Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914)

* Update JSON schema to include STIG ASD 2023-06-08 mapping * Update rules to add STIG metadata mappings --------- Co-authored-by: Loris Sierra <[email protected]>
SonarSource · May 6, 2024 · 9ee16da · 9ee16da
1 parent 9f471b6
commit 9ee16da
Show file tree

Hide file tree

Showing 321 changed files with 1,373 additions and 362 deletions.
diff --git a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
@@ -218,6 +218,15 @@
             "pattern": "^\\d+\\.\\d+\\.\\d+$"
           },
           "uniqueItems": true 
+        },
+        "STIG ASD 2023-06-08": {
+          "type": "array",
+          "minItems": 0,
+          "items": {
+            "type": "string",
+            "pattern": "^V-\\d+$"
+          },
+          "uniqueItems": true
         }
       }
     },

diff --git a/rules/S1079/cfamily/metadata.json b/rules/S1079/cfamily/metadata.json
@@ -45,6 +45,9 @@
     "ASVS 4.0": [
       "14.1.2",
       "5.4.1"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S1079/cfamily/rule.adoc b/rules/S1079/cfamily/rule.adoc
@@ -50,6 +50,7 @@ If this code is given the word ``noncompliant`` as an input, ``noncompli␀`` wi
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input] ('Classic Buffer Overflow')
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
 
 
 ifdef::env-github,rspecator-view[]

diff --git a/rules/S1081/cfamily/metadata.json b/rules/S1081/cfamily/metadata.json
@@ -41,6 +41,9 @@
     ],
     "CERT": [
       "STR07-C."
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S1081/common/resources/standards.adoc b/rules/S1081/common/resources/standards.adoc
@@ -5,3 +5,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
 * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
diff --git a/rules/S1913/cfamily/metadata.json b/rules/S1913/cfamily/metadata.json
@@ -24,6 +24,11 @@
   "ruleSpecification": "RSPEC-1913",
   "sqKey": "S1913",
   "scope": "Main",
+  "securityStandards": {
+    "STIG ASD 2023-06-08": [
+      "V-222612"
+    ]
+  },
   "defaultQualityProfiles": [
     "Sonar way"
   ],

diff --git a/rules/S1913/cfamily/rule.adoc b/rules/S1913/cfamily/rule.adoc
@@ -45,6 +45,10 @@ void function() {
 
 * {cpp} reference - https://en.cppreference.com/w/cpp/language/sizeof[`sizeof` operator]
 
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2053/common/resources/standards.adoc b/rules/S2053/common/resources/standards.adoc
@@ -4,4 +4,5 @@
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/759[CWE-759 - Use of a One-Way Hash without a Salt]
 * CWE - https://cwe.mitre.org/data/definitions/760[CWE-760 - Use of a One-Way Hash with a Predictable Salt]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.
 
diff --git a/rules/S2053/metadata.json b/rules/S2053/metadata.json
@@ -43,6 +43,9 @@
     ],
     "PCI DSS 4.0": [
       "6.2.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222542"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S2076/common/resources/standards.adoc b/rules/S2076/common/resources/standards.adoc
@@ -4,3 +4,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222604[Application Security and Development: V-222604] - The application must protect from command injection.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2076/metadata.json b/rules/S2076/metadata.json
@@ -49,6 +49,10 @@
       "5.1.3",
       "5.1.4",
       "5.3.8"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222604",
+      "V-222609"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S2078/common/resources/standards.adoc b/rules/S2078/common/resources/standards.adoc
@@ -6,3 +6,5 @@
 * https://www.ietf.org/rfc/rfc4515.txt[RFC 4515] - LDAP: String Representation of Search Filters
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/90[CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2078/java/metadata.json b/rules/S2078/java/metadata.json
@@ -27,6 +27,9 @@
       "5.1.3",
       "5.1.4",
       "5.3.7"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
     ]
   }
 }
diff --git a/rules/S2078/metadata.json b/rules/S2078/metadata.json
@@ -48,6 +48,9 @@
       "5.1.3",
       "5.1.4",
       "5.3.7"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S2083/common/resources/standards.adoc b/rules/S2083/common/resources/standards.adoc
@@ -6,3 +6,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2083/metadata.json b/rules/S2083/metadata.json
@@ -50,6 +50,9 @@
       "12.3.1",
       "5.1.3",
       "5.1.4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222609"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S2091/common/resources/standards.adoc b/rules/S2091/common/resources/standards.adoc
@@ -4,3 +4,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/643[CWE-643 - Improper Neutralization of Data within XPath Expressions]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2091/java/metadata.json b/rules/S2091/java/metadata.json
@@ -27,6 +27,10 @@
       "5.1.3",
       "5.1.4",
       "5.3.10"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608",
+      "V-222609"
     ]
   }
 }
diff --git a/rules/S2091/metadata.json b/rules/S2091/metadata.json
@@ -48,6 +48,10 @@
       "5.1.3",
       "5.1.4",
       "5.3.10"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608",
+      "V-222609"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S2092/metadata.json b/rules/S2092/metadata.json
@@ -52,6 +52,9 @@
       "6.1.1",
       "6.1.2",
       "6.1.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222576"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S2092/see.adoc b/rules/S2092/see.adoc
@@ -6,3 +6,5 @@
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
 * CWE - https://cwe.mitre.org/data/definitions/315[CWE-315 - Cleartext Storage of Sensitive Information in a Cookie]
 * CWE - https://cwe.mitre.org/data/definitions/614[CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222576[Application Security and Development: V-222576] - The application must set the secure flag on session cookies.
+
diff --git a/rules/S2184/cfamily/metadata.json b/rules/S2184/cfamily/metadata.json
@@ -18,6 +18,9 @@
     ],
     "ASVS 4.0": [
       "5.4.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
     ]
   }
 }
diff --git a/rules/S2184/cfamily/rule.adoc b/rules/S2184/cfamily/rule.adoc
@@ -33,9 +33,13 @@ void compliant2() {
 
