Update RSPEC before 9.26 release (#9358)

analyzers/rspec/cs/S2053.html

@@ -66,5 +66,7 @@ <h3>Standards</h3>
   Exposure</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/759">CWE-759 - Use of a One-Way Hash without a Salt</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/760">CWE-760 - Use of a One-Way Hash with a Predictable Salt</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542">Application Security and
+  Development: V-222542</a> - The application must only store cryptographic representations of passwords. </li>
 </ul>
 

analyzers/rspec/cs/S2053.json

@@ -35,6 +35,9 @@
     ],
     "PCI DSS 4.0": [
       "6.2.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222542"
     ]
   },
   "quickfix": "unknown"

analyzers/rspec/cs/S2092.html

@@ -49,5 +49,7 @@ <h2>See</h2>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/315">CWE-315 - Cleartext Storage of Sensitive Information in a Cookie</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/614">CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222576">Application Security and
+  Development: V-222576</a> - The application must set the secure flag on session cookies. </li>
 </ul>
 

analyzers/rspec/cs/S2092.json

@@ -44,6 +44,9 @@
       "6.1.1",
       "6.1.2",
       "6.1.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222576"
     ]
   }
 }

analyzers/rspec/cs/S2184.html

@@ -24,7 +24,10 @@ <h3>Compliant solution</h3>
 static void Method(float f) { }
 </pre>
 <h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/190">CWE-190 - Integer Overflow or Wraparound</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612">Application Security and
+  Development: V-222612</a> - The application must not be vulnerable to overflow attacks. </li>
 </ul>
 

analyzers/rspec/cs/S2184.json

@@ -26,6 +26,9 @@
     ],
     "ASVS 4.0": [
       "5.4.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
     ]
   },
   "quickfix": "unknown"

analyzers/rspec/cs/S2221.html

@@ -1,7 +1,7 @@
 <h2>Why is this an issue?</h2>
 <p>Catching <code>System.Exception</code> seems like an efficient way to handle multiple possible exceptions. Unfortunately, it traps all exception
-types, including the ones that were not intended to be caught. To prevent any misunderstandings, the exception filters should be used. Alternatively
-each exception type should be in a separate <code>catch</code> block.</p>
+types, including the ones that were not intended to be caught. To prevent any misunderstandings, exception filters should be used. Alternatively, each
+exception type should be in a separate <code>catch</code> block.</p>
 <h3>Noncompliant code example</h3>
 <pre>
 try
@@ -19,22 +19,22 @@ <h3>Compliant solution</h3>
 {
   // do something
 }
-catch (Exception e) when (e is FileNotFoundException || e is IOException)
+catch (Exception e) when (e is FileNotFoundException or IOException)
 {
   // do something
 }
 </pre>
 <h3>Exceptions</h3>
 <p>The final option is to catch <code>System.Exception</code> and <code>throw</code> it in the last statement in the <code>catch</code> block. This is
-the least-preferred option, as it is an old-style code, which also suffers from performance penalty compared to exception filters.</p>
+the least-preferred option, as it is an old-style code, which also suffers from performance penalties compared to exception filters.</p>
 <pre>
 try
 {
   // do something
 }
 catch (Exception e)
 {
-  if (e is FileNotFoundException || e is IOException)
+  if (e is FileNotFoundException or IOException)
   {
     // do something
   }

analyzers/rspec/cs/S2365.html

@@ -12,22 +12,21 @@ <h2>How to fix it</h2>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
-private List&lt;string&gt; _foo = new List&lt;string&gt; { "a", "b", "c" };
-public IEnumerable&lt;string&gt; Foo  // Noncompliant: expensive ToList call
-{
-    get
-    {
-        return (string[])_foo.Clone();
-    }
-}
+private List&lt;string&gt; foo = new List&lt;string&gt; { "a", "b", "c" };
+private string[] bar = new string[] { "a", "b", "c" };
+
+public IEnumerable&lt;string&gt; Foo =&gt; foo.ToList(); // Noncompliant: collection foo is copied
+
+public IEnumerable&lt;string&gt; Bar =&gt; (string[])bar.Clone(); // Noncompliant: array bar is copied
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
-private List&lt;string&gt; _foo = new List&lt;string&gt; { "a", "b", "c" };
-public IEnumerable&lt;string&gt; GetFoo()
-{
-    return (string[])_foo.Clone();
-}
+private List&lt;string&gt; foo = new List&lt;string&gt; { "a", "b", "c" };
+private string[] bar = new string[] { "a", "b", "c" };
+
+public IEnumerable&lt;string&gt; GetFoo() =&gt; foo.ToList();
+
+public IEnumerable&lt;string&gt; GetBar() =&gt; (string[])bar.Clone();
 </pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>

