Update rule metadata (#2346)

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S121.html

@@ -12,9 +12,7 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/1QGMAg">CERT, EXP19-C.</a> - Use braces for the body of an if, for, or while statement
-  </li>
-  <li> <a href="https://www.securecoding.cert.org/confluence/x/3wHEAw">CERT, EXP52-J.</a> - Use braces for the body of an if, for, or while statement
-  </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/g9YxBQ">CERT, EXP19-C.</a> - Use braces for the body of an if, for, or while statement </li>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/MzZGBQ">CERT, EXP52-J.</a> - Use braces for the body of an if, for, or while statement </li>
 </ul>
 

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2068.html

@@ -5,7 +5,7 @@
   <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466">CVE-2019-13466</a> </li>
   <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389">CVE-2018-15389</a> </li>
 </ul>
-<p>Credentials should be stored outside of the code in a configuration file, a database or secret management service. </p>
+<p>Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets. </p>
 <p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
 strings, and for variable names that match any of the patterns from the provided list.</p>
 <p>It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ...</p>
@@ -20,7 +20,7 @@ <h2>Recommended Secure Coding Practices</h2>
 <ul>
   <li> Store the credentials in a configuration file that is not pushed to the code repository. </li>
   <li> Store the credentials in a database. </li>
-  <li> Use the secret management service of you cloud provider. </li>
+  <li> Use your cloud provider's service for managing secrets. </li>
   <li> If the a password has been disclosed through the source code: change it. </li>
 </ul>
 <h2>Sensitive Code Example</h2>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2681.html

@@ -2,6 +2,8 @@
 misleading and induce bugs.</p>
 <p>This rule raises an issue when the whitespacing of the lines after a one line block indicates an intent to include those lines in the block, but
 the omission of curly braces means the lines will be unconditionally executed once.</p>
+<p>Note that this rule considers tab characters to be equivalent to 1 space. If you mix spaces and tabs you will sometimes see issues in code which
+looks fine in your editor but is confusing when you change the size of tabs.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 if (condition)

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2819.html

@@ -1,9 +1,11 @@
 <p>Browsers <a href="https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage">allow message exchanges</a> between Window objects of
 different origins. </p>
 <p>Because any window can send / receive messages from other window it is important to verify the sender's / receiver's identity:</p>
-<p>- When sending message with postMessage method, the identity's receiver should be defined (the wildcard keyword (<code>*</code>) should not be
-used).</p>
-<p>- When receiving message with message event, the sender's identity should be verified using the origin and possibly source properties.</p>
+<ul>
+  <li> When sending message with postMessage method, the identity's receiver should be defined (the wildcard keyword (<code>*</code>) should not be
+  used). </li>
+  <li> When receiving message with message event, the sender's identity should be verified using the origin and possibly source properties. </li>
+</ul>
 <h2>Noncompliant Code Example</h2>
 <p>When sending message:</p>
 <pre>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4507.html

@@ -15,22 +15,6 @@ <h2>Ask Yourself Whether</h2>
 <h2>Recommended Secure Coding Practices</h2>
 <p>Do not enable debug features on production servers.</p>
 <h2>Sensitive Code Example</h2>
-<p>The <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/debugger">debugger statement</a> should be removed in
-production:</p>
-<pre>
-for (i = 1; i&lt;5; i++) {
-  // Print i to the Output window.
-  Debug.write("loop index is " + i);
-  // Wait for user to resume.
-  debugger; // Sensitive
-}
-</pre>
-<p><code>alert()</code>, <code>confirm()</code> and <code>prompt()</code> instructions should be removed in production:</p>
-<pre>
-if(unexpectedCondition) {
-  alert("Unexpected Condition");  // Sensitive
-}
-</pre>
 <p><a href="https://www.npmjs.com/package/errorhandler">errorhandler Express.js middleware</a> should not be used in production:</p>
 <pre>
 const express = require('express');

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4822.html

@@ -1,7 +1,7 @@
 <p>An exception (including <code>reject</code>) thrown by a promise will not be caught by a nesting <code>try</code> block, due to the asynchronous
 nature of execution. Instead, use <code>catch</code> method of <code>Promise</code> or wrap it inside <code>await</code> expression.</p>
-<p>This rule reports <code>try-catch</code> statements containing nothing else but call(s) to a function returning a&nbsp;<code>Promise</code> (thus
-it's less likely that <code>catch</code> is intended to catch something else than <code>Promise</code> rejection).</p>
+<p>This rule reports <code>try-catch</code> statements containing nothing else but call(s) to a function returning a <code>Promise</code> (thus it's
+less likely that <code>catch</code> is intended to catch something else than <code>Promise</code> rejection).</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 function runPromise() {

