From 1936c435302db0ed31a730f47d1703735748397f Mon Sep 17 00:00:00 2001 From: aurelien-coet-sonarsource Date: Thu, 12 Mar 2026 13:07:18 +0000 Subject: [PATCH] Update rule metadata --- .../org/sonar/l10n/java/rules/java/S2068.json | 4 +- .../org/sonar/l10n/java/rules/java/S2612.html | 77 +++++++------ .../org/sonar/l10n/java/rules/java/S2612.json | 4 +- .../org/sonar/l10n/java/rules/java/S5194.html | 109 +++++++++++------- .../org/sonar/l10n/java/rules/java/S5838.json | 2 +- .../org/sonar/l10n/java/rules/java/S7466.json | 2 +- .../org/sonar/l10n/java/rules/java/S7467.json | 2 +- .../org/sonar/l10n/java/rules/java/S7475.json | 2 +- .../org/sonar/l10n/java/rules/java/S7477.json | 2 +- .../org/sonar/l10n/java/rules/java/S7629.json | 2 +- sonarpedia.json | 2 +- 11 files changed, 119 insertions(+), 89 deletions(-) diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json index 407f07813da..2d7e1399f56 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json @@ -3,7 +3,7 @@ "type": "VULNERABILITY", "code": { "impacts": { - "SECURITY": "BLOCKER" + "SECURITY": "MEDIUM" }, "attribute": "TRUSTWORTHY" }, @@ -17,7 +17,7 @@ "cwe", "cert" ], - "defaultSeverity": "Blocker", + "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2068", "sqKey": "S2068", "scope": "Main", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.html index a75baff3607..f858d9bfd48 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.html @@ -1,16 +1,28 @@ +

Why is this an issue?

In Unix file system permissions, the "others" category refers to all users except the owner of the file system resource and the members of the group assigned to this resource.

Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive information, disrupt services or elevate privileges.

-

Ask Yourself Whether

- -

There is a risk if you answered yes to any of those questions.

-

Recommended Secure Coding Practices

-

The most restrictive possible permissions should be assigned to files and directories.

-

Sensitive Code Example

+

What is the potential impact?

+

Unauthorized access to sensitive information

+

When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models), +attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords, +personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive +disadvantage.

+

Service disruption and data corruption

+

Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or +compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete +important resources, leading to service outages, system instability, data loss, and denial of service.

+

Privilege escalation

+

When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to +execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious +code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling +them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.

+

How to fix it

+

Remove permissions for the "others" category by not adding OTHERS_READ, OTHERS_WRITE, or OTHERS_EXECUTE permissions to the permission set. If these +permissions were previously added, explicitly remove them using the remove() method.

+

Code examples

+

Noncompliant code example

     public void setPermissions(String filePath) throws IOException {
         Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
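Review bot: the new "How to fix it" paragraph narrows the guidance to not adding (or explicitly removing) OTHERS_READ, OTHERS_WRITE and OTHERS_EXECUTE, while the sentence it replaces under "Recommended Secure Coding Practices" ("The most restrictive possible permissions should be assigned to files and directories.") stated the general least-privilege rule; suggest keeping that sentence as the opening line of "How to fix it", since clearing the others bits alone still leaves a file over-permissioned if the group is broad. Minor: the "Privilege escalation" paragraph describes the bits that make a program "execute with the permissions of the file owner or group" without naming them; calling them the setuid/setgid bits makes the impact concrete for readers who know the mode bits.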
@@ -22,20 +34,14 @@ 

Sensitive Code Example

perms.add(PosixFilePermission.GROUP_READ); perms.add(PosixFilePermission.GROUP_EXECUTE); // others permissions - perms.add(PosixFilePermission.OTHERS_READ); // Sensitive - perms.add(PosixFilePermission.OTHERS_WRITE); // Sensitive - perms.add(PosixFilePermission.OTHERS_EXECUTE); // Sensitive + perms.add(PosixFilePermission.OTHERS_READ); // Noncompliant + perms.add(PosixFilePermission.OTHERS_WRITE); // Noncompliant + perms.add(PosixFilePermission.OTHERS_EXECUTE); // Noncompliant Files.setPosixFilePermissions(Paths.get(filePath), perms); }
-
-    public void setOthersPermissionsHardCoded(String filePath ) {
-        Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwxrwx")); // Sensitive
-    }
-
-

Compliant Solution

-

On operating systems that implement POSIX standard. This will throw a UnsupportedOperationException on Windows.

+

Compliant solution

     public void setPermissions(String filePath) throws IOException {
         Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
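Review bot: this hunk removes the sentence "On operating systems that implement POSIX standard. This will throw a UnsupportedOperationException on Windows." without relocating it, and it was the only portability note in the description; `Files.setPosixFilePermissions` does throw UnsupportedOperationException when the file system has no POSIX attribute view, so suggest keeping the caveat (reworded, e.g. "On file systems without POSIX attribute support, such as NTFS on Windows, this call throws UnsupportedOperationException") under the compliant solution. The relabelling of `// Sensitive` to `// Noncompliant` on the three OTHERS_* lines is consistent with the S2612.json change from SECURITY_HOTSPOT to VULNERABILITY in this same patch.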
@@ -54,26 +60,23 @@ 

Compliant Solution

Files.setPosixFilePermissions(Paths.get(filePath), perms); }
-
-    public void setOthersPermissionsHardCoded(String filePath ) {
-        Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwx---"));
-    }
-
-

See

+

Resources

+

Documentation

+ +

Standards

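Review bot: removing `setOthersPermissionsHardCoded` with `PosixFilePermissions.fromString("rwxrwx---")` here, together with its `"rwxrwxrwx"` counterpart deleted in the previous hunk, leaves the description with no example of the string-based API; if the detector still reports `fromString` calls whose last triplet grants others access, readers will not recognise that pattern from the remaining `Set<PosixFilePermission>` example alone, so suggest keeping a short noncompliant/compliant pair for the string form. The "See" heading replaced by "Resources" / "Documentation" / "Standards" matches the layout of the reworked description above and is fine.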
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json index 948fea4ccb3..49909d4f519 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json @@ -1,6 +1,6 @@ { - "title": "Setting loose POSIX file permissions is security-sensitive", - "type": "SECURITY_HOTSPOT", + "title": "File permissions should not be set to world-accessible values", + "type": "VULNERABILITY", "code": { "impacts": { "SECURITY": "MEDIUM" diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5194.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5194.html index c613eb5da37..5d356e033b9 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5194.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5194.html @@ -2,49 +2,76 @@

Why is this an issue?

Many existing switch statements are essentially simulations of switch expressions, where each arm either assigns to a common target variable or returns a value. Expressing this as a statement is roundabout, repetitive, and error-prone.

Java 14 added support for switch expressions, which provide more succinct and less error-prone version of switch.

-

Noncompliant code example

-
-void day_of_week(DoW day) {
-    int numLetters;
-    switch (day) {  // Noncompliant
-      case MONDAY:
-      case FRIDAY:
-      case SUNDAY:
-        numLetters = 6;
-        break;
-      case TUESDAY:
-        numLetters = 7;
-        break;
-      case THURSDAY:
-      case SATURDAY:
-        numLetters = 8;
-        break;
-      case WEDNESDAY:
-        numLetters = 9;
-        break;
-      default:
-        throw new IllegalStateException("Wat: " + day);
-    }
+

Noncompliant code examples

+
+void countLetters(String day) {
+  int numLetters;
+  switch (day) {
+    case "Monday", "Friday", "Sunday":
+      numLetters = 6;
+      break;
+    case "Tuesday":
+      numLetters = 7;
+      break;
+    case "Thursday", "Saturday":
+      numLetters = 8;
+      break;
+    case "Wednesday":
+      numLetters = 9;
+      break;
+    default:
+      throw new IllegalArgumentException("Invalid day: " + day);
+  }
+  System.out.println(numLetters);
 }
-
-int return_switch(int x) {
-    switch (x) { // Noncompliant
-      case 1:
-        return 1;
-      case 2:
-        return 2;
-      default:
-        throw new IllegalStateException();
-    }
+
+
+Day dayOfWeek(String text) {
+  switch (text) {
+    case "Monday":
+      return Day.MONDAY;
+    case "Tuesday":
+      return Day.TUESDAY;
+    case "Wednesday":
+      return Day.WEDNESDAY;
+    case "Thursday":
+      return Day.THURSDAY;
+    case "Friday":
+      return Day.FRIDAY;
+    case "Saturday":
+      return Day.SATURDAY;
+    case "Sunday":
+      return Day.SUNDAY;
+    default:
+      throw new IllegalArgumentException("Invalid day: " + text);
+  }
+}
+
+

Compliant solutions

+
+void countLetters(String day) {
+  int numLetters = switch (day) {
+    case "Monday", "Friday", "Sunday" -> 6;
+    case "Tuesday" -> 7;
+    case "Thursday", "Saturday" -> 8;
+    case "Wednesday" -> 9;
+    default -> throw new IllegalArgumentException("Invalid day: " + day);
+  };
+  System.out.println(numLetters);
 }
 
-

Compliant solution

-
-int numLetters = switch (day) {
-    case MONDAY, FRIDAY, SUNDAY -> 6;
-    case TUESDAY                -> 7;
-    case THURSDAY, SATURDAY     -> 8;
-    case WEDNESDAY              -> 9;
-};
+
+Day dayOfWeek(String text) {
+    return switch (text) {
+      case "Monday" -> Day.MONDAY;
+      case "Tuesday" -> Day.TUESDAY;
+      case "Wednesday" -> Day.WEDNESDAY;
+      case "Thursday" -> Day.THURSDAY;
+      case "Friday" -> Day.FRIDAY;
+      case "Saturday" -> Day.SATURDAY;
+      case "Sunday" -> Day.SUNDAY;
+      default -> throw new IllegalArgumentException("Invalid day: " + text);
+    };
+  }
 
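Review bot: the new noncompliant examples no longer mark the statement the rule reports on: the old versions carried `switch (day) {  // Noncompliant` and `switch (x) { // Noncompliant`, while the new `switch (day) {` and `switch (text) {` have no marker, so a reader cannot tell which line is flagged (S2612.html in this same patch keeps its `// Noncompliant` markers); suggest restoring them. Style: the last compliant `dayOfWeek` example indents its body four spaces and closes with `  }` two spaces in, whereas the other three examples use two-space indentation with the closing brace at column 0; align it. While touching this file, the unchanged context sentence "which provide more succinct and less error-prone version of switch" is missing an article ("a more succinct and less error-prone version").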
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5838.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5838.json index cfb63bee278..a9b5fbc265b 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5838.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5838.json @@ -1,5 +1,5 @@ { - "title": "Chained AssertJ assertions should be simplified to the corresponding dedicated assertion", + "title": "AssertJ assertions should be simplified to the corresponding dedicated assertion", "type": "CODE_SMELL", "code": { "impacts": { diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7466.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7466.json index 449dea80e60..ba038c971b3 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7466.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7466.json @@ -13,7 +13,7 @@ "ruleSpecification": "RSPEC-7466", "sqKey": "S7466", "scope": "All", - "quickfix": "targeted", + "quickfix": "covered", "code": { "impacts": { "MAINTAINABILITY": "LOW" diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7467.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7467.json index c39749e444a..fdc30b28e5a 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7467.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7467.json @@ -13,7 +13,7 @@ "ruleSpecification": "RSPEC-7467", "sqKey": "S7467", "scope": "All", - "quickfix": "targeted", + "quickfix": "covered", "code": { "impacts": { "MAINTAINABILITY": "LOW" diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7475.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7475.json index d7657540a53..7caabaf5bab 100644 
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7475.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7475.json @@ -14,7 +14,7 @@ "ruleSpecification": "RSPEC-7475", "sqKey": "S7475", "scope": "All", - "quickfix": "targeted", + "quickfix": "covered", "code": { "impacts": { "MAINTAINABILITY": "INFO" diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7477.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7477.json index 9ae4a8d810b..0f90dcf241c 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7477.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7477.json @@ -13,7 +13,7 @@ "ruleSpecification": "RSPEC-7477", "sqKey": "S7477", "scope": "All", - "quickfix": "targeted", + "quickfix": "covered", "code": { "impacts": { "MAINTAINABILITY": "LOW" diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7629.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7629.json index c393c62c9fc..d5e42e1a273 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7629.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7629.json @@ -13,7 +13,7 @@ "ruleSpecification": "RSPEC-7629", "sqKey": "S7629", "scope": "All", - "quickfix": "unknown", + "quickfix": "covered", "code": { "impacts": { "MAINTAINABILITY": "LOW" diff --git a/sonarpedia.json b/sonarpedia.json index 25454a0501f..2046b338a4b 100644 --- a/sonarpedia.json +++ b/sonarpedia.json @@ -3,7 +3,7 @@ "languages": [ "JAVA" ], - "latest-update": "2026-02-27T13:15:37.935044048Z", + "latest-update": "2026-03-12T13:07:16.598544876Z", "options": { "no-language-in-filenames": true, "preserve-filenames": false
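Review bot: the two S2068.json hunks (run together on the patch's first line) lower a VULNERABILITY-type rule from `"SECURITY": "BLOCKER"` / `"defaultSeverity": "Blocker"` to `"MEDIUM"` / `"Major"`, but the commit message ("Update rule metadata") gives no reason; a severity downgrade changes which issues fail users' quality gates, so the PR description should state the rationale or link the RSPEC decision behind it.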