analyzers/rspec/cs/S2612.html

@@ -66,5 +66,7 @@ <h2>See</h2>
   href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission">OWASP File Permission</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/266">CWE-266 - Incorrect Privilege Assignment</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430">Application Security and
+  Development: V-222430</a> - The application must execute without excessive account permissions. </li>
 </ul>
 

analyzers/rspec/cs/S2612.json

@@ -39,6 +39,9 @@
     ],
     "ASVS 4.0": [
       "4.3.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222430"
     ]
   }
 }

analyzers/rspec/cs/S2696.html

@@ -38,4 +38,9 @@ <h3>Articles &amp; blog posts</h3>
 <ul>
   <li> <a href="https://www.c-sharpcorner.com/UploadFile/1d42da/race-conditions-in-threading-C-Sharp/">Race Conditions in C#</a> </li>
 </ul>
+<h3>Standards</h3>
+<ul>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567">Application Security and
+  Development: V-222567</a> - The application must not be vulnerable to race conditions. </li>
+</ul>
 

analyzers/rspec/cs/S2696.json

@@ -19,5 +19,10 @@
   "ruleSpecification": "RSPEC-2696",
   "sqKey": "S2696",
   "scope": "Main",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222567"
+    ]
+  },
   "quickfix": "infeasible"
 }

analyzers/rspec/cs/S2755.html

@@ -61,5 +61,7 @@ <h3>Standards</h3>
   Entities (XXE)</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/611">CWE-611 - Information Exposure Through XML External Entity Reference</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/827">CWE-827 - Improper Control of Document Type Definition</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608">Application Security and
+  Development: V-222608</a> - The application must not be vulnerable to XML-oriented attacks. </li>
 </ul>
 

analyzers/rspec/cs/S2755.json

@@ -38,6 +38,9 @@
     ],
     "ASVS 4.0": [
       "5.5.2"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608"
     ]
   },
   "quickfix": "unknown"

analyzers/rspec/cs/S3330.html

@@ -50,5 +50,7 @@ <h2>See</h2>
   (XSS)</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1004">CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag</a> </li>
   <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE">HTTPONLY_COOKIE</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222575">Application Security and
+  Development: V-222575</a> - The application must set the HTTPOnly flag on session cookies. </li>
 </ul>
 

analyzers/rspec/cs/S3330.json

@@ -38,6 +38,9 @@
     ],
     "ASVS 4.0": [
       "3.4.2"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222575"
     ]
   }
 }

analyzers/rspec/cs/S3949.html

@@ -26,4 +26,10 @@ <h2>Compliant solution</h2>
     return number + value;
 }
 </pre>
+<h2>Resources</h2>
+<h3>Standards</h3>
+<ul>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612">Application Security and
+  Development: V-222612</a> - The application must not be vulnerable to overflow attacks. </li>
+</ul>
 

analyzers/rspec/cs/S3949.json

@@ -19,5 +19,10 @@
   "ruleSpecification": "RSPEC-3949",
   "sqKey": "S3949",
   "scope": "All",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222612"
+    ]
+  },
   "quickfix": "unknown"
 }

analyzers/rspec/cs/S4502.html

@@ -58,5 +58,7 @@ <h2>See</h2>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
   <li> <a href="https://owasp.org/www-community/attacks/csrf">OWASP: Cross-Site Request Forgery</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222603">Application Security and
+  Development: V-222603</a> - The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. </li>
 </ul>
 

analyzers/rspec/cs/S4502.json

@@ -38,6 +38,9 @@
     "ASVS 4.0": [
       "13.2.3",
       "4.2.2"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222603"
     ]
   }
 }

analyzers/rspec/cs/S4830.html

@@ -64,5 +64,7 @@ <h3>Standards</h3>
   <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements">Mobile AppSec
   Verification Standard - Network Communication Requirements</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/295">CWE-295 - Improper Certificate Validation</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550">Application Security and
+  Development: V-222550</a> - The application must validate certificates by constructing a certification path to an accepted trust anchor. </li>
 </ul>
 

analyzers/rspec/cs/S4830.json

@@ -52,6 +52,9 @@
     "ASVS 4.0": [
       "1.9.2",
       "9.2.1"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222550"
     ]
   },
   "quickfix": "unknown"

analyzers/rspec/cs/S5034.html

@@ -52,4 +52,9 @@ <h3>Documentation</h3>
   <li> <a href="https://blogs.msdn.microsoft.com/dotnet/2018/11/07/understanding-the-whys-whats-and-whens-of-valuetask">Understanding the Whys, Whats,
   and Whens of ValueTask</a> </li>
 </ul>
+<h3>Standards</h3>
+<ul>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567">Application Security and
+  Development: V-222567</a> - The application must not be vulnerable to race conditions. </li>
+</ul>
 

