diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.json
index 0d3c0b36a..3b3cc28e0 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.json
@@ -3,7 +3,7 @@
"type": "CODE_SMELL",
"code": {
"impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
},
"attribute": "CLEAR"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1314.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1314.json
index 66bbaf090..d7557e6e9 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1314.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1314.json
@@ -3,7 +3,7 @@
"type": "CODE_SMELL",
"code": {
"impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
},
"attribute": "CLEAR"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json
index b6b4082f1..2ce435101 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json
@@ -3,7 +3,7 @@
"type": "CODE_SMELL",
"code": {
"impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
},
"attribute": "LAWFUL"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1599.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1599.json
index f9c5245a9..75447271f 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1599.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1599.json
@@ -3,7 +3,7 @@
"type": "CODE_SMELL",
"code": {
"impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
},
"attribute": "CLEAR"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json
index d2f7fbc76..c3bdbb939 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json
@@ -3,7 +3,7 @@
"type": "BUG",
"code": {
"impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
},
"attribute": "CONVENTIONAL"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.json
index b0efbcee6..b92e54850 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.json
@@ -3,7 +3,7 @@
"type": "CODE_SMELL",
"code": {
"impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
},
"attribute": "MODULAR"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json
index 88295059e..e41704ab5 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json
@@ -3,7 +3,7 @@
"type": "BUG",
"code": {
"impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
},
"attribute": "LOGICAL"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html
index b29dcea16..10bb69236 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html
@@ -8,7 +8,6 @@
Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.
This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
strings, and for variable names that match any of the patterns from the provided list.
-It’s recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", …
Ask Yourself Whether
- Credentials allow access to a sensitive component like a database, a file storage, an API or a service.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.json
index 84ca11321..c23d4c83a 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.json
@@ -3,7 +3,7 @@
"type": "SECURITY_HOTSPOT",
"code": {
"impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
},
"attribute": "TRUSTWORTHY"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.json
index 47d868df5..a50a1de06 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.json
@@ -3,7 +3,7 @@
"type": "CODE_SMELL",
"code": {
"impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
},
"attribute": "TESTED"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html
index 2cf0ec73d..56c9e4d5b 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html
@@ -1,45 +1,55 @@
-Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
+PRNGs are algorithms that produce sequences of numbers that only approximate true randomness. While they are suitable for applications like
+simulations or modeling, they are not appropriate for security-sensitive contexts because their outputs can be predictable if the internal state is
+known.
+In contrast, cryptographically secure pseudorandom number generators (CSPRNGs) are designed to be secure against prediction attacks. CSPRNGs use
+cryptographic algorithms to ensure that the generated sequences are not only random but also unpredictable, even if part of the sequence or the
+internal state becomes known. This unpredictability is crucial for security-related tasks such as generating encryption keys, tokens, or any other
+values that must remain confidential and resistant to guessing attacks.
+For example, the use of non-cryptographic PRNGs has led to vulnerabilities such as:
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that
-will be generated, and use this guess to impersonate another user or access sensitive information.
-As the rand()
and mt_rand()
functions rely on a pseudorandom number generator, it should not be used for
-security-critical applications or for protecting sensitive data.
+will be generated, and use this guess to impersonate another user or access sensitive information. Therefore, it is critical to use CSPRNGs in any
+security-sensitive application to ensure the robustness and security of the system.
+As the rand()
and mt_rand()
functions are no CSPRNGs, they should not be used for security-critical applications or for
+protecting sensitive data.
Ask Yourself Whether
- the code using the generated value requires it to be unpredictable. It is the case for all encryption mechanisms or when a secret value, such
as a password, is hashed.
- - the function you use generates a value which can be predicted (pseudo-random).
+ - the function you use is a non-cryptographic PRNG.
- the generated value is used multiple times.
- an attacker can access the generated value.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- - Use functions which rely on a cryptographically strong random number generator such as
random_int()
or random_bytes()
- or openssl_random_pseudo_bytes()
- - When using
openssl_random_pseudo_bytes()
, provide and check the crypto_strong
parameter
+ - Use functions which rely on a cryptographically secure pseudo random number generator (CSPRNG) such as
random_int()
or
+ random_bytes()
or openssl_random_pseudo_bytes()
.
+ - When using
openssl_random_pseudo_bytes()
, provide and check the crypto_strong
parameter.
- Use the generated random values only once.
- You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.
Sensitive Code Example
-$random = rand();
-$random2 = mt_rand(0, 99);
+$random = rand(); // Sensitive
+$random2 = mt_rand(0, 99); // Sensitive
Compliant Solution
-$randomInt = random_int(0,99); // Compliant; generates a cryptographically secure random integer
+$randomInt = random_int(0,99);
See
+ - OWASP - Secure
+ Random Number Generation Cheat Sheet
- OWASP - Top 10 2021 Category A2 - Cryptographic Failures
- OWASP - Top 10 2017 Category A3 - Sensitive Data
Exposure
- - Mobile AppSec Verification Standard - Cryptography Requirements
+ - OWASP - Mobile AppSec Verification Standard - Cryptography Requirements
- OWASP - Mobile Top 10 2016 Category M5 -
Insufficient Cryptography
- CWE - CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.json
index 537285329..75ff9c139 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.json
@@ -3,7 +3,7 @@
"type": "CODE_SMELL",
"code": {
"impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
},
"attribute": "TESTED"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.json
index 7b21f8442..fe96d56e9 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.json
@@ -3,7 +3,7 @@
"type": "VULNERABILITY",
"code": {
"impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
},
"attribute": "CONVENTIONAL"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.json
index 312b5eb25..d0dc9182e 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.json
@@ -3,7 +3,7 @@
"type": "VULNERABILITY",
"code": {
"impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
},
"attribute": "COMPLETE"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.json
index 7d78b18fd..901466dc2 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.json
@@ -3,7 +3,7 @@
"type": "VULNERABILITY",
"code": {
"impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
},
"attribute": "COMPLETE"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.json
index 4ddc551bf..1743c6d29 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.json
@@ -3,7 +3,7 @@
"type": "VULNERABILITY",
"code": {
"impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
},
"attribute": "COMPLETE"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3360.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3360.json
index 791f85b87..35bbc3d66 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3360.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3360.json
@@ -3,7 +3,7 @@
"type": "CODE_SMELL",
"code": {
"impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "BLOCKER"
},
"attribute": "IDENTIFIABLE"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json
index 4b0897b6d..53db9110e 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json
@@ -3,7 +3,7 @@
"type": "BUG",
"code": {
"impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
},
"attribute": "LOGICAL"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5708.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5708.json
index 046c70663..6c78f6f86 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5708.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5708.json
@@ -3,7 +3,7 @@
"type": "BUG",
"code": {
"impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
},
"attribute": "LOGICAL"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5911.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5911.json
index edb0fa7f5..3925671b0 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5911.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5911.json
@@ -3,7 +3,7 @@
"type": "BUG",
"code": {
"impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "BLOCKER"
},
"attribute": "LOGICAL"
},
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.html
index ece38fff5..455f79a2d 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.html
@@ -6,9 +6,9 @@
- CVE-2021-42635
Secrets should be stored outside of the source code in a configuration file or a management service for secrets.
-This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a
-pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The
-randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.
+This rule detects {detections} having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom
+hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness
+sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.
Ask Yourself Whether
- The secret allows access to a sensitive component like a database, a file storage, an API, or a service.
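Review bot: The first added line of this hunk carries a literal `{detections}` token where the removed text read `variables/fields`; if this HTML is served as-is, the rule description will show the raw placeholder to users instead of the intended noun. Nothing in this change shows a substitution step for that token, so it is worth confirming that the generated resource in the built plugin reads `This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom` (or the intended PHP-specific wording). If no such step exists, the placeholder should be replaced in the source file rather than left for the description renderer. The surrounding paragraph continues outside the hunk.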
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.json
index 41d5aae9f..9c9a735b3 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S6418.json
@@ -3,7 +3,7 @@
"type": "SECURITY_HOTSPOT",
"code": {
"impacts": {
- "SECURITY": "HIGH"
+ "SECURITY": "BLOCKER"
},
"attribute": "TRUSTWORTHY"
},
diff --git a/sonarpedia.json b/sonarpedia.json
index f5f00aec2..c9432fd2a 100644
--- a/sonarpedia.json
+++ b/sonarpedia.json
@@ -3,7 +3,7 @@
"languages": [
"PHP"
],
- "latest-update": "2024-09-25T15:28:53.719860Z",
+ "latest-update": "2024-11-13T13:03:49.551706Z",
"options": {
"no-language-in-filenames": true,
"preserve-filenames": true