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5247.html

@@ -2,7 +2,7 @@
 <code>Groovy's template engine</code>, allow configuration of automatic variable escaping before rendering templates. When escape occurs, characters
 that make sense to the browser (eg: &lt;a&gt;) will be transformed/replaced with escaped/sanitized values (eg: &amp; lt;a&amp; gt; ).</p>
 <p>Auto-escaping is not a magic feature to annihilate all cross-site scripting attacks, it depends on <a
-href="https://twig.symfony.com/doc/3.x/filters/escape.html">the strategy applied</a> and the context, for example a "_html auto-escaping_" strategy
+href="https://twig.symfony.com/doc/3.x/filters/escape.html">the strategy applied</a> and the context, for example a "html auto-escaping" strategy
 (which only transforms html characters into <a href="https://developer.mozilla.org/en-US/docs/Glossary/Entity">html entities</a>) will not be relevant
 when variables are used in a <a href="https://en.wikipedia.org/wiki/HTML_attribute">html attribute</a> because '<code>:</code>' character is not
 escaped and thus an attack as below is possible:</p>
@@ -20,10 +20,8 @@ <h2>Ask Yourself Whether</h2>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li> Enable auto-escaping by default and continue to review the use of inputs in order to be sure that the chosen auto-escaping strategy is the
-  right one. </li>
-</ul>
+<p>Enable auto-escaping by default and continue to review the use of inputs in order to be sure that the chosen auto-escaping strategy is the right
+one.</p>
 <p> </p>
 <h2>Sensitive Code Example</h2>
 <p><a href="https://www.npmjs.com/package/mustache">mustache.js</a> template engine:</p>
@@ -130,4 +128,4 @@ <h2>See</h2>
   </li>
   <li> <a href="https://cwe.mitre.org/data/definitions/84.html">MITRE, CWE-84</a> - Improper Neutralization of Encoded URI Schemes in a Web Page </li>
 </ul>
-
+

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5247.json

@@ -2,6 +2,10 @@
   "title": "Disabling auto-escaping in template engines is security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
   "tags": [
     "cwe",
     "owasp-a7"

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5604.html

@@ -5,11 +5,15 @@
 future standard (but currently experimental) web browser query API</a> and specific APIs related to the permission. It is highly recommended to
 customize this rule with the permissions considered as intrusive in the context of the web application.</p>
 <h2>Ask Yourself Whether</h2>
-<p> * Some powerful features used by the application are not really necessary.</p>
-<p> * Users are not clearly informed why and when powerful features are used by the application.</p>
+<ul>
+  <li> Some powerful features used by the application are not really necessary. </li>
+  <li> Users are not clearly informed why and when powerful features are used by the application. </li>
+</ul>
 <p>You are at risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p> * In order to respect user privacy it is recommended to avoid using intrusive powerful features.</p>
+<ul>
+  <li> In order to respect user privacy it is recommended to avoid using intrusive powerful features. </li>
+</ul>
 <h2>Sensitive Code Example</h2>
 <p>When using <a href="https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API">geolocation API</a>, Firefox for example retrieves personal
 information like nearby wireless access points and IP address and sends it to the default geolocation service provider, <a
@@ -41,11 +45,12 @@ <h2>Compliant Solution</h2>
 &lt;/html&gt;
 </pre>
 <h2>See</h2>
-<p> * <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Web Top 10 2017 Category A3</a> - Sensitive Data
-Exposure</p>
-<p> * <a href="https://cwe.mitre.org/data/definitions/250.html">CWE-250</a> - Execution with Unnecessary Privileges</p>
-<p> * <a href="https://cwe.mitre.org/data/definitions/359.html">CWE-359</a> - Exposure of Private Information</p>
-<p> * <a href="https://www.w3.org/TR/permissions/">W3C</a> - Permissions</p>
-<p> * <a href="https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites">Mozilla</a> - Does Firefox share my location with
-websites?</p>
-
+<ul>
+  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Web Top 10 2017 Category A3</a> - Sensitive Data
+  Exposure </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/250.html">CWE-250</a> - Execution with Unnecessary Privileges </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/359.html">CWE-359</a> - Exposure of Private Information </li>
+  <li> <a href="https://www.w3.org/TR/permissions/">W3C</a> - Permissions </li>
+  <li> <a href="https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites">Mozilla</a> - Does Firefox share my location with
+  websites? </li>
+</ul>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5659.html

