From d09e9b58dce45bfc64b2350d7952c68c0b00e631 Mon Sep 17 00:00:00 2001 
From: Guillaume Dequenne
Date: Wed, 10 Jun 2020 13:49:39 +0200
Subject: [PATCH 1/2] Update rules metadata
---
 .../l10n/py/rules/python/ClassComplexity.json | 2 +-
 .../py/rules/python/FunctionComplexity.json | 2 +-
 .../org/sonar/l10n/py/rules/python/S1313.html | 11 +-
 .../org/sonar/l10n/py/rules/python/S1523.html | 3 +-
 .../org/sonar/l10n/py/rules/python/S2068.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S2077.html | 12 +-
 .../org/sonar/l10n/py/rules/python/S2092.html | 4 +-
 .../org/sonar/l10n/py/rules/python/S2245.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S2275.html | 6 +-
 .../org/sonar/l10n/py/rules/python/S3330.html | 4 +-
 .../org/sonar/l10n/py/rules/python/S4423.json | 3 +-
 .../org/sonar/l10n/py/rules/python/S4502.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S4507.html | 6 +-
 .../org/sonar/l10n/py/rules/python/S4721.html | 152 ++++++++----------
 .../org/sonar/l10n/py/rules/python/S4784.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S4787.html | 2 +
 .../org/sonar/l10n/py/rules/python/S4787.json | 25 +--
 .../org/sonar/l10n/py/rules/python/S4790.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S4792.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S4823.html | 2 +
 .../org/sonar/l10n/py/rules/python/S4823.json | 17 +-
 .../org/sonar/l10n/py/rules/python/S4828.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S4829.html | 2 +
 .../org/sonar/l10n/py/rules/python/S4829.json | 11 +-
 .../org/sonar/l10n/py/rules/python/S4830.json | 1 +
 .../org/sonar/l10n/py/rules/python/S5042.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S5122.html | 15 +-
 .../org/sonar/l10n/py/rules/python/S5247.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S5300.html | 2 +
 .../org/sonar/l10n/py/rules/python/S5300.json | 17 +-
 .../org/sonar/l10n/py/rules/python/S5332.html | 6 +
 .../org/sonar/l10n/py/rules/python/S5443.html | 2 +-
 .../org/sonar/l10n/py/rules/python/S5527.json | 1 +
 .../org/sonar/l10n/py/rules/python/S5542.json | 2 +-
 .../org/sonar/l10n/py/rules/python/S5547.json | 2 +-
.../org/sonar/l10n/py/rules/python/S5799.html | 2 +
 .../py/rules/python/Sonar_way_profile.json | 4 -
 sonarpedia.json | 2 +-
 38 files changed, 161 insertions(+), 177 deletions(-)
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/ClassComplexity.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/ClassComplexity.json
index baa245b120..f8f0a7b929 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/ClassComplexity.json
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/ClassComplexity.json
@@ -1,5 +1,5 @@
 {
- "title": "Classes should not be too complex",
+ "title": "Cyclomatic Complexity of classes should not be too high",
 "type": "CODE_SMELL",
 "status": "deprecated",
 "remediation": {
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/FunctionComplexity.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/FunctionComplexity.json
index 1707f240ce..36e6871cc1 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/FunctionComplexity.json
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/FunctionComplexity.json
@@ -1,5 +1,5 @@
 {
- "title": "Functions should not be too complex",
+ "title": "Cyclomatic Complexity of functions should not be too high",
 "type": "CODE_SMELL",
 "status": "ready",
 "remediation": {
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1313.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1313.html
index f49c8a3158..c741911951 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1313.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1313.html
@@ -13,11 +13,16 @@

Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially sensitive address. They can perform a Denial of Service attack on the service at this address or spoof the IP address. Such an attack is always possible, but in the case of a hardcoded IP address the fix will be much slower, which will increase an attack's impact.

-

Recommended Secure Coding Practices

+

Ask Yourself Whether

+

The disclosed IP address is sensitive, eg:

-

Noncompliant Code Example

+

There is a risk if you answered yes to any of these questions.

+

Recommended Secure Coding Practices

+

Don't hard-code the IP address in the source code, instead make it configurable.

+

Sensitive Code Example

 ip = '192.168.12.42'
 sock = socket.socket()
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1523.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1523.html
index b56d89b98c..6a1c678fb3 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1523.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S1523.html
@@ -14,8 +14,7 @@ 

Ask Yourself Whether

  • the executed code may come from an untrusted source and hasn't been sanitized.
  • you really need to run code dynamically.
  • -

    You are at risk if you answered yes to the first question. You are increasing the security risks for no reason if you answered yes to the second -question.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    Regarding the execution of unknown code, the best solution is to not run code provided by an untrusted source. If you really need to do it, run the code in a sandboxed environment. Use jails, firewalls and whatever means your
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html
index ce609dea7b..cb013c638e 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.html
@@ -15,7 +15,7 @@

    Ask Yourself Whether

  • Credentials are used in production environments.
  • Application re-distribution is required before updating the credentials.
  • -

    You are at risk, if you answered yes to any of these questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    -

    You may be at risk if you answered yes to this question.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    +

    Compliant Solution

    +
    +cursor = connection.cursor(prepared=True)
    +sql_insert_query = """ select col from sometable here mycol = %s and othercol = %s """
    +
    +select_tuple = (1, value)
    +
    +cursor.execute(sql_insert_query, select_tuple) # Compliant, the query is parameterized
    +connection.commit()
    +

    See

    -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    -

    Sensitive Code Examples

    +

    Sensitive Code Example

    Flask

     from flask import Response
    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2245.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2245.html
    index 5a3f1d410c..1638390a00 100644
    --- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2245.html
    +++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2245.html
    @@ -14,7 +14,7 @@ 

    Ask Yourself Whether

  • the generated value is used multiple times.
  • an attacker can access the generated value.
  • -

    You are at risk if you answered yes to the first question and any of the following ones.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    -

    See also

    +

    See

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3330.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3330.html
index 66d810cf4e..abdfa59957 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3330.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3330.html
@@ -9,13 +9,13 @@

    Ask Yourself Whether

  • the HttpOnly attribute offer an additional protection (not the case for an XSRF-TOKEN cookie / CSRF token for example)
  • -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    -

    Sensitive Code Examples

    +

    Sensitive Code Example

    Flask:

     from flask import Response
    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.json
    index e21dfea54d..82afcc7df2 100644
    --- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.json
    +++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4423.json
    @@ -20,7 +20,8 @@
       "securityStandards": {
         "CWE": [
           327,
    -      326
    +      326,
    +      295
         ],
         "OWASP": [
           "A3",
    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html
    index 74127be316..1cdb93be98 100644
    --- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html
    +++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4502.html
    @@ -17,7 +17,7 @@ 

    Ask Yourself Whether

  • The state / resources of the web application could be modified by doing HTTP POST or HTTP DELETE requests for example.
  • The web application is not only a public API designed to be requested by external websites.
  • -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    -

    You are at risk if you answered yes to any of these questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    - +

    Do not enable debug features on production servers.

    Sensitive Code Example

    Django

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4721.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4721.html
    index 55fcafbe39..e9d9f435d9 100644
    --- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4721.html
    +++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4721.html
    @@ -1,106 +1,94 @@
    -

    OS commands are security-sensitive. For example, their use has led in the past to the following vulnerabilities:

    +

    Arbitrary OS commands can be executed by an attacker when:

      -
    • CVE-2018-12465
    • -
    • CVE-2018-7187
    • +
    • The OS command name to execute is user-controlled.
    • +
    • A shell is spawn rather than a new process, in this case shell meta-chars can be used (when parameters are user-controlled for instance) to + inject OS commands.
    • +
    • The executable is searched in the directories specified by the PATH variable (which can contain user-controlled or malicious directories). +
    -

    Applications that execute operating system commands or execute commands that interact with the underlying system should neutralize any -externally-provided input used to construct those commands. Failure to do so could allow an attacker to execute unexpected or dangerous commands, -potentially leading to loss of confidentiality, integrity or availability.

    -

    -

    This rule flags code that specifies the name of the command to run. The goal is to guide security code reviews.

    Ask Yourself Whether

      -
    • the executed command is constructed by input that is externally-influenced, for example, user input (attacker). (*)
    • -
    • the command execution is not restricted to the right users. (*)
    • -
    • the application can be redesigned to not rely on external input to execute the command.
    • +
    • OS command name or parameters are user-controlled.
    • +
    • The relative path of the OS command is specified.
    • +
    • OS commands are not executed in an isolated/sandboxed environment.
    • +
    • OS command are executed with high privileges.
    -

    (*) You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    -

    Restrict the control given to the user over the executed command:

    -
      -
    • make the executed command part of a whitelist and reject all commands not part of this list.
    • -
    • sanitize the user input.
    • -
    -

    -

    Restrict which users can have access to the command:

    -
      -
    • use a firewall to protect the process running the code, and to protect the network from the command.
    • -
    • authenticate the user and allow only some users to run the command.
    • -
    -

    Reduce the damage the command can do:

      -
    • execute the code in a sandbox environment that enforces strict boundaries between the operating system and the process. For example: a "jail". -
    • -
    • refuse to run the command if the process has too many privileges. For example: forbid running the code as "root".
    • +
    • User-controlled inputs should not be used, for any reasons, to build a dynamically OS command (command name or even parameters when shell is + used).
    • +
    • Fully qualified/absolute path should be used to specify the OS command to execute.
    • +
    • If possible, set the lowest privileges to the new process/shell in which commands are executed.
    • +
    • If possible, execute the OS commands in an isolated environment.
    -

    Sensitive Code Example

    Python 3

    -import subprocess
    -import os
    -
    -params = ["ls", "-l"]
    -
    -subprocess.run(params)  # Sensitive
    -subprocess.Popen(params)  # Sensitive
    -
    -# Older API
    -
    -subprocess.call(params)  # Sensitive
    -subprocess.check_call(params)  # Sensitive
    -subprocess.check_output(params)  # Sensitive
    -
    -cmd = "ls -l"
    -os.system(cmd)  # Sensitive
    -
    -mode = os.P_WAIT
    -file = "ls"
    -path = "/bin/ls"
    -env = os.environ
    -os.spawnl(mode, path, *params)  # Sensitive
    -os.spawnle(mode, path, *params, env)  # Sensitive
    -os.spawnlp(mode, file, *params)  # Sensitive
    -os.spawnlpe(mode, file, *params, env)  # Sensitive
    -os.spawnv(mode, path, params)  # Sensitive
    -os.spawnve(mode, path, params, env)  # Sensitive
    -os.spawnvp(mode, file, params)  # Sensitive
    -os.spawnvpe(mode, file, params, env)  # Sensitive
    -
    -mode = 'r'
    -(child_stdout) = os.popen(cmd, mode, 1)  # Sensitive
    -# print(child_stdout.read())
    +subprocess.run(cmd, shell=True)  # Sensitive
    +subprocess.Popen(cmd, shell=True)  # Sensitive
    +subprocess.call(cmd, shell=True)  # Sensitive
    +subprocess.check_call(cmd, shell=True)  # Sensitive
    +subprocess.check_output(cmd, shell=True)  # Sensitive
    +os.system(cmd)  # Sensitive: a shell is always spawn
    +
    +

    Python 2

    +
    +cmd = "when a string is passed through these function, a shell is spawn"
    +(_, child_stdout, _) = os.popen2(cmd)  # Sensitive
    +(_, child_stdout, _) = os.popen3(cmd)  # Sensitive
    +(_, child_stdout) = os.popen4(cmd)  # Sensitive
     
    -(_, output) = subprocess.getstatusoutput(cmd)  # Sensitive
     
    -out = subprocess.getoutput(cmd)  # Sensitive
    +(child_stdout, _) = popen2.popen2(cmd)  # Sensitive
    +(child_stdout, _, _) = popen2.popen3(cmd)  # Sensitive
    +(child_stdout, _) = popen2.popen4(cmd)  # Sensitive
    +
    +

    Compliant Solution

    +

    Python 3

    +
    +# by default shell=False, a shell is not spawn
    +subprocess.run(cmd)  # Compliant
    +subprocess.Popen(cmd)  # Compliant
    +subprocess.call(cmd)  # Compliant
    +subprocess.check_call(cmd)  # Compliant
    +subprocess.check_output(cmd)  # Compliant
     
    -os.startfile(path)  # Sensitive
    +# always in a subprocess:
    +os.spawnl(mode, path, *cmd)  # Compliant
    +os.spawnle(mode, path, *cmd, env)  # Compliant
    +os.spawnlp(mode, file, *cmd)  # Compliant
    +os.spawnlpe(mode, file, *cmd, env)  # Compliant
    +os.spawnv(mode, path, cmd)  # Compliant
    +os.spawnve(mode, path, cmd, env)  # Compliant
    +os.spawnvp(mode, file, cmd)  # Compliant
    +os.spawnvpe(mode, file, cmd, env)  # Compliant
     
    -os.execl(path, *params)  # Sensitive
    -os.execle(path, *params, env)  # Sensitive
    -os.execlp(file, *params)  # Sensitive
    -os.execlpe(file, *params, env)  # Sensitive
    -os.execv(path, params)  # Sensitive
    -os.execve(path, params, env)  # Sensitive
    -os.execvp(file, params)  # Sensitive
    -os.execvpe(file, params, env)  # Sensitive
    +(child_stdout) = os.popen(cmd, mode, 1)  # Compliant
    +(_, output) = subprocess.getstatusoutput(cmd)  # Compliant
    +out = subprocess.getoutput(cmd)  # Compliant
    +os.startfile(path)  # Compliant
    +os.execl(path, *cmd)  # Compliant
    +os.execle(path, *cmd, env)  # Compliant
    +os.execlp(file, *cmd)  # Compliant
    +os.execlpe(file, *cmd, env)  # Compliant
    +os.execv(path, cmd)  # Compliant
    +os.execve(path, cmd, env)  # Compliant
    +os.execvp(file, cmd)  # Compliant
    +os.execvpe(file, cmd, env)  # Compliant
     

    Python 2

    -import os
    -import popen2
    +cmdsargs = ("use", "a", "sequence", "to", "directly", "start", "a", "subprocess")
     
    -cmd = "ls -l"
    -mode = "r"
    -(_, child_stdout) = os.popen2(cmd, mode)  # Sensitive
    -(_, child_stdout, _) = os.popen3(cmd, mode)  # Sensitive
    -(_, child_stdout) = os.popen4(cmd, mode)  # Sensitive
    +(_, child_stdout) = os.popen2(cmdsargs)  # Compliant
    +(_, child_stdout, _) = os.popen3(cmdsargs)  # Compliant
    +(_, child_stdout) = os.popen4(cmdsargs)  # Compliant
     
    -(child_stdout, _) = popen2.popen2(cmd)  # Sensitive
    -(child_stdout, _, _) = popen2.popen3(cmd)  # Sensitive
    -(child_stdout, _) = popen2.popen4(cmd)  # Sensitive
    +(child_stdout, _) = popen2.popen2(cmdsargs)  # Compliant
    +(child_stdout, _, _) = popen2.popen3(cmdsargs)  # Compliant
    +(child_stdout, _) = popen2.popen4(cmdsargs)  # Compliant
     

    See
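Review bot: In the Python 3 "Compliant Solution" block, `os.popen(cmd, mode, 1)  # Compliant`, `(_, output) = subprocess.getstatusoutput(cmd)  # Compliant` and `out = subprocess.getoutput(cmd)  # Compliant` are mislabelled: all three run the command through a shell (`os.popen` is implemented on top of `subprocess.Popen(..., shell=True)`, and the two `get*output` helpers are documented as executing their argument in a shell), so they belong in the Sensitive section next to `os.system(cmd)  # Sensitive: a shell is always spawn`. The same block marks the PATH-searching variants (`os.spawnlp`, `os.spawnlpe`, `os.spawnvp`, `os.spawnvpe`, `os.execlp`, `os.execlpe`, `os.execvp`, `os.execvpe`) as Compliant, which contradicts the rule's own "Ask Yourself Whether" item about executables resolved through the PATH variable and its recommendation to use a fully qualified path; either move them out of the compliant list or qualify the comment, e.g. `# Compliant only if PATH is trusted`. Wording: "a shell is spawn" should read "a shell is spawned" throughout the hunk, and the Python 2 sensitive example's `cmd` string describes the mechanism instead of showing a command, which reads oddly inside a code sample.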

      diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.html
index a132891dcf..de1770961a 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4784.html
@@ -19,7 +19,7 @@

      Ask Yourself Whether

    • the executed regular expression is sensitive and a user can provide a string which will be analyzed by this regular expression.
    • your regular expression engine performance decrease with specially crafted inputs and regular expressions.
    -

    You may be at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for vulnerability reports mentioning the one engine you're are using.

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.html
index 32b22841a6..bcedb35add 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.html
@@ -101,4 +101,6 @@

    See

  • MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • SANS Top 25 - Porous Defenses
  • +

    Deprecated

    +

    This rule is deprecated, and will eventually be removed.

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.json
index 168ca97bf9..5b617c7cdf 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.json
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4787.json
@@ -1,31 +1,12 @@
 {
 "title": "Encrypting data is security-sensitive",
 "type": "SECURITY_HOTSPOT",
- "status": "ready",
+ "status": "deprecated",
 "tags": [
- "cwe",
- "owasp-a6",
- "sans-top25-porous",
- "owasp-a3"
+
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4787",
 "sqKey": "S4787",
- "scope": "Main",
- "securityStandards": {
- "CWE": [
- 321,
- 322,
- 323,
- 324,
- 325,
- 326,
- 327,
- 522
- ],
- "OWASP": [
- "A3",
- "A6"
- ]
- }
+ "scope": "Main"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4790.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4790.html
index f465e4d91b..3e48ded6a7 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4790.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4790.html
@@ -9,7 +9,7 @@
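Review bot: By the S4787.json hunk counts (`@@ -1,31 +1,12 @@`) the `+` between the removed tag entries and the context `],` is an added empty line, so the new file reads `"tags": [`, a blank line, `],`; `"tags": [],` on a single line would be tidier if the metadata generator allows it. The same shape appears in the S4823.json, S4829.json and S5300.json hunks of this commit, which otherwise make the same deprecation change.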

    Ask Yourself Whether

  • Security token generation (used to confirm e-mail when registering on a website, reset password, etc ...).
  • To compute some message integrity.
  • -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    Safer alternatives, such as SHA-256, SHA-512, SHA-3 or bcrypt are recommended, and for password hashing, it's even better to use algorithms that not compute too "quickly", like bcrypt instead of SHA-256, because it slows
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4792.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4792.html
index 4d4cec277e..5516c0f16e 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4792.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4792.html
@@ -25,7 +25,7 @@

    Ask Yourself Whether

    might filter out important information. They might not print contextual information like the precise time of events or the server hostname.
  • the logs are only stored locally instead of being backuped or replicated.
  • -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    • Check that your production deployment doesn't have its loggers in "debug" mode as it might write sensitive information in logs.
    • diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4823.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4823.html index 5aef7c8064..a13573683d 100644 --- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4823.html +++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4823.html @@ -27,4 +27,6 @@

      See

    • MITRE, CWE-214 - Information Exposure Through Process Environment
    • SANS Top 25 - Insecure Interaction Between Components
    +

    Deprecated

    +

    This rule is deprecated, and will eventually be removed.

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4823.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4823.json
index 613caad9b5..e6601a6198 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4823.json
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4823.json
@@ -1,23 +1,12 @@
 {
 "title": "Using command line arguments is security-sensitive",
 "type": "SECURITY_HOTSPOT",
- "status": "ready",
+ "status": "deprecated",
 "tags": [
- "cwe",
- "owasp-a1",
- "sans-top25-insecure"
+
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4823",
 "sqKey": "S4823",
- "scope": "Main",
- "securityStandards": {
- "CWE": [
- 88,
- 214
- ],
- "OWASP": [
- "A1"
- ]
- }
+ "scope": "Main"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4828.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4828.html
index 1efb9ef1b1..03698927e9 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4828.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4828.html
@@ -7,7 +7,7 @@

    Ask Yourself Whether

    * the PID of the process to which the signal will be sent is coming from an untrusted source. It could for example come from a world-writable file.

    * users who are asking for the signal to be sent might not have the permission to send those signals.

    -

    You are at risk if you answered yes to any of these questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    * If the signal is sent because of a user's request. Check that the user is allowed to send this signal. You can for example forbid it if the user doesn't own the process.

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4829.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4829.html
index 51387a6dc9..2b2770dadc 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4829.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4829.html
@@ -63,4 +63,6 @@

    See:

    +

    Deprecated

    +

    This rule is deprecated, and will eventually be removed.

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4829.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4829.json
index 2c84dee673..56c25bda46 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4829.json
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4829.json
@@ -1,17 +1,12 @@
 {
 "title": "Reading the Standard Input is security-sensitive",
 "type": "SECURITY_HOTSPOT",
- "status": "ready",
+ "status": "deprecated",
 "tags": [
- "cwe"
+
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4829",
 "sqKey": "S4829",
- "scope": "Main",
- "securityStandards": {
- "CWE": [
- 20
- ]
- }
+ "scope": "Main"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4830.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4830.json
index a5efd016de..519217b807 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4830.json
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S4830.json
@@ -10,6 +10,7 @@
 "cwe",
 "privacy",
 "owasp-a6",
+ "sans-top25-porous",
 "ssl",
 "owasp-a3"
 ],
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5042.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5042.html
index c24823bfbe..67fb27781d 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5042.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5042.html
@@ -16,7 +16,7 @@

    Ask Yourself Whether

  • there is no validation of the size of the expanded archive entry
  • there is no validation of the ratio between the compressed and uncompressed archive entry
  • -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    Validate the full path of the extracted file against the full path of the directory where files are expanded:

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5122.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5122.html
index 78d6c82299..8373ecfd35 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5122.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5122.html
@@ -15,7 +15,7 @@

    Ask Yourself Whether

  • You access control policy is dynamically defined by a user-controlled input like origin header.
  • -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    • The Access-Control-Allow-Origin header should be set only for a trusted origin and for specific resources.
    • @@ -33,6 +33,19 @@

      Sensitive Code Example

      app = Flask(__name__) CORS(app, resources={r"/*": {"origins": "*", "send_wildcard": "True"}}) # Sensitive
    +

    Compliant Solution

    +

    Django

    +
    +CORS_ORIGIN_ALLOW_ALL = False # Compliant
    +
    +

    Flask

    +
    +from flask import Flask
    +from flask_cors import CORS
    +
    +app = Flask(__name__)
    +CORS(app, resources={r"/*": {"origins": "*", "send_wildcard": "False"}}) # Compliant
    +

    See
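Review bot: The Flask "Compliant Solution" `CORS(app, resources={r"/*": {"origins": "*", "send_wildcard": "False"}}) # Compliant` still allows every origin — `"origins": "*"` is unchanged from the Sensitive example, and `send_wildcard` only decides whether the response carries a literal `*` or echoes the request's Origin header back, which is not more restrictive. The value `"False"` is also a string, which is truthy in Python, so if flask-cors tests the option with plain truthiness (as it appears to) this example behaves exactly like the Sensitive one above it. A compliant example should restrict the origin list itself, e.g. `"origins": "<trusted-origin>"` (placeholder), and pass the option as the boolean `False` rather than `"False"`.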

    -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    +

    Deprecated

    +

    This rule is deprecated, and will eventually be removed.

    diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5300.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5300.json
index 95eea24af0..36fc46eaf6 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5300.json
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5300.json
@@ -1,23 +1,12 @@
 {
 "title": "Sending emails is security-sensitive",
 "type": "SECURITY_HOTSPOT",
- "status": "ready",
+ "status": "deprecated",
 "tags": [
- "cwe",
- "owasp-a1",
- "sans-top25-insecure"
+
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-5300",
 "sqKey": "S5300",
- "scope": "Main",
- "securityStandards": {
- "CWE": [
- 93,
- 80
- ],
- "OWASP": [
- "A1"
- ]
- }
+ "scope": "Main"
 }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5332.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5332.html
index 253b16c6e5..df79d84bb1 100644
--- a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5332.html
+++ b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5332.html
@@ -16,6 +16,12 @@
  • CVE-2019-12327
  • CVE-2019-11065
  • +

    Ask Yourself Whether

    + +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    -

    You are at risk if you answered yes to any of those questions.

    +

    There is a risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    @@ -31,10 +26,6 @@

    Compliant Solution

    "Error: User {} has not been able to access {}".format("Alice", "MyFile") -user = "Alice" -resource = "MyFile" -message = f"Error: User {user} has not been able to access {resource}" - import logging logging.error("Error: User %s has not been able to access %s", "Alice", "MyFile")