Update rspec before release (#8931)

analyzers/rspec/cs/S1312.html

@@ -18,9 +18,11 @@ <h2>Why is this an issue?</h2>
   <li> <a href="https://www.nuget.org/packages/NLog">NLog</a> </li>
   <li> <a href="https://www.nuget.org/packages/log4net">log4net</a> </li>
 </ul>
+<h3>Noncompliant code example</h3>
 <pre data-diff-id="1" data-diff-type="noncompliant">
 public Logger logger;
 </pre>
+<h3>Compliant solution</h3>
 <pre data-diff-id="1" data-diff-type="compliant">
 private static readonly Logger logger;
 </pre>

analyzers/rspec/cs/S1312.json

@@ -1,6 +1,12 @@
 {
   "title": "Logger fields should be \"private static readonly\"",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "LOW"
+    },
+    "attribute": "CONVENTIONAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S1696.html

@@ -39,6 +39,6 @@ <h3>Documentation</h3>
   </li>
   <li> Microsoft Learn - <a href="https://learn.microsoft.com/en-us/dotnet/api/system.nullreferenceexception">NullReferenceException class</a> </li>
   <li> Microsoft Learn - <a
-  href="https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/member-access-operators#null-conditional-operators—​and-">Null-conditional operators ?. and ?[</a>] </li>
+  href="https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/operators/member-access-operators#null-conditional-operators--and-">Null-conditional operators ?. and ?[]</a> </li>
 </ul>
 

analyzers/rspec/cs/S2053.html

@@ -19,6 +19,19 @@ <h3>What is the potential impact?</h3>
 of password hashes with identical salt that can then be attacked as explained before.</p>
 <p>With short salts, the probability of a collision between two users' passwords and salts couple might be low depending on the salt size. The shorter
 the salt, the higher the collision probability. In any case, using longer, cryptographically secure salt should be preferred.</p>
+<h3>Exceptions</h3>
+<p>To securely store password hashes, it is a recommended to rely on key derivation functions that are computationally intensive. Examples of such
+functions are:</p>
+<ul>
+  <li> Argon2 </li>
+  <li> PBKDF2 </li>
+  <li> Scrypt </li>
+  <li> Bcrypt </li>
+</ul>
+<p>When they are used for password storage, using a secure, random salt is required.</p>
+<p>However, those functions can also be used for other purposes such as master key derivation or password-based pre-shared key generation. In those
+cases, the implemented cryptographic protocol might require using a fixed salt to derive keys in a deterministic way. In such cases, using a fixed
+salt is safe and accepted.</p>
 <h2>How to fix it in .NET</h2>
 <h3>Code examples</h3>
 <p>The following code contains examples of hard-coded salts.</p>
@@ -43,7 +56,7 @@ <h4>Compliant solution</h4>
 </pre>
 <h3>How does this work?</h3>
 <p>This code ensures that each user’s password has a unique salt value associated with it. It generates a salt randomly and with a length that
-provides the required security level. It uses a salt length of at least 16 bytes (128 bits), as recommended by industry standards.</p>
+provides the required security level. It uses a salt length of at least 32 bytes (256 bits), as recommended by industry standards.</p>
 <p>In the case of the code sample, the class automatically takes care of generating a secure salt if none is specified.</p>
 <h2>Resources</h2>
 <h3>Standards</h3>

analyzers/rspec/cs/S2053.json

@@ -1,5 +1,5 @@
 {
-  "title": "Hashes should include an unpredictable salt",
+  "title": "Password hashing functions should use an unpredictable salt",
   "type": "VULNERABILITY",
   "code": {
     "impacts": {

analyzers/rspec/cs/S2629.json

@@ -1,6 +1,12 @@
 {
   "title": "Logging templates should be constant",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "EFFICIENT"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6664.json

@@ -1,6 +1,12 @@
 {
   "title": "The code block contains too many logging calls",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "LOW"
+    },
+    "attribute": "FOCUSED"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6667.json

@@ -1,6 +1,12 @@
 {
   "title": "Logging in a catch clause should pass the caught exception as a parameter.",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "COMPLETE"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6668.json

@@ -1,6 +1,12 @@
 {
   "title": "Logging arguments should be passed to the correct parameter",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "LOGICAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6669.json

