change owasp 2013 to owasp 2017

generate_profiles/BuildXmlFiles.groovy

@@ -122,7 +122,7 @@ def writeRules(String rulesSetName,List<Plugin> plugins,List<String> includedBug
                     configKey(pattern.attribute("type"))
                     description(pattern.Details.text().trim())
 
-                    //OWASP TOP 10 2013
+                    //OWASP TOP 10 2017
                     if (pattern.Details.text().toLowerCase().contains('injection') || pattern.Details.text().contains('A1-Injection')) {
                         tag("owasp-a1")
                         tag("injection")
@@ -131,32 +131,34 @@ def writeRules(String rulesSetName,List<Plugin> plugins,List<String> includedBug
                         tag("owasp-a2")
                     }
                     if (pattern.attribute("type").contains("XSS") || pattern.Details.text().contains('A3-Cross-Site_Scripting')) {
-                        tag("owasp-a3")
+                        tag("owasp-a7")
                     }
                     if (pattern.Details.text().contains('A4-Insecure_Direct_Object_References') || pattern.Details.text().contains('Path_Traversal')) {
-                        tag("owasp-a4")
+                        tag("owasp-a5")
                     }
                     if (pattern.Details.text().contains('A5-Security_Misconfiguration')) {
-                        tag("owasp-a5")
+                        tag("owasp-a6")
                     }
                     if (pattern.attribute('type').equals('HARD_CODE_PASSWORD') ||
                             pattern.attribute("type") in cryptoBugs ||
                             pattern.Details.text().contains('A6-Sensitive_Data_Exposure')) {
-                        tag("owasp-a6")
+                        tag("owasp-a3")
                         tag("cryptography")
                     }
                     if (pattern.Details.text().contains('A7-Missing_Function_Level_Access_Control')) {
-                        tag("owasp-a7")
-                    }
-                    if (pattern.Details.text().toLowerCase().contains('A8-Cross-Site_Request_Forgery')) {
-                        tag("owasp-a8")
+                        tag("owasp-a4")
                     }
+//                    no exist in owasp 2017
+//                    if (pattern.Details.text().toLowerCase().contains('A8-Cross-Site_Request_Forgery')) {
+//                        tag("owasp-a8")
+//                    }
                     if (pattern.Details.text().toLowerCase().contains('A9-Using_Components_with_Known_Vulnerabilities')) {
                         tag("owasp-a9")
                     }
-                    if (pattern.Details.text().toLowerCase().contains('A10-Unvalidated_Redirects_and_Forwards')) {
-                        tag("owasp-a10")
-                    }
+//                    no exist in owasp 2017
+//                    if (pattern.Details.text().toLowerCase().contains('A10-Unvalidated_Redirects_and_Forwards')) {
+//                        tag("owasp-a10")
+//                    }
 
                     //Misc tags
 

pom.xml

@@ -4,7 +4,7 @@
 
   <groupId>com.github.spotbugs</groupId>
   <artifactId>sonar-findbugs-plugin</artifactId>
-  <version>3.10.0-SNAPSHOT</version>
+  <version>3.11-SNAPSHOT</version>
   <packaging>sonar-plugin</packaging>
 
   <name>SonarQube SpotBugs Plugin</name>

src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml

@@ -150,7 +150,7 @@ If SpotBugs found <em>any</em>, you <em>almost certainly</e
 vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously
 consider using a commercial static analysis or pen-testing tool.
 &lt;/p&gt;</description>
-    <tag>owasp-a3</tag>
+    <tag>owasp-a7</tag>
     <tag>security</tag>
   </rule>
   <rule key='XSS_REQUEST_PARAMETER_TO_SEND_ERROR' priority='MAJOR'>
@@ -165,7 +165,7 @@ If SpotBugs found &lt;em&gt;any&lt;/em&gt;, you &lt;em&gt;almost certainly&lt;/e
 vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously
 consider using a commercial static analysis or pen-testing tool.
 &lt;/p&gt;</description>
-    <tag>owasp-a3</tag>
+    <tag>owasp-a7</tag>
     <tag>security</tag>
   </rule>
   <rule key='SW_SWING_METHODS_INVOKED_IN_SWING_THREAD' priority='MAJOR'>

