Update static RSPEC files

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CLEAR"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1314.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CLEAR"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "LAWFUL"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1599.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "CLEAR"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "MODULAR"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html

@@ -8,7 +8,6 @@
 <p>Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.</p>
 <p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
 strings, and for variable names that match any of the patterns from the provided list.</p>
-<p>It’s recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", …​</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> Credentials allow access to a sensitive component like a database, a file storage, an API or a service. </li>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "TRUSTWORTHY"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "TESTED"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html

@@ -1,45 +1,55 @@
-<p>Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:</p>
+<p>PRNGs are algorithms that produce sequences of numbers that only approximate true randomness. While they are suitable for applications like
+simulations or modeling, they are not appropriate for security-sensitive contexts because their outputs can be predictable if the internal state is
+known.</p>
+<p>In contrast, cryptographically secure pseudorandom number generators (CSPRNGs) are designed to be secure against prediction attacks. CSPRNGs use
+cryptographic algorithms to ensure that the generated sequences are not only random but also unpredictable, even if part of the sequence or the
+internal state becomes known. This unpredictability is crucial for security-related tasks such as generating encryption keys, tokens, or any other
+values that must remain confidential and resistant to guessing attacks.</p>
+<p>For example, the use of non-cryptographic PRNGs has led to vulnerabilities such as:</p>
 <ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386">CVE-2013-6386</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419">CVE-2006-3419</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102">CVE-2008-4102</a> </li>
+  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386">CVE-2013-6386</a> </li>
+  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419">CVE-2006-3419</a> </li>
+  <li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102">CVE-2008-4102</a> </li>
 </ul>
 <p>When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that
-will be generated, and use this guess to impersonate another user or access sensitive information.</p>
-<p>As the <code>rand()</code> and <code>mt_rand()</code> functions rely on a pseudorandom number generator, it should not be used for
-security-critical applications or for protecting sensitive data.</p>
+will be generated, and use this guess to impersonate another user or access sensitive information. Therefore, it is critical to use CSPRNGs in any
+security-sensitive application to ensure the robustness and security of the system.</p>
+<p>As the <code>rand()</code> and <code>mt_rand()</code> functions are no CSPRNGs, they should not be used for security-critical applications or for
+protecting sensitive data.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> the code using the generated value requires it to be unpredictable. It is the case for all encryption mechanisms or when a secret value, such
   as a password, is hashed. </li>
-  <li> the function you use generates a value which can be predicted (pseudo-random). </li>
+  <li> the function you use is a non-cryptographic PRNG. </li>
   <li> the generated value is used multiple times. </li>
   <li> an attacker can access the generated value. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
-  <li> Use functions which rely on a cryptographically strong random number generator such as <code>random_int()</code> or <code>random_bytes()</code>
-  or <code>openssl_random_pseudo_bytes()</code> </li>
-  <li> When using <code>openssl_random_pseudo_bytes()</code>, provide and check the <code>crypto_strong</code> parameter </li>
+  <li> Use functions which rely on a cryptographically secure pseudo random number generator (CSPRNG) such as <code>random_int()</code> or
+  <code>random_bytes()</code> or <code>openssl_random_pseudo_bytes()</code>. </li>
+  <li> When using <code>openssl_random_pseudo_bytes()</code>, provide and check the <code>crypto_strong</code> parameter. </li>
   <li> Use the generated random values only once. </li>
   <li> You should not expose the generated random value. If you have to store it, make sure that the database or file is secure. </li>
 </ul>
 <h2>Sensitive Code Example</h2>
 <pre>
-$random = rand();
-$random2 = mt_rand(0, 99);
+$random = rand(); // Sensitive
+$random2 = mt_rand(0, 99); // Sensitive
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
-$randomInt = random_int(0,99); // Compliant; generates a cryptographically secure random integer
+$randomInt = random_int(0,99);
 </pre>
 <h2>See</h2>
 <ul>
+  <li> OWASP - <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation">Secure
+  Random Number Generation Cheat Sheet</a> </li>
   <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a> </li>
-  <li> <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/338">CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)</a>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "TESTED"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "CONVENTIONAL"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3360.json

@@ -3,7 +3,7 @@
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "IDENTIFIABLE"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5708.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5911.json

@@ -3,7 +3,7 @@
   "type": "BUG",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "BLOCKER"
     },
     "attribute": "LOGICAL"
   },

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.html

@@ -6,9 +6,9 @@
   <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42635">CVE-2021-42635</a> </li>
 </ul>
 <p>Secrets should be stored outside of the source code in a configuration file or a management service for secrets.</p>
-<p>This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a
-pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The
-randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.</p>
+<p>This rule detects {detections} having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom
+hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness
+sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> The secret allows access to a sensitive component like a database, a file storage, an API, or a service. </li>

php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.json

@@ -3,7 +3,7 @@
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "BLOCKER"
     },
     "attribute": "TRUSTWORTHY"
   },

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "PHP"
   ],
-  "latest-update": "2024-09-25T15:28:53.719860Z",
+  "latest-update": "2024-11-13T13:03:49.551706Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true