@@ -9,9 +9,9 @@ <h2>Noncompliant Code Example</h2>
 <pre>
 const jwt = require('jsonwebtoken');
 
-let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: JWT should include a signature
+let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: 'none' cipher doesn't sign the JWT (no signature will be included)
 
-jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: none algorithm should not be used when verifying JWT signature
+jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: 'none' cipher should not be used when verifying JWT signature
 </pre>
 <h2>Compliant Solution</h2>
 <p><a href="https://www.npmjs.com/package/jsonwebtoken">jsonwebtoken</a> library:</p>
@@ -28,4 +28,4 @@ <h2>See</h2>
   </li>
   <li> <a href="https://cwe.mitre.org/data/definitions/347.html">MITRE, CWE-347</a> - Improper Verification of Cryptographic Signature </li>
 </ul>
-
+

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5689.html

@@ -33,11 +33,12 @@ <h2>Compliant Solution</h2>
 app2.use(helmet.hidePoweredBy());
 </pre>
 <h2>See</h2>
-<p> * <a href="https://www.owasp.org/index.php/Fingerprint_Web_Application_Framework_(OTG-INFO-008)">OWASP Testing Guide - OTG-INFO-008</a> -
-Fingerprint Web Application Framework</p>
-<p> * <a href="https://www.owasp.org/index.php/Fingerprint_Web_Application_(OTG-INFO-009)">OWASP Testing Guide - OTG-INFO-009</a> - Fingerprint Web
-Application</p>
-<p> * <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
-Misconfiguration</p>
-<p> * <a href="https://cwe.mitre.org/data/definitions/200.html">MITRE, CWE-200</a> - Information Exposure</p>
-
+<ul>
+  <li> <a href="https://www.owasp.org/index.php/Fingerprint_Web_Application_Framework_(OTG-INFO-008)">OWASP Testing Guide - OTG-INFO-008</a> -
+  Fingerprint Web Application Framework </li>
+  <li> <a href="https://www.owasp.org/index.php/Fingerprint_Web_Application_(OTG-INFO-009)">OWASP Testing Guide - OTG-INFO-009</a> - Fingerprint Web
+  Application </li>
+  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
+  Misconfiguration </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/200.html">MITRE, CWE-200</a> - Information Exposure </li>
+</ul>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5691.html

@@ -4,12 +4,16 @@
 <p>Outside of the user environment, hidden files are sensitive because they are used to store privacy-related information or even hard-coded
 secrets.</p>
 <h2>Ask Yourself Whether</h2>
-<p> * Hidden files may have been inadvertently uploaded to the static server's public directory and it accepts requests to hidden files.</p>
-<p> * There is no business use cases linked to serve files in <code>.name</code> format but the server is not configured to reject requests to this
-type of files. </p>
+<ul>
+  <li> Hidden files may have been inadvertently uploaded to the static server's public directory and it accepts requests to hidden files. </li>
+  <li> There is no business use cases linked to serve files in <code>.name</code> format but the server is not configured to reject requests to this
+  type of files. </li>
+</ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<p> * Disable the serving of hidden files.</p>
+<ul>
+  <li> Disable the serving of hidden files. </li>
+</ul>
 <h2>Sensitive Code Example</h2>
 <p><a href="https://www.npmjs.com/package/serve-static">Express.js serve-static</a> middleware:</p>
 <pre>
@@ -33,6 +37,7 @@ <h2>See</h2>
   </li>
   <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Web Top 10 2017 Category A6</a> - Security
   Misconfiguration. </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/538.html">CWE-538</a> - File and Directory Information Exposure </li>
 </ul>
 <p> * <a href="https://cwe.mitre.org/data/definitions/538.html">CWE-538</a> - File and Directory Information Exposure</p>
 