 == Resources
 
+=== Standards
+
 * MISRA {cpp}:2008, 5-0-8 - An explicit integral or floating-point conversion shall not increase the size of the underlying type of a cvalue expression.
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2184/csharp/rule.adoc b/rules/S2184/csharp/rule.adoc
@@ -30,7 +30,10 @@ static void Method(float f) { }
 
 == Resources
 
+=== Standards
+
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
 
 
 ifdef::env-github,rspecator-view[]

diff --git a/rules/S2184/java/metadata.json b/rules/S2184/java/metadata.json
@@ -14,6 +14,9 @@
     ],
     "ASVS 4.0": [
       "5.4.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
     ]
   }
 }
diff --git a/rules/S2184/java/rule.adoc b/rules/S2184/java/rule.adoc
@@ -62,9 +62,13 @@ public float compute2(float factor){
 
 == Resources
 
+=== Standards
+
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 * https://wiki.sei.cmu.edu/confluence/x/AjdGBQ[CERT, NUM50-J.] - Convert integers to floating point for floating-point operations
 * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2184/metadata.json b/rules/S2184/metadata.json
@@ -34,6 +34,9 @@
     ],
     "ASVS 4.0": [
       "5.4.3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222612"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S2226/java/metadata.json b/rules/S2226/java/metadata.json
@@ -32,6 +32,9 @@
   "securityStandards": {
     "CERT": [
       "MSC11-J."
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222567"
     ]
   },
   "defaultQualityProfiles": [

diff --git a/rules/S2226/java/rule.adoc b/rules/S2226/java/rule.adoc
@@ -169,6 +169,11 @@ public class MyServlet extends HttpServlet {
 * https://www.devinline.com/2013/08/how-to-make-thread-safe-servlet.html[Nikhil Ranjan: How to make thread safe servlet ?]
 * https://objectcomputing.com/resources/publications/sett/april-2000-tips-for-creating-thread-safe-code-avoiding-race-conditions[Object Computing: Tips for creating thread-safe code]
 
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
+
 ifdef::env-github,rspecator-view[]
 
 '''

diff --git a/rules/S2254/java/metadata.json b/rules/S2254/java/metadata.json
@@ -16,8 +16,12 @@
     "cwe"
   ],
   "extra": {
-    "replacementRules": [],
-    "legacyKeys": []
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
   },
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-2254",
@@ -32,10 +36,13 @@
     ],
     "OWASP Top 10 2021": [
       "A4"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222582"
     ]
   },
   "defaultQualityProfiles": [
     "Sonar way"
   ],
   "quickfix": "unknown"
-}
+}
diff --git a/rules/S2254/java/rule.adoc b/rules/S2254/java/rule.adoc
@@ -64,6 +64,7 @@ The compliant example instead uses the server's session ID to verify if the sess
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
 * CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs.
 
 
 ifdef::env-github,rspecator-view[]

diff --git a/rules/S2435/cfamily/metadata.json b/rules/S2435/cfamily/metadata.json
@@ -12,6 +12,9 @@
     ],
     "OWASP Top 10 2021": [
       "A3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608"
     ]
   }
 }
diff --git a/rules/S2435/cfamily/rule.adoc b/rules/S2435/cfamily/rule.adoc
@@ -4,10 +4,14 @@ include::../rule-except-see.adoc[]
 
 == Resources
 
+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2435/java/metadata.json b/rules/S2435/java/metadata.json
@@ -15,6 +15,9 @@
     ],
     "OWASP Top 10 2021": [
       "A3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608"
     ]
   }
 }
diff --git a/rules/S2435/java/rule.adoc b/rules/S2435/java/rule.adoc
@@ -4,11 +4,15 @@ include::../rule-except-see.adoc[]
 
 == Resources
 
+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
 * https://wiki.sei.cmu.edu/confluence/x/7jdGBQ[CERT, IDS51-J.] - Properly encode or escape output
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+
 
 ifdef::env-github,rspecator-view[]
 

diff --git a/rules/S2435/metadata.json b/rules/S2435/metadata.json
@@ -7,6 +7,7 @@
     "constantCost": "15min"
   },
   "tags": [
+
   ],
   "extra": {
     "replacementRules": [
@@ -30,6 +31,9 @@
     ],
     "OWASP Top 10 2021": [
       "A3"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222608"
     ]
   },
   "defaultQualityProfiles": [