SONARJAVA-6194 Update rule metadata

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "BLOCKER"
+      "SECURITY": "MEDIUM"
     },
     "attribute": "TRUSTWORTHY"
   },
@@ -17,7 +17,7 @@
     "cwe",
     "cert"
   ],
-  "defaultSeverity": "Blocker",
+  "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2068",
   "sqKey": "S2068",
   "scope": "Main",

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.html

@@ -1,16 +1,28 @@
+<h2>Why is this an issue?</h2>
 <p>In Unix file system permissions, the "<code>others</code>" category refers to all users except the owner of the file system resource and the
 members of the group assigned to this resource.</p>
 <p>Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive
 information, disrupt services or elevate privileges.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>The application is designed to be run on a multi-user environment.</li>
-  <li>Corresponding files and directories may contain confidential information.</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<p>The most restrictive possible permissions should be assigned to files and directories.</p>
-<h2>Sensitive Code Example</h2>
+<h3>What is the potential impact?</h3>
+<h4>Unauthorized access to sensitive information</h4>
+<p>When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models),
+attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords,
+personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive
+disadvantage.</p>
+<h4>Service disruption and data corruption</h4>
+<p>Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or
+compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete
+important resources, leading to service outages, system instability, data loss, and denial of service.</p>
+<h4>Privilege escalation</h4>
+<p>When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to
+execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious
+code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling
+them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.</p>
+<h2>How to fix it</h2>
+<p>Remove permissions for the "others" category by not adding OTHERS_READ, OTHERS_WRITE, or OTHERS_EXECUTE permissions to the permission set. If these
+permissions were previously added, explicitly remove them using the <code>remove()</code> method.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
     public void setPermissions(String filePath) throws IOException {
         Set&lt;PosixFilePermission&gt; perms = new HashSet&lt;PosixFilePermission&gt;();
@@ -22,20 +34,14 @@ <h2>Sensitive Code Example</h2>
         perms.add(PosixFilePermission.GROUP_READ);
         perms.add(PosixFilePermission.GROUP_EXECUTE);
         // others permissions
-        perms.add(PosixFilePermission.OTHERS_READ); // Sensitive
-        perms.add(PosixFilePermission.OTHERS_WRITE); // Sensitive
-        perms.add(PosixFilePermission.OTHERS_EXECUTE); // Sensitive
+        perms.add(PosixFilePermission.OTHERS_READ); // Noncompliant
+        perms.add(PosixFilePermission.OTHERS_WRITE); // Noncompliant
+        perms.add(PosixFilePermission.OTHERS_EXECUTE); // Noncompliant
 
         Files.setPosixFilePermissions(Paths.get(filePath), perms);
     }
 </pre>
-<pre data-diff-id="2" data-diff-type="noncompliant">
-    public void setOthersPermissionsHardCoded(String filePath ) {
-        Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwxrwx")); // Sensitive
-    }
-</pre>
-<h2>Compliant Solution</h2>
-<p>On operating systems that implement POSIX standard. This will throw a <code>UnsupportedOperationException</code> on Windows.</p>
+<h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
     public void setPermissions(String filePath) throws IOException {
         Set&lt;PosixFilePermission&gt; perms = new HashSet&lt;PosixFilePermission&gt;();
@@ -54,26 +60,23 @@ <h2>Compliant Solution</h2>
         Files.setPosixFilePermissions(Paths.get(filePath), perms);
     }
 </pre>
-<pre data-diff-id="2" data-diff-type="compliant">
-    public void setOthersPermissionsHardCoded(String filePath ) {
-        Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwx---"));
-    }
-</pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li>OWASP File Permission Testing Guide - <a
+  href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission">OWASP guidance on testing file permissions in web applications</a></li>
+</ul>
+<h3>Standards</h3>
 <ul>
-  <li>OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a></li>
-  <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
-  <li>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control">Top 10 2017 Category A5 - Broken Access
-  Control</a></li>
-  <li><a
-  href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission">OWASP File Permission</a></li>
-  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a></li>
   <li>CWE - <a href="https://cwe.mitre.org/data/definitions/266">CWE-266 - Incorrect Privilege Assignment</a></li>
-  <li><a href="https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions">CERT, FIO01-J.</a> - Create
-  files with appropriate access permissions</li>
-  <li><a href="https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions">CERT, FIO06-C.</a> - Create
-  files with appropriate access permissions</li>
+  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a></li>
   <li>STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222430">Application Security and
-  Development: V-222430</a> - The application must execute without excessive account permissions.</li>
+  Development: V-222430</a> - The application must execute without excessive account permissions</li>
+  <li>OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a></li>
+  <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
+  <li>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control">Top 10 2017 Category A5 - Broken Access Control -
+  OWASP Top 10 2017</a></li>
+  <li>CERT FIO01-J - <a href="https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions">CERT
+  guideline for creating files with appropriate access permissions in Java</a></li>
 </ul>
 

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.json

@@ -1,6 +1,6 @@
 {
-  "title": "Setting loose POSIX file permissions is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "File permissions should not be set to world-accessible values",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
       "SECURITY": "MEDIUM"