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5693.html

@@ -9,10 +9,12 @@ <h2>Ask Yourself Whether</h2>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
-  <li> For most of the features of an application, it is recommended to limit the size of requests to: </li>
+  <li> For most of the features of an application, it is recommended to limit the size of requests to:
+    <ul>
+      <li> lower or equal to 8mb for file uploads. </li>
+      <li> lower or equal to 2mb for other requests. </li>
+    </ul> </li>
 </ul>
-<p> <strong></strong> lower or equal to 8mb for file uploads.</p>
-<p> <strong></strong> lower or equal to 2mb for other requests.</p>
 <p>It is recommended to customize the rule with the limit values that correspond to the web application.</p>
 <h2>Sensitive Code Example</h2>
 <p><a href="https://www.npmjs.com/package/formidable">formidable</a> file upload module:</p>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5728.html

@@ -20,10 +20,8 @@ <h2>Ask Yourself Whether</h2>
 </ul>
 <p>There is a risk if you answered yes to this question.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li> Implement content security policy fetch directives, in particular <em>default-src</em> directive and continue to properly sanitize and validate
-  all inputs of the application, indeed CSP fetch directives is only a tool to reduce +the impact+ of cross site scripting attacks. </li>
-</ul>
+<p>Implement content security policy fetch directives, in particular <em>default-src</em> directive and continue to properly sanitize and validate all
+inputs of the application, indeed CSP fetch directives is only a tool to reduce the impact of cross site scripting attacks.</p>
 <h2>Sensitive Code Example</h2>
 <p>In a Express.js application, the code is sensitive if the <a href="https://www.npmjs.com/package/helmet">helmet</a> contentSecurityPolicy
 middleware is disabled:</p>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5730.html

@@ -14,10 +14,8 @@ <h2>Ask Yourself Whether</h2>
 </ul>
 <p>There is a risk if you answered yes to this question.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li> Implement content security policy <em>block-all-mixed-content</em> directive which is supported by all modern browsers and will block loading
-  of mixed-contents. </li>
-</ul>
+<p>Implement content security policy <em>block-all-mixed-content</em> directive which is supported by all modern browsers and will block loading of
+mixed-contents.</p>
 <h2>Sensitive Code Example</h2>
 <p>In Express.js application the code is sensitive if the <a href="https://www.npmjs.com/package/helmet-csp">helmet-csp</a> or <a
 href="https://www.npmjs.com/package/helmet">helmet</a> middleware is used without the <code>blockAllMixedContent</code> directive:</p>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5732.html

@@ -1,6 +1,6 @@
 <p><a href="https://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a> attacks occur when an attacker try to trick an user to click on certain
 buttons/links of a legit website. This attack can take place with malicious HTML frames well hidden in an attacker website. </p>
-<p>For instance, suppose a safe and authentic page of a social network (https://socialnetworkexample.com/make_myprofil_public) which allows an user to
+<p>For instance, suppose a safe and authentic page of a social network (https://socialnetworkexample.com/makemyprofilpublic) which allows an user to
 change the visibility of his profile by clicking on a button. This is a critical feature with high privacy concerns. Users are generally well informed
 on the social network of the consequences of this action. An attacker can trick users, without their consent, to do this action with the below
 embedded code added on a malicious website:</p>
@@ -12,19 +12,17 @@
 &lt;/html&gt;
 </pre>
 <p>Playing with the size of the iframe it's sometimes possible to display only the critical parts of a page, in this case the button of the
-<em>make</em>myprofil_public_ page.</p>
+<em>makemyprofilpublic</em> page.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> <a href="https://en.wikipedia.org/wiki/Clickjacking#Clickjacking_categories">Critical actions</a> of the application are prone to clickjacking
   attacks because a simple click on a link or a button can trigger them. </li>
 </ul>
 <p>There is a risk if you answered yes to this question.</p>
 <h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li> Implement content security policy <em>frame-ancestors</em> directive which is supported by all modern browsers and will specify the origins of
-  frame allowed to be loaded by the browser (this directive deprecates <a
-  href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">X-Frame-Options</a>). </li>
-</ul>
+<p>Implement content security policy <em>frame-ancestors</em> directive which is supported by all modern browsers and will specify the origins of
+frame allowed to be loaded by the browser (this directive deprecates <a
+href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">X-Frame-Options</a>).</p>
 <h2>Sensitive Code Example</h2>
 <p>In Express.js application the code is sensitive if the <a href="https://www.npmjs.com/package/helmet-csp">helmet-csp</a> or <a
 href="https://www.npmjs.com/package/helmet">helmet</a> middleware is used without the <code>frameAncestors</code> directive (or if