@@ -1,12 +1,20 @@
 {
   "title": "Logger field or property name should comply with a naming convention",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "2min"
   },
-  "tags": ["logging"],
+  "tags": [
+    "logging"
+  ],
   "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-6669",
   "sqKey": "S6669",

analyzers/rspec/cs/S6670.json

@@ -1,6 +1,12 @@
 {
   "title": "\"Trace.Write\" and \"Trace.WriteLine\" should not be used",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "LOGICAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6672.json

@@ -1,6 +1,12 @@
 {
   "title": "Generic logger injection should match enclosing type",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6673.json

@@ -1,6 +1,12 @@
 {
   "title": "Log message template placeholders should be in the right order",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6674.json

@@ -1,6 +1,12 @@
 {
   "title": "Log message template should be syntactically correct",
   "type": "BUG",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "LOGICAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6675.html

@@ -9,21 +9,12 @@ <h2>Why is this an issue?</h2>
 <p>Using <code>Trace.WriteLineIf</code> with such properties should be avoided since it can lead to misinterpretation and produce confusion.</p>
 <p>In particular, <code>Trace.WriteLineIf</code> may appear as equivalent to the level-specific tracing methods provided by <code>Trace</code>, such
 as <a href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.trace.traceerror"><code>Trace.Error</code></a>, but it is not.</p>
-<h3>Code examples</h3>
-<h4>Noncompliant code example</h4>
-<pre data-diff-id="1" data-diff-type="noncompliant">
-public void Method(TraceSwitch traceSwitch)
-{
-    Trace.WriteIf(traceSwitch.TraceError, "Failed to log in!");
-}
-</pre>
-<h4>Compliant solution</h4>
-<pre data-diff-id="1" data-diff-type="compliant">
-public void Method(bool condition)
-{
-    Trace.WriteIf(condition, "Failed to log in!");
-}
-</pre>
+<p>The difference is that <code>Trace.WriteLineIf(switch.TraceError, …​)</code> conditionally writes the trace, based on the switch, whereas
+<code>Trace.TraceError</code> always writes the trace, no matter whether <code>switch.TraceError</code> is <code>true</code> or
+<code>false</code>.</p>
+<p>Moreover, unlike <code>Trace.TraceError</code>, <code>Trace.WriteLineIf(switch.TraceError, …​)</code> would behave like
+<code>Trace.WriteLine(…​)</code> when <code>switch.TraceError</code> is <code>true</code>, writing unfiltered to the underlying trace listeners and
+not categorizing the log entry by level, as described more in detail in {rule:csharpsquid:S6670}.</p>
 <h2>How to fix it</h2>
 <p>The fix depends on the intent behind the use of <a
 href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.traceswitch"><code>TraceSwitch</code></a> levels with <a

analyzers/rspec/cs/S6675.json

@@ -1,6 +1,12 @@
 {
   "title": "\"Trace.WriteLineIf\" should not be used with \"TraceSwitch\" levels",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "LOGICAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6677.json

@@ -1,6 +1,12 @@
 {
   "title": "Message template placeholders should be unique",
   "type": "BUG",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "LOGICAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6678.json

@@ -1,6 +1,12 @@
 {
   "title": "Use PascalCase for named placeholders",
   "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "LOW"
+    },
+    "attribute": "CONVENTIONAL"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

analyzers/rspec/cs/S6930.html

@@ -27,7 +27,7 @@ <h2>How to fix it</h2>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
-[Route(@"Something\[controller]")] // Noncompliant: Replace `\` with `/`.
+[Route(@"Something\[controller]")] // Noncompliant: Replace '\' with '/'.
 public class HomeController : Controller
 {
     [HttpGet]
@@ -36,7 +36,7 @@ <h4>Noncompliant code example</h4>
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
-[Route(@"Something/[controller]")] // `\` replaced with `/`
+[Route(@"Something/[controller]")] // '\' replaced with '/'
 public class HomeController : Controller
 {
     [HttpGet]
@@ -47,13 +47,13 @@ <h4>Noncompliant code example</h4>
 <pre data-diff-id="2" data-diff-type="noncompliant">
 app.MapControllerRoute(
     name: "default",
-    pattern: "{controller=Home}\\{action=Index}"); // Noncompliant: Replace `\` with `/`.
+    pattern: "{controller=Home}\\{action=Index}"); // Noncompliant: Replace '\' with '/'.
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="2" data-diff-type="compliant">
 app.MapControllerRoute(
     name: "default",
-    pattern: "{controller=Home}/{action=Index}"); // `\` replaced with `/`
+    pattern: "{controller=Home}/{action=Index}"); // '\' replaced with '/'
 </pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>