src/main/resources/org/sonar/plugins/findbugs/rules-findsecbugs.xml

@@ -267,7 +267,7 @@ public Response getImage(@javax.ws.rs.PathParam("image") String image) {
 <a href="http://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/>
 <a href="http://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a>
 &lt;/p&gt;</description>
-    <tag>owasp-a4</tag>
+    <tag>owasp-a5</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -287,7 +287,7 @@ by the user. If that is the case, the reported instance is a false positive.&lt;
 &lt;a href="http://capec.mitre.org/data/definitions/126.html"&gt;CAPEC-126: Path Traversal&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/22.html"&gt;CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a4</tag>
+    <tag>owasp-a5</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -397,7 +397,7 @@ sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null);
 &lt;a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection"&gt;WASC-04: Insufficient Transport Layer Protection&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/295.html"&gt;CWE-295: Improper Certificate Validation&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
@@ -446,7 +446,7 @@ sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null);
 &lt;a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection"&gt;WASC-04: Insufficient Transport Layer Protection&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/295.html"&gt;CWE-295: Improper Certificate Validation&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
@@ -612,7 +612,7 @@ mapped in this way are properly validated before they are used.&lt;/p&gt;
 &lt;a href="https://stackoverflow.com/q/22580853/89769"&gt;Stackoverflow: Reliable implementation of PBKDF2-HMAC-SHA256 for Java&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/327.html"&gt;CWE-327: Use of a Broken or Risky Cryptographic Algorithm&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -677,7 +677,7 @@ uses. &lt;b&gt;PBKDF2&lt;/b&gt; should be used to hash password for example.&lt;
 &lt;a href="https://stackoverflow.com/q/22580853/89769"&gt;Stackoverflow: Reliable implementation of PBKDF2-HMAC-SHA256 for Java&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/327.html"&gt;CWE-327: Use of a Broken or Risky Cryptographic Algorithm&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -729,7 +729,7 @@ Upgrade your implementation to use one of the recommended constructs and configu
 &lt;b&gt;References&lt;/b&gt;&lt;br/&gt;
 &lt;a href="https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https"&gt;Diagnosing TLS, SSL, and HTTPS&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>security</tag>
   </rule>
@@ -756,7 +756,7 @@ Upgrade your implementation to the following, and configure https.protocols JVM
 &lt;b&gt;References&lt;/b&gt;&lt;br/&gt;
 &lt;a href="https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https"&gt;Diagnosing TLS, SSL, and HTTPS&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>security</tag>
   </rule>
@@ -800,7 +800,7 @@ sha256Digest.update(password.getBytes());&lt;/pre&gt;
 &lt;a href="http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html"&gt;NIST Approved Hashing Algorithms&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/327.html"&gt;CWE-327: Use of a Broken or Risky Cryptographic Algorithm&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -827,7 +827,7 @@ contains no unauthorized path characters (e.g., / \), and refers to an authorize
 &lt;a href="http://capec.mitre.org/data/definitions/126.html"&gt;CAPEC-126: Path Traversal&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/22.html"&gt;CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a4</tag>
+    <tag>owasp-a5</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2362,7 +2362,7 @@ In this situation, the use of toHexString() should be replaced with String.forma
 &lt;a href="http://docs.hazelcast.org/docs/3.5/manual/html/encryption.html"&gt;Hazelcast Documentation: Encryption&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/326.html"&gt;CWE-326: Inadequate Encryption Strength&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
@@ -2391,7 +2391,7 @@ byte[] cipherText = c.doFinal(plainText);&lt;/pre&gt;
 &lt;b&gt;Reference&lt;/b&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/327.html"&gt;CWE-327: Use of a Broken or Risky Cryptographic Algorithm&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2425,7 +2425,7 @@ to do this correctly.
 &lt;a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection"&gt;WASC-04: Insufficient Transport Layer Protection&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/319.html"&gt;CWE-319: Cleartext Transmission of Sensitive Information&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
@@ -2460,7 +2460,7 @@ to do this correctly.
 &lt;a href="http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection"&gt;WASC-04: Insufficient Transport Layer Protection&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/319.html"&gt;CWE-319: Cleartext Transmission of Sensitive Information&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
@@ -2491,7 +2491,7 @@ byte[] cipherText = c.doFinal(plainText);&lt;/pre&gt;
 &lt;a href="http://www.nist.gov/itl/fips/060205_des.cfm"&gt;NIST Withdraws Outdated Data Encryption Standard&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/326.html"&gt;CWE-326: Inadequate Encryption Strength&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2521,7 +2521,7 @@ byte[] cipherText = c.doFinal(plainText);&lt;/pre&gt;