analyzers/rspec/cs/S5034.json

@@ -19,5 +19,10 @@
   "ruleSpecification": "RSPEC-5034",
   "sqKey": "S5034",
   "scope": "All",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222567"
+    ]
+  },
   "quickfix": "infeasible"
 }

analyzers/rspec/cs/S5332.html

@@ -78,21 +78,51 @@ <h2>Exceptions</h2>
   <li> Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or <code>localhost</code>. </li>
 </ul>
 <h2>See</h2>
+<h3>Documentation</h3>
 <ul>
+  <li> AWS Documentation - <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html">Listeners for
+  your Application Load Balancers</a> </li>
+  <li> AWS Documentation - <a
+  href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html">Stream Encryption</a>
+  </li>
+</ul>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li> Google - <a href="https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html">Moving towards more secure web</a> </li>
+  <li> Mozilla - <a href="https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/">Deprecating non secure http</a> </li>
+</ul>
+<h3>Standards</h3>
+<ul>
+  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
+  Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a> </li>
-  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data Exposure
-  </a> </li>
   <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements">Mobile AppSec
   Verification Standard - Network Communication Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication">Mobile Top 10 2016 Category M3 - Insecure
   Communication</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/200">CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/319">CWE-319 - Cleartext Transmission of Sensitive Information</a> </li>
-  <li> <a href="https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html">Google, Moving towards more secure web</a> </li>
-  <li> <a href="https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/">Mozilla, Deprecating non secure http</a> </li>
-  <li> <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html">AWS Documentation</a> - Listeners
-  for your Application Load Balancers </li>
-  <li> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html">AWS
-  Documentation</a> - Stream Encryption </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397">Application Security and
+  Development: V-222397</a> - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534">Application Security and
+  Development: V-222534</a> - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562">Application Security and
+  Development: V-222562</a> - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of
+  maintenance and diagnostic communications. </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563">Application Security and
+  Development: V-222563</a> - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of
+  maintenance and diagnostic communications. </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577">Application Security and
+  Development: V-222577</a> - The application must not expose session IDs. </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596">Application Security and
+  Development: V-222596</a> - The application must protect the confidentiality and integrity of transmitted information. </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597">Application Security and
+  Development: V-222597</a> - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect
+  changes to information during transmission. </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598">Application Security and
+  Development: V-222598</a> - The application must maintain the confidentiality and integrity of information during preparation for transmission.
+  </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599">Application Security and
+  Development: V-222599</a> - The application must maintain the confidentiality and integrity of information during reception. </li>
 </ul>
 

analyzers/rspec/cs/S5332.json

@@ -44,6 +44,17 @@
       "1.9.1",
       "9.1.1",
       "9.2.2"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222397",
+      "V-222534",
+      "V-222562",
+      "V-222563",
+      "V-222577",
+      "V-222596",
+      "V-222597",
+      "V-222598",
+      "V-222599"
     ]
   }
 }

analyzers/rspec/cs/S5344.html

@@ -229,7 +229,7 @@ <h4>Select the correct Bcrypt parameters</h4>
 <p>When bcrypt’s hashing function is used, it is important to select a round count that is high enough to make the function slow enough to prevent
 brute force: More than 12 rounds.</p>
 <p>For bcrypt’s key derivation function, the number of rounds should likewise be high enough to make the function slow enough to prevent brute force:
-More than 4096 rounds <code>(2**12)</code>.<br> This number is not the same coefficient as the first one because it uses a different algorithm.</p>
+More than 4096 rounds <code>(2^12)</code>.<br> This number is not the same coefficient as the first one because it uses a different algorithm.</p>
 <h4>Select the correct Scrypt parameters</h4>
 <p>If scrypt must be used, the default values of scrypt are considered secure.</p>
 <p>Like Argon2id, scrypt has three different parameters that can be configured. N is the CPU/memory cost parameter and must be a power of two. r is

analyzers/rspec/cs/S5443.html

@@ -71,5 +71,7 @@ <h2>See</h2>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/379">CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions</a>
   </li>
   <li> <a href="https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File">OWASP, Insecure Temporary File</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567">Application Security and
+  Development: V-222567</a> - The application must not be vulnerable to race conditions. </li>
 </ul>
 

analyzers/rspec/cs/S5443.json

@@ -32,6 +32,9 @@
     ],
     "PCI DSS 4.0": [
       "6.2.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222567"
     ]
   }
 }

analyzers/rspec/cs/S5445.html

@@ -88,5 +88,7 @@ <h3>Standards</h3>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/377">CWE-377 - Insecure Temporary File</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/379">CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions</a>
   </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567">Application Security and
+  Development: V-222567</a> - The application must not be vulnerable to race conditions. </li>
 </ul>