analyzers/rspec/vbnet/S2053.html

@@ -19,6 +19,19 @@ <h3>What is the potential impact?</h3>
 of password hashes with identical salt that can then be attacked as explained before.</p>
 <p>With short salts, the probability of a collision between two users' passwords and salts couple might be low depending on the salt size. The shorter
 the salt, the higher the collision probability. In any case, using longer, cryptographically secure salt should be preferred.</p>
+<h3>Exceptions</h3>
+<p>To securely store password hashes, it is a recommended to rely on key derivation functions that are computationally intensive. Examples of such
+functions are:</p>
+<ul>
+  <li> Argon2 </li>
+  <li> PBKDF2 </li>
+  <li> Scrypt </li>
+  <li> Bcrypt </li>
+</ul>
+<p>When they are used for password storage, using a secure, random salt is required.</p>
+<p>However, those functions can also be used for other purposes such as master key derivation or password-based pre-shared key generation. In those
+cases, the implemented cryptographic protocol might require using a fixed salt to derive keys in a deterministic way. In such cases, using a fixed
+salt is safe and accepted.</p>
 <h2>How to fix it in .NET</h2>
 <h3>Code examples</h3>
 <p>The following code contains examples of hard-coded salts.</p>
@@ -41,7 +54,7 @@ <h4>Compliant solution</h4>
 </pre>
 <h3>How does this work?</h3>
 <p>This code ensures that each user’s password has a unique salt value associated with it. It generates a salt randomly and with a length that
-provides the required security level. It uses a salt length of at least 16 bytes (128 bits), as recommended by industry standards.</p>
+provides the required security level. It uses a salt length of at least 32 bytes (256 bits), as recommended by industry standards.</p>
 <p>In the case of the code sample, the class automatically takes care of generating a secure salt if none is specified.</p>
 <h2>Resources</h2>
 <h3>Standards</h3>

analyzers/rspec/vbnet/S2053.json

@@ -1,5 +1,5 @@
 {
-  "title": "Hashes should include an unpredictable salt",
+  "title": "Password hashing functions should use an unpredictable salt",
   "type": "VULNERABILITY",
   "code": {
     "impacts": {

analyzers/rspec/vbnet/S6930.html

@@ -27,7 +27,7 @@ <h2>How to fix it</h2>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
-&lt;Route("Something\[controller]")&gt; ' Noncompliant: Replace `\` with `/`.
+&lt;Route("Something\[controller]")&gt; ' Noncompliant: Replace '\' with '/'.
 Public Class HomeController
     Inherits Controller
 
@@ -39,7 +39,7 @@ <h4>Noncompliant code example</h4>
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
-&lt;Route("Something/[controller]")&gt; ' `\` replaced with `/`
+&lt;Route("Something/[controller]")&gt; ' '\' replaced with '/'
 Public Class HomeController
     Inherits Controller
 
@@ -53,13 +53,13 @@ <h4>Noncompliant code example</h4>
 <pre data-diff-id="2" data-diff-type="noncompliant">
 app.MapControllerRoute(
     name:="default",
-    pattern:="{controller=Home}\{action=Index}") ' Noncompliant: Replace `\` with `/`.
+    pattern:="{controller=Home}\{action=Index}") ' Noncompliant: Replace '\' with '/'.
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="2" data-diff-type="compliant">
 app.MapControllerRoute(
     name:="default",
-    pattern:="{controller=Home}/{action=Index}") ' `\` replaced with `/`
+    pattern:="{controller=Home}/{action=Index}") ' '\' replaced with '/'
 </pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>

analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "CSH"
   ],
-  "latest-update": "2024-02-29T15:53:45.968501800Z",
+  "latest-update": "2024-03-15T12:11:31.487123200Z",
   "options": {
     "no-language-in-filenames": true
   }

analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "VBNET"
   ],
-  "latest-update": "2024-02-29T15:54:07.274928100Z",
+  "latest-update": "2024-03-15T12:11:49.495514500Z",
   "options": {
     "no-language-in-filenames": true
   }