 &lt;a href="http://www.nist.gov/itl/fips/060205_des.cfm"&gt;NIST Withdraws Outdated Data Encryption Standard&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/326.html"&gt;CWE-326: Inadequate Encryption Strength&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2547,7 +2547,7 @@ The code should be replaced with:&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/780.html"&gt;CWE-780: Use of RSA Algorithm without OAEP&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/"&gt;Root Labs: Why RSA encryption padding is critical&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2573,7 +2573,7 @@ props.put(Context.SECURITY_CREDENTIALS, "p@ssw0rd");&lt;/pre&gt;
 &lt;b&gt;References&lt;/b&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/259.html"&gt;CWE-259: Use of Hard-coded Password&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2635,7 +2635,7 @@ if(MessageDigest.isEqual(userInput.getBytes(),actualHash.getBytes())) {
 &lt;b&gt;References&lt;/b&gt;&lt;br/&gt;
 &lt;a href="https://cwe.mitre.org/data/definitions/203.html"&gt;CWE-203: Information Exposure Through DiscrepancyKey&lt;/a&gt;&lt;br/&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2707,7 +2707,7 @@ the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet.
 &lt;a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29"&gt;OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/79.html"&gt;CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a3</tag>
+    <tag>owasp-a7</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2738,7 +2738,7 @@ keyGen.init(128);&lt;/pre&gt;
 &lt;a href="http://en.wikipedia.org/wiki/Blowfish_(cipher)"&gt;Blowfish (cipher)&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://cwe.mitre.org/data/definitions/326.html"&gt;CWE-326: Inadequate Encryption Strength&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2779,7 +2779,7 @@ keyGen.initialize(2048);
 &lt;a href="http://cwe.mitre.org/data/definitions/326.html"&gt;CWE-326: Inadequate Encryption Strength&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://www.keylength.com/en/compare/"&gt;Keylength.com (BlueKrypt): Aggregate key length recommendations.&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -2963,7 +2963,7 @@ which explains these defenses in significant detail.
 &lt;a href="http://cwe.mitre.org/data/definitions/79.html"&gt;CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')&lt;/a&gt;&lt;br/&gt;
 &lt;a href="https://code.google.com/p/owasp-java-encoder/"&gt;OWASP Java Encoder&lt;/a&gt;&lt;br/&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a3</tag>
+    <tag>owasp-a7</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -3051,7 +3051,7 @@ public void encrypt(String message) throws Exception {
 &lt;a href="http://cwe.mitre.org/data/definitions/329.html"&gt;CWE-329: Not Using a Random IV with CBC Mode&lt;/a&gt;&lt;br/&gt;
 &lt;a href="https://defuse.ca/cbcmodeiv.htm"&gt;Encryption - CBC Mode IV: Secret or Not?&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -3086,7 +3086,7 @@ byte[] cipherText = c.doFinal(plainText);&lt;/pre&gt;
 &lt;a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29"&gt;Wikipedia: Block cipher modes of operation&lt;/a&gt;&lt;br/&gt;
 &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf"&gt;NIST: Recommendation for Block Cipher Modes of Operation&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>security</tag>
   </rule>
@@ -3119,7 +3119,7 @@ byte[] cipherText = c.doFinal(plainText);&lt;/pre&gt;
     &lt;a href="http://capec.mitre.org/data/definitions/463.html"&gt;CAPEC: Padding Oracle Crypto Attack&lt;/a&gt;&lt;br/&gt;
     &lt;a href="http://cwe.mitre.org/data/definitions/696.html"&gt;CWE-696: Incorrect Behavior Order&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -3173,7 +3173,7 @@ In the example solution above, the GCM mode introduces an HMAC into the resultin
     &lt;a href="http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/"&gt;Moxie Marlinspike's blog: The Cryptographic Doom Principle&lt;/a&gt;&lt;br/&gt;
     &lt;a href="http://cwe.mitre.org/data/definitions/353.html"&gt;CWE-353: Missing Support for Integrity Check&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>
@@ -3486,7 +3486,7 @@ function updateDescription(newDescription) {
     &lt;a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29"&gt;OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)&lt;/a&gt;&lt;br/&gt;
     &lt;a href="http://cwe.mitre.org/data/definitions/79.html"&gt;CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')&lt;/a&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a3</tag>
+    <tag>owasp-a7</tag>
     <tag>wasc</tag>
     <tag>cwe</tag>
     <tag>android</tag>
@@ -3840,7 +3840,7 @@ Path traversal &lt;sup&gt;[3][4]&lt;/sup&gt; are not possible.
 &lt;/p&gt;</description>
     <tag>owasp-a1</tag>
     <tag>injection</tag>
-    <tag>owasp-a4</tag>
+    <tag>owasp-a5</tag>
     <tag>wasc</tag>
     <tag>security</tag>
   </rule>
@@ -4102,6 +4102,7 @@ Avoid using those methods. If you are looking to encode a URL String or form par
 &lt;a href="https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management"&gt;OWASP Top 10 2010-A3-Broken Authentication and Session Management&lt;/a&gt;&lt;br/&gt;
 &lt;/p&gt;</description>
     <tag>security</tag>
+      <tag>owasp-a3</tag>
   </rule>
   <rule key='INSECURE_SMTP_SSL' priority='MAJOR'>
     <name>Security - Insecure SMTP SSL connection</name>
@@ -4134,7 +4135,7 @@ Please add the following check to verify the server cerfiticate:
 &lt;b&gt;References&lt;/b&gt;&lt;br/&gt;
 &lt;a href="https://cwe.mitre.org/data/definitions/297.html"&gt;CWE-297: Improper Validation of Certificate with Host Mismatch&lt;/a&gt;&lt;br/&gt;
 &lt;/p&gt;</description>
-    <tag>owasp-a6</tag>
+    <tag>owasp-a3</tag>
     <tag>cryptography</tag>
     <tag>cwe</tag>
     <tag>security</tag>