cloned. If that state is mutable, you don't have two
independent objects. If you modify one, the other changes as well. And all of a sudden, you get random behavior. </p>
</blockquote>
<p>A copy constructor or copy factory should be used instead.</p>
<p>This rule raises an issue when <code>clone</code> is overridden, whether or not <code>Cloneable</code> is implemented.</p>
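Review bot: the re-wrapped Bloch quote ends with a stray space before the closing tag (`...you get random behavior. </p>`); the trailing-space cleanup applied to the `ejb-jar.xml` description elsewhere in this commit should be applied here as well.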
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<p>Default interceptors, such as application security interceptors, must be listed in the <code>ejb-jar.xml</code> file, or they will not be treated
as default. </p>
as default.</p>
<p>This rule applies to projects that contain JEE Beans (any one of <code>javax.ejb.Singleton</code>, <code>MessageDriven</code>,
<code>Stateless</code> or <code>Stateful</code>).</p>
<h2>Noncompliant Code Example</h2>
Expand All @@ -8,7 +8,7 @@ <h2>Noncompliant Code Example</h2>
&lt;assembly-descriptor&gt;
&lt;interceptor-binding&gt; &lt;!-- should be declared in ejb-jar.xml --&gt;
&lt;ejb-name&gt;*&lt;/ejb-name&gt;
&lt;interceptor-class&gt;com.myco.ImportantInterceptor&lt;/interceptor-class&gt;&lt;!-- Noncompliant; will NOT be treated as default --&gt;
&lt;interceptor-class&gt;com.myco.ImportantInterceptor&lt;/interceptor-class&gt; &lt;!-- Noncompliant; will NOT be treated as default --&gt;
&lt;/interceptor-binding&gt;
&lt;/assembly-descriptor&gt;
</pre>
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,4 @@ <h2>See</h2>
</ul>
<h2>Deprecated</h2>
<p>This rule is deprecated, and will eventually be removed.</p>

Original file line number Diff line number Diff line change
Expand Up @@ -13,4 +13,4 @@
"ruleSpecification": "RSPEC-3369",
"sqKey": "S3369",
"scope": "Main"
}
}
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<p>According to the Common Weakness Enumeration,</p>
<blockquote>
If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the
other. This decision might not correspond to the programmer's expectations...
<p>If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards
the other. This decision might not correspond to the programmer's expectations...</p>
</blockquote>
<p>In such a case, it is likely that the two forms should be combined. At the very least, one should be removed.</p>
<h2>Noncompliant Code Example</h2>
Expand All @@ -23,7 +23,7 @@ <h2>Compliant Solution</h2>
</pre>
<h2>See</h2>
<ul>
<li> <a href="http://cwe.mitre.org/data/definitions/102.html">MITRE, CWE-102</a> - Struts: Duplicate Validation Forms </li>
<li> <a href="https://cwe.mitre.org/data/definitions/102.html">MITRE, CWE-102</a> - Struts: Duplicate Validation Forms </li>
<li> <a href="https://owasp.org/www-community/vulnerabilities/Improper_Data_Validation">OWASP, Improper Data Validation</a> - Struts: Duplicate
Validation Forms </li>
</ul>
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<p>According to the documentation,</p>
<blockquote>
A program may produce unpredictable results if it attempts to distinguish two references to equal values of a value-based class, whether directly
via reference equality or indirectly via an appeal to synchronization...
<p>A program may produce unpredictable results if it attempts to distinguish two references to equal values of a value-based class, whether directly
via reference equality or indirectly via an appeal to synchronization...</p>
</blockquote>
<p>This is because value-based classes are intended to be wrappers for value types, which will be primitive-like collections of data (similar to
<code>struct</code>s in other languages) that will come in future versions of Java.</p>
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<p>According to the documentation,</p>
<blockquote>
A program may produce unpredictable results if it attempts to distinguish two references to equal values of a value-based class, whether directly
via reference equality or indirectly via an appeal to synchronization, identity hashing, serialization...
<p>A program may produce unpredictable results if it attempts to distinguish two references to equal values of a value-based class, whether directly
via reference equality or indirectly via an appeal to synchronization, identity hashing, serialization...</p>
</blockquote>
<p>For example (credit to Brian Goetz), imagine Foo is a value-based class:</p>
<pre>
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ <h2>Noncompliant Code Example</h2>
public class Child extends Parent {

@Override
public foo () { // Noncompliant
public void foo () { // Noncompliant
// ...
super.foo();
}
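Review bot: adding the missing `void` return type makes the noncompliant snippet valid Java, which matters because readers copy these examples verbatim; `public foo ()` would not compile. The space between `foo` and `()` is unusual style for the rest of the rule descriptions, so `public void foo()` would be the idiomatic form.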
Expand All @@ -30,7 +30,7 @@ <h2>Compliant Solution</h2>
public class Child extends Parent {

@Override
synchronized foo () {
synchronized void foo () {
// ...
super.foo();
}
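Review bot: the compliant snippet declares `synchronized void foo ()` without `public`, while the noncompliant version of the same override is `public void foo ()`; an override that reduces visibility from `public` to package-private does not compile, so the two examples should agree on `public synchronized void foo()`.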
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<p>Spring beans belonging to packages that are not included in a <code>@ComponentScan</code> configuration will not be accessible in the Spring
Application Context. Therefore, it's likely to be a configuration mistake that will be detected by this rule. <strong>Note:</strong> the
<code>@ComponentScan</code> is implicit in the <code>@SpringBootApplication</code> annotation, case in which Spring Boot will auto scan for components
in the package containing the Spring Boot main class and its sub-packages.</p>
Application Context. Therefore, it's likely to be a configuration mistake that will be detected by this rule. </p>
<p><strong>Note:</strong> the <code>@ComponentScan</code> is implicit in the <code>@SpringBootApplication</code> annotation, case in which Spring Boot
will auto scan for components in the package containing the Spring Boot main class and its sub-packages.</p>
<h2>Noncompliant Code Example</h2>
<pre>
@Configuration
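Review bot: splitting the Spring Boot note into its own `<p>` reads better, but the added sentence still says `case in which Spring Boot will auto scan`; since these lines are being rewritten anyway, `in which case Spring Boot will auto-scan` is the grammatical form. The first paragraph also gains a trailing space before its closing tag (`this rule. </p>`).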
Expand All @@ -18,9 +18,12 @@ <h2>Noncompliant Code Example</h2>
}
</pre>
<h2>Compliant Solution</h2>
<p>If you are not using SpringBoot:</p>
<pre>
@Configuration
@ComponentScan({"com.mycompany.app.beans","com.mycompany.app.web"})
or
@ComponentScan(basePackages= "com.mycompany.app")
public class Application {
...
}
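Review bot: the bare `or` line sits inside the `<pre>` block between the two `@ComponentScan` forms, so it renders as code rather than as prose; either split the block into two `<pre>` sections with a short sentence between them, or turn it into a Java comment (`// or`). Also `basePackages= "com.mycompany.app"` has the space on the wrong side of `=`.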
Expand All @@ -32,4 +35,20 @@ <h2>Compliant Solution</h2>
...
}
</pre>
<p>If you are using SpringBoot:</p>
<pre>
package com.mycompany.app;

@SpringBootApplication
public class Application {
...
}

package com.mycompany.app.web;

@Controller
public class MyController { // Compliant; "com.mycompany.app.web" is taken into account by @SpringBootApplication annotation which is in the package "com.mycompany.app"
...
}
</pre>

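Review bot: the `// Compliant; ...` comment on `MyController` runs to roughly 180 characters on one line inside `<pre>`, which forces horizontal scrolling on the rendered rule page; wrap it over two comment lines. The snippet also contains two files (`package com.mycompany.app;` and `package com.mycompany.app.web;`) in one block, so a `// ---` separator or two `<pre>` blocks would make the file boundary clearer for readers.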
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ <h2>Exceptions</h2>
<h2>See</h2>
<ul>
<li> <a href="https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control">OWASP Top 10 2017 Category A5</a> - Broken Access Control </li>
<li> <a href="http://cwe.mitre.org/data/definitions/915.html">MITRE, CWE-915</a> - Improperly Controlled Modification of Dynamically-Determined
<li> <a href="https://cwe.mitre.org/data/definitions/915.html">MITRE, CWE-915</a> - Improperly Controlled Modification of Dynamically-Determined
Object Attributes </li>
<li> <a href="https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf">Two Security Vulnerabilities in the Spring
Framework’s MVC by Ryan Berg and Dinis Cruz</a> </li>
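Review bot: good to move the CWE-915 reference to `https`; the OWASP Top 10 link in the same list still uses the retired `www.owasp.org/index.php/...` wiki URL, which only works through a redirect, so update it to the current `owasp.org` location in the same pass.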
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<p>Cryptographic hash algorithms such as <code>MD2</code>, <code>MD4</code>, <code>MD5</code>, <code>MD6</code>, <code>HAVAL-128</code>,
<code>HMAC-MD5</code>, <code>DSA</code> (which uses <code>SHA-1</code>), <code>RIPEMD</code>, <code>RIPEMD-128</code>, <code>RIPEMD-160</code>,
<code>HMACRIPEMD160</code> and <code>SHA-1</code> are no longer considered secure, because it is possible to have <code>collisions</code> (little
computational effort is enough to find two or more different inputs that produces the same hash).</p>
computational effort is enough to find two or more different inputs that produce the same hash).</p>
<h2>Ask Yourself Whether</h2>
<p>The hashed value is used in a security context like:</p>
<ul>
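Review bot: the grammar fix (`produce`) is right, but the rationale still lumps `HMAC-MD5` in with the collision-vulnerable hashes; HMAC's security does not rest on the collision resistance of the underlying hash, so the `collisions` justification does not explain why HMAC-MD5 is flagged. Either give HMAC-MD5 its own sentence (deprecated underlying primitive) or drop it from this list. Wrapping the plain word `collisions` in `<code>` is also a markup misuse, since it is not an identifier.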
Expand All @@ -12,7 +12,7 @@ <h2>Ask Yourself Whether</h2>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Safer alternatives, such as <code>SHA-256</code>, <code>SHA-512</code>, <code>SHA-3</code> are recommended, and for password hashing, it's even
better to use algorithms that not compute too "quickly", like <code>bcrypt</code>, <code>scrypt</code>, <code>argon2</code> or <code>pbkdf2</code>
better to use algorithms that do not compute too "quickly", like <code>bcrypt</code>, <code>scrypt</code>, <code>argon2</code> or <code>pbkdf2</code>
because it slows down <code>brute force attacks</code>.</p>
<h2>Sensitive Code Example</h2>
<pre>
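Review bot: `do not compute too "quickly"` fixes the sentence; two small things while here: `brute force attacks` is prose and should not be in `<code>`, and `pbkdf2` is only a slow hash when its iteration count is set high, so a qualifier such as `with a sufficiently high work factor` would keep readers from treating a low-iteration PBKDF2 as compliant.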
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ <h2>See</h2>
<ul>
<li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
Misconfiguration </li>
<li> <a href="http://cwe.mitre.org/data/definitions/295.html">MITRE, CWE-295</a> - Improper Certificate Validation </li>
<li> <a href="https://cwe.mitre.org/data/definitions/295.html">MITRE, CWE-295</a> - Improper Certificate Validation </li>
<li> <a href="https://wiki.sei.cmu.edu/confluence/x/hDdGBQ">CERT, MSC61-J.</a> - Do not use insecure or weak cryptographic algorithms </li>
</ul>

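Review bot: same `https` fix for CWE-295 as elsewhere in this commit; the `www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration` link two lines up is the retired wiki URL and should be updated to the current `owasp.org` location in the same pass.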