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5194.html

@@ -2,49 +2,76 @@ <h2>Why is this an issue?</h2>
 <p>Many existing switch statements are essentially simulations of switch expressions, where each arm either assigns to a common target variable or
 returns a value. Expressing this as a statement is roundabout, repetitive, and error-prone.</p>
 <p>Java 14 added support for switch expressions, which provide more succinct and less error-prone version of switch.</p>
-<h3>Noncompliant code example</h3>
-<pre>
-void day_of_week(DoW day) {
-    int numLetters;
-    switch (day) {  // Noncompliant
-      case MONDAY:
-      case FRIDAY:
-      case SUNDAY:
-        numLetters = 6;
-        break;
-      case TUESDAY:
-        numLetters = 7;
-        break;
-      case THURSDAY:
-      case SATURDAY:
-        numLetters = 8;
-        break;
-      case WEDNESDAY:
-        numLetters = 9;
-        break;
-      default:
-        throw new IllegalStateException("Wat: " + day);
-    }
+<h3>Noncompliant code examples</h3>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+void countLetters(String day) {
+  int numLetters;
+  switch (day) {
+    case "Monday", "Friday", "Sunday":
+      numLetters = 6;
+      break;
+    case "Tuesday":
+      numLetters = 7;
+      break;
+    case "Thursday", "Saturday":
+      numLetters = 8;
+      break;
+    case "Wednesday":
+      numLetters = 9;
+      break;
+    default:
+      throw new IllegalArgumentException("Invalid day: " + day);
+  }
+  System.out.println(numLetters);
 }
-
-int return_switch(int x) {
-    switch (x) { // Noncompliant
-      case 1:
-        return 1;
-      case 2:
-        return 2;
-      default:
-        throw new IllegalStateException();
-    }
+</pre>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+Day dayOfWeek(String text) {
+  switch (text) {
+    case "Monday":
+      return Day.MONDAY;
+    case "Tuesday":
+      return Day.TUESDAY;
+    case "Wednesday":
+      return Day.WEDNESDAY;
+    case "Thursday":
+      return Day.THURSDAY;
+    case "Friday":
+      return Day.FRIDAY;
+    case "Saturday":
+      return Day.SATURDAY;
+    case "Sunday":
+      return Day.SUNDAY;
+    default:
+      throw new IllegalArgumentException("Invalid day: " + text);
+  }
+}
+</pre>
+<h3>Compliant solutions</h3>
+<pre data-diff-id="1" data-diff-type="compliant">
+void countLetters(String day) {
+  int numLetters = switch (day) {
+    case "Monday", "Friday", "Sunday" -&gt; 6;
+    case "Tuesday" -&gt; 7;
+    case "Thursday", "Saturday" -&gt; 8;
+    case "Wednesday" -&gt; 9;
+    default -&gt; throw new IllegalArgumentException("Invalid day: " + day);
+  };
+  System.out.println(numLetters);
 }
 </pre>
-<h3>Compliant solution</h3>
-<pre>
-int numLetters = switch (day) {
-    case MONDAY, FRIDAY, SUNDAY -&gt; 6;
-    case TUESDAY                -&gt; 7;
-    case THURSDAY, SATURDAY     -&gt; 8;
-    case WEDNESDAY              -&gt; 9;
-};
+<pre data-diff-id="2" data-diff-type="compliant">
+Day dayOfWeek(String text) {
+    return switch (text) {
+      case "Monday" -&gt; Day.MONDAY;
+      case "Tuesday" -&gt; Day.TUESDAY;
+      case "Wednesday" -&gt; Day.WEDNESDAY;
+      case "Thursday" -&gt; Day.THURSDAY;
+      case "Friday" -&gt; Day.FRIDAY;
+      case "Saturday" -&gt; Day.SATURDAY;
+      case "Sunday" -&gt; Day.SUNDAY;
+      default -&gt; throw new IllegalArgumentException("Invalid day: " + text);
+    };
+  }
 </pre>
 

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5838.json

@@ -1,5 +1,5 @@
 {
-  "title": "Chained AssertJ assertions should be simplified to the corresponding dedicated assertion",
+  "title": "AssertJ assertions should be simplified to the corresponding dedicated assertion",
   "type": "CODE_SMELL",
   "code": {
     "impacts": {

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7466.json

@@ -13,7 +13,7 @@
   "ruleSpecification": "RSPEC-7466",
   "sqKey": "S7466",
   "scope": "All",
-  "quickfix": "targeted",
+  "quickfix": "covered",
   "code": {
     "impacts": {
       "MAINTAINABILITY": "LOW"

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7467.json

@@ -13,7 +13,7 @@
   "ruleSpecification": "RSPEC-7467",
   "sqKey": "S7467",
   "scope": "All",
-  "quickfix": "targeted",
+  "quickfix": "covered",
   "code": {
     "impacts": {
       "MAINTAINABILITY": "LOW"

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7475.json

@@ -14,7 +14,7 @@
   "ruleSpecification": "RSPEC-7475",
   "sqKey": "S7475",
   "scope": "All",
-  "quickfix": "targeted",
+  "quickfix": "covered",
   "code": {
     "impacts": {
       "MAINTAINABILITY": "INFO"

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7477.json

@@ -13,7 +13,7 @@
   "ruleSpecification": "RSPEC-7477",
   "sqKey": "S7477",
   "scope": "All",
-  "quickfix": "targeted",
+  "quickfix": "covered",
   "code": {
     "impacts": {
       "MAINTAINABILITY": "LOW"

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S7629.json

@@ -13,7 +13,7 @@
   "ruleSpecification": "RSPEC-7629",
   "sqKey": "S7629",
   "scope": "All",
-  "quickfix": "unknown",
+  "quickfix": "covered",
   "code": {
     "impacts": {
       "MAINTAINABILITY": "LOW"

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2026-02-27T13:15:37.935044048Z",
+  "latest-update": "2026-03-12T13:07:16.598544876Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false