diff --git a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
index 7dd0ac04e2b..bd3e3705c81 100644
--- a/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
+++ b/rspec-tools/rspec_tools/validation/rule-metadata-schema.json
@@ -218,6 +218,15 @@
 "pattern": "^\\d+\\.\\d+\\.\\d+$"
 },
 "uniqueItems": true
+ },
+ "STIG ASD 2023-06-08": {
+ "type": "array",
+ "minItems": 0,
+ "items": {
+ "type": "string",
+ "pattern": "^V-\\d+$"
+ },
+ "uniqueItems": true
 }
 }
 },
diff --git a/rules/S1079/cfamily/metadata.json b/rules/S1079/cfamily/metadata.json
index d62a90d4149..53fee3ed70a 100644
--- a/rules/S1079/cfamily/metadata.json
+++ b/rules/S1079/cfamily/metadata.json
@@ -45,6 +45,9 @@
 "ASVS 4.0": [
 "14.1.2",
 "5.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S1079/cfamily/rule.adoc b/rules/S1079/cfamily/rule.adoc
index 07b6b758d12..6d36c0756cc 100644
--- a/rules/S1079/cfamily/rule.adoc
+++ b/rules/S1079/cfamily/rule.adoc
@@ -50,6 +50,7 @@ If this code is given the word ``noncompliant`` as an input, ``noncompliā€`` wi
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input] ('Classic Buffer Overflow')
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S1081/cfamily/metadata.json b/rules/S1081/cfamily/metadata.json
index f265180921e..cc8f2cf7d07 100644
--- a/rules/S1081/cfamily/metadata.json
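Review bot: `"minItems": 0,` in the new "STIG ASD 2023-06-08" schema entry is a no-op, since a JSON Schema array already accepts zero items by default; drop the line unless the sibling standard entries spell it out for symmetry (their heads are outside this hunk, so that cannot be confirmed here). The `^V-\\d+$` pattern does match every id the metadata hunks below add, e.g. `"V-222612"`, and `uniqueItems` guards against the same finding being listed twice. If the enclosing `securityStandards` schema is closed with `additionalProperties: false` elsewhere in the file, the key name, including its date suffix, has to match the metadata files byte-for-byte, which it does in every hunk of this commit.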
+++ b/rules/S1081/cfamily/metadata.json
@@ -41,6 +41,9 @@
 ],
 "CERT": [
 "STR07-C."
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S1081/common/resources/standards.adoc b/rules/S1081/common/resources/standards.adoc
index fb1af91d6fd..3ed57bf2bdb 100644
--- a/rules/S1081/common/resources/standards.adoc
+++ b/rules/S1081/common/resources/standards.adoc
@@ -5,3 +5,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function]
 * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
diff --git a/rules/S1913/cfamily/metadata.json b/rules/S1913/cfamily/metadata.json
index 498aa2fbb76..99bee4bc6bd 100644
--- a/rules/S1913/cfamily/metadata.json
+++ b/rules/S1913/cfamily/metadata.json
@@ -24,6 +24,11 @@
 "ruleSpecification": "RSPEC-1913",
 "sqKey": "S1913",
 "scope": "Main",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222612"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S1913/cfamily/rule.adoc b/rules/S1913/cfamily/rule.adoc
index d0bc9cbf80f..c1fa544df1f 100644
--- a/rules/S1913/cfamily/rule.adoc
+++ b/rules/S1913/cfamily/rule.adoc
@@ -45,6 +45,10 @@ void function() {
 * {cpp} reference - https://en.cppreference.com/w/cpp/language/sizeof[`sizeof` operator]
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2053/common/resources/standards.adoc b/rules/S2053/common/resources/standards.adoc
index ebc61597dd1..a69aee6dd6a 100644
--- a/rules/S2053/common/resources/standards.adoc
+++ b/rules/S2053/common/resources/standards.adoc
@@ -4,4 +4,5 @@
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/759[CWE-759 - Use of a One-Way Hash without a Salt]
 * CWE - https://cwe.mitre.org/data/definitions/760[CWE-760 - Use of a One-Way Hash with a Predictable Salt]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.
diff --git a/rules/S2053/metadata.json b/rules/S2053/metadata.json
index 257da7c37e3..868fb1d0e06 100644
--- a/rules/S2053/metadata.json
+++ b/rules/S2053/metadata.json
@@ -43,6 +43,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222542"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2076/common/resources/standards.adoc b/rules/S2076/common/resources/standards.adoc
index d216c2b89db..8ef32399e57 100644
--- a/rules/S2076/common/resources/standards.adoc
+++ b/rules/S2076/common/resources/standards.adoc
@@ -4,3 +4,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/78[CWE-78 - Improper Neutralization of Special Elements used in an OS Command]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222604[Application Security and Development: V-222604] - The application must protect from command injection.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2076/metadata.json b/rules/S2076/metadata.json
index 6685700dc9f..d204efe493e 100644
--- a/rules/S2076/metadata.json
+++ b/rules/S2076/metadata.json
@@ -49,6 +49,10 @@
 "5.1.3",
 "5.1.4",
 "5.3.8"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222604",
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2078/common/resources/standards.adoc b/rules/S2078/common/resources/standards.adoc
index 7642868defc..4359017f067 100644
--- a/rules/S2078/common/resources/standards.adoc
+++ b/rules/S2078/common/resources/standards.adoc
@@ -6,3 +6,5 @@
 * https://www.ietf.org/rfc/rfc4515.txt[RFC 4515] - LDAP: String Representation of Search Filters
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/90[CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2078/java/metadata.json b/rules/S2078/java/metadata.json
index f0e25b5ee81..f7e4b236ca3 100644
--- a/rules/S2078/java/metadata.json
+++ b/rules/S2078/java/metadata.json
@@ -27,6 +27,9 @@
 "5.1.3",
 "5.1.4",
 "5.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 }
 }
diff --git a/rules/S2078/metadata.json b/rules/S2078/metadata.json
index 0364131ea49..8c473862b5b 100644
--- a/rules/S2078/metadata.json
+++ b/rules/S2078/metadata.json
@@ -48,6 +48,9 @@
 "5.1.3",
 "5.1.4",
 "5.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2083/common/resources/standards.adoc b/rules/S2083/common/resources/standards.adoc
index 2ae72b4f8d2..97a216c1077 100644
--- a/rules/S2083/common/resources/standards.adoc
+++ b/rules/S2083/common/resources/standards.adoc
@@ -6,3 +6,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2083/metadata.json b/rules/S2083/metadata.json
index 79bfc729780..fcce89f7822 100644
--- a/rules/S2083/metadata.json
+++ b/rules/S2083/metadata.json
@@ -50,6 +50,9 @@
 "12.3.1",
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2091/common/resources/standards.adoc b/rules/S2091/common/resources/standards.adoc
index 33a488a32ff..c9f79c9320c 100644
--- a/rules/S2091/common/resources/standards.adoc
+++ b/rules/S2091/common/resources/standards.adoc
@@ -4,3 +4,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/643[CWE-643 - Improper Neutralization of Data within XPath Expressions]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S2091/java/metadata.json b/rules/S2091/java/metadata.json
index 10f231dce36..31db2b94826 100644
--- a/rules/S2091/java/metadata.json
+++ b/rules/S2091/java/metadata.json
@@ -27,6 +27,10 @@
 "5.1.3",
 "5.1.4",
 "5.3.10"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608",
+ "V-222609"
 ]
 }
 }
diff --git a/rules/S2091/metadata.json b/rules/S2091/metadata.json
index bcab2254681..a662530756c 100644
--- a/rules/S2091/metadata.json
+++ b/rules/S2091/metadata.json
@@ -48,6 +48,10 @@
 "5.1.3",
 "5.1.4",
 "5.3.10"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608",
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2092/metadata.json b/rules/S2092/metadata.json
index 8336c0d4840..ab9c49b5698 100644
--- a/rules/S2092/metadata.json
+++ b/rules/S2092/metadata.json
@@ -52,6 +52,9 @@
 "6.1.1",
 "6.1.2",
 "6.1.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222576"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2092/see.adoc b/rules/S2092/see.adoc
index 63cea736344..1a0ae5af63f 100644
--- a/rules/S2092/see.adoc
+++ b/rules/S2092/see.adoc
@@ -6,3 +6,5 @@
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
 * CWE - https://cwe.mitre.org/data/definitions/315[CWE-315 - Cleartext Storage of Sensitive Information in a Cookie]
 * CWE - https://cwe.mitre.org/data/definitions/614[CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222576[Application Security and Development: V-222576] - The application must set the secure flag on session cookies.
+
diff --git a/rules/S2184/cfamily/metadata.json b/rules/S2184/cfamily/metadata.json
index 4f45fdc4f57..53d2bcf2711 100644
--- a/rules/S2184/cfamily/metadata.json
+++ b/rules/S2184/cfamily/metadata.json
@@ -18,6 +18,9 @@
 ],
 "ASVS 4.0": [
 "5.4.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 }
 }
diff --git a/rules/S2184/cfamily/rule.adoc b/rules/S2184/cfamily/rule.adoc
index 354c37a6031..48a934510cb 100644
--- a/rules/S2184/cfamily/rule.adoc
+++ b/rules/S2184/cfamily/rule.adoc
@@ -33,9 +33,13 @@ void compliant2() {
 == Resources
+=== Standards
+
 * MISRA {cpp}:2008, 5-0-8 - An explicit integral or floating-point conversion shall not increase the size of the underlying type of a cvalue expression.
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2184/csharp/rule.adoc b/rules/S2184/csharp/rule.adoc
index 373567fdba6..54f1f9921ff 100644
--- a/rules/S2184/csharp/rule.adoc
+++ b/rules/S2184/csharp/rule.adoc
@@ -30,7 +30,10 @@ static void Method(float f) { }
 == Resources
+=== Standards
+
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2184/java/metadata.json b/rules/S2184/java/metadata.json
index feff987871e..66214ce145b 100644
--- a/rules/S2184/java/metadata.json
+++ b/rules/S2184/java/metadata.json
@@ -14,6 +14,9 @@
 ],
 "ASVS 4.0": [
 "5.4.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 }
 }
diff --git a/rules/S2184/java/rule.adoc b/rules/S2184/java/rule.adoc
index c375c9e65b7..1c64fc450e1 100644
--- a/rules/S2184/java/rule.adoc
+++ b/rules/S2184/java/rule.adoc
@@ -62,9 +62,13 @@ public float compute2(float factor){
 == Resources
+=== Standards
+
 * CWE - https://cwe.mitre.org/data/definitions/190[CWE-190 - Integer Overflow or Wraparound]
 * https://wiki.sei.cmu.edu/confluence/x/AjdGBQ[CERT, NUM50-J.] - Convert integers to floating point for floating-point operations
 * https://wiki.sei.cmu.edu/confluence/x/I9cxBQ[CERT, INT18-C.] - Evaluate integer expressions in a larger size before comparing or assigning to that size
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2184/metadata.json b/rules/S2184/metadata.json
index 96c978d2996..d417d1b2100 100644
--- a/rules/S2184/metadata.json
+++ b/rules/S2184/metadata.json
@@ -34,6 +34,9 @@
 ],
 "ASVS 4.0": [
 "5.4.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2226/java/metadata.json b/rules/S2226/java/metadata.json
index 7c9ab04f3aa..355b10c598b 100644
--- a/rules/S2226/java/metadata.json
+++ b/rules/S2226/java/metadata.json
@@ -32,6 +32,9 @@
 "securityStandards": {
 "CERT": [
 "MSC11-J."
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2226/java/rule.adoc b/rules/S2226/java/rule.adoc
index 42e5d9137dd..bfb00cc8622 100644
--- a/rules/S2226/java/rule.adoc
+++ b/rules/S2226/java/rule.adoc
@@ -169,6 +169,11 @@ public class MyServlet extends HttpServlet {
 * https://www.devinline.com/2013/08/how-to-make-thread-safe-servlet.html[Nikhil Ranjan: How to make thread safe servlet ?]
 * https://objectcomputing.com/resources/publications/sett/april-2000-tips-for-creating-thread-safe-code-avoiding-race-conditions[Object Computing: Tips for creating thread-safe code]
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S2254/java/metadata.json b/rules/S2254/java/metadata.json
index a34fab19fba..ba48324b7d4 100644
--- a/rules/S2254/java/metadata.json
+++ b/rules/S2254/java/metadata.json
@@ -16,8 +16,12 @@
 "cwe"
 ],
 "extra": {
- "replacementRules": [],
- "legacyKeys": []
+ "replacementRules": [
+
+ ],
+ "legacyKeys": [
+
+ ]
 },
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-2254",
@@ -32,10 +36,13 @@
 ],
 "OWASP Top 10 2021": [
 "A4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222582"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S2254/java/rule.adoc b/rules/S2254/java/rule.adoc
index d56127cebfa..eeb1738fb05 100644
--- a/rules/S2254/java/rule.adoc
+++ b/rules/S2254/java/rule.adoc
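Review bot: The first hunk of rules/S2254/java/metadata.json rewrites `"replacementRules": [],` and `"legacyKeys": []` into three-line arrays with an empty line inside, which has nothing to do with the STIG mapping and reads like serializer output rather than a deliberate edit; the same churn appears in rules/S2435/metadata.json (`"tags"`), rules/S2612/docker/metadata.json (every empty standards array) and rules/S2647/metadata.json (`"tags"`, `"replacementRules"`, `"legacyKeys"`, `"defaultQualityProfiles"`). Keeping the compact `[]` form confines the diff to the key actually being added and avoids a later formatting pass reverting these lines; if the files are regenerated by a tool, that tool's output format is what should change. The trailing-newline fix at the end of the same file is fine to keep.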
@@ -64,6 +64,7 @@ The compliant example instead uses the server's session ID to verify if the sess
 * OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
 * CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2435/cfamily/metadata.json b/rules/S2435/cfamily/metadata.json
index 5cc7dc16681..b1318e59743 100644
--- a/rules/S2435/cfamily/metadata.json
+++ b/rules/S2435/cfamily/metadata.json
@@ -12,6 +12,9 @@
 ],
 "OWASP Top 10 2021": [
 "A3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608"
 ]
 }
 }
diff --git a/rules/S2435/cfamily/rule.adoc b/rules/S2435/cfamily/rule.adoc
index ec3c537453f..d0f9876a1c8 100644
--- a/rules/S2435/cfamily/rule.adoc
+++ b/rules/S2435/cfamily/rule.adoc
@@ -4,10 +4,14 @@ include::../rule-except-see.adoc[]
 == Resources
+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2435/java/metadata.json b/rules/S2435/java/metadata.json
index 2eef90b9d72..df191137d97 100644
--- a/rules/S2435/java/metadata.json
+++ b/rules/S2435/java/metadata.json
@@ -15,6 +15,9 @@
 ],
 "OWASP Top 10 2021": [
 "A3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608"
 ]
 }
 }
diff --git a/rules/S2435/java/rule.adoc b/rules/S2435/java/rule.adoc
index a45117644e0..a85f38398be 100644
--- a/rules/S2435/java/rule.adoc
+++ b/rules/S2435/java/rule.adoc
@@ -4,11 +4,15 @@ include::../rule-except-see.adoc[]
 == Resources
+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
 * https://wiki.sei.cmu.edu/confluence/x/7jdGBQ[CERT, IDS51-J.] - Properly encode or escape output
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2435/metadata.json b/rules/S2435/metadata.json
index fea97bf128c..c1e9bb98433 100644
--- a/rules/S2435/metadata.json
+++ b/rules/S2435/metadata.json
@@ -7,6 +7,7 @@
 "constantCost": "15min"
 },
 "tags": [
+
 ],
 "extra": {
 "replacementRules": [
@@ -30,6 +31,9 @@
 ],
 "OWASP Top 10 2021": [
 "A3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2612/cfamily/metadata.json b/rules/S2612/cfamily/metadata.json
index 1647fe19119..89bd377d275 100644
--- a/rules/S2612/cfamily/metadata.json
+++ b/rules/S2612/cfamily/metadata.json
@@ -27,6 +27,9 @@
 ],
 "ASVS 4.0": [
 "4.3.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222430"
 ]
 }
 }
diff --git a/rules/S2612/cfamily/rule.adoc b/rules/S2612/cfamily/rule.adoc
index ab62a575367..9e92e8b1334 100644
--- a/rules/S2612/cfamily/rule.adoc
+++ b/rules/S2612/cfamily/rule.adoc
@@ -64,6 +64,8 @@ umask(S_IRWXO); // Compliant: further created files or directories will not have
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
 * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2612/docker/metadata.json b/rules/S2612/docker/metadata.json
index 461042dc3ec..8ecc9ba470c 100644
--- a/rules/S2612/docker/metadata.json
+++ b/rules/S2612/docker/metadata.json
@@ -5,19 +5,28 @@
 ],
 "securityStandards": {
 "CERT": [
+
 ],
 "CWE": [
 732
 ],
 "OWASP": [
+
 ],
 "OWASP Top 10 2021": [
+
 ],
 "PCI DSS 3.2": [
+
 ],
 "PCI DSS 4.0": [
+
 ],
 "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222430"
 ]
 },
 "quickfix": "unknown"
diff --git a/rules/S2612/docker/rule.adoc b/rules/S2612/docker/rule.adoc
index 094423df3c5..fcdc84991db 100644
--- a/rules/S2612/docker/rule.adoc
+++ b/rules/S2612/docker/rule.adoc
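Review bot: The mapping of S2612 to `"V-222430"` in rules/S2612/cfamily/metadata.json reads as a stretch: the STIG title quoted in the rule.adoc hunks is "The application must execute without excessive account permissions", i.e. the privileges of the account the application runs as, while this rule's existing references (CWE-732, CWE-266, CERT FIO06-C, and the `umask(S_IRWXO)` example in the cfamily context) are about the permission bits granted on files and directories. If the ASD STIG has a requirement that is specifically about access control on files the application creates, that would be a tighter fit; otherwise a one-line rationale in the PR description would help whoever audits these mappings next. The same mapping is applied in rules/S2612/docker, rules/S2612/java and rules/S2612/metadata.json.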
@@ -45,6 +45,8 @@ RUN chmod +t resource
 * https://docs.docker.com/engine/reference/builder/#copy[COPY] - Docker COPY command
 * https://man.archlinux.org/man/core/man-pages/chmod.1p.en[chmod reference] - `chmod` command
 * https://man.archlinux.org/man/chown.1.en[chown reference] - `chown` command
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2612/java/metadata.json b/rules/S2612/java/metadata.json
index d19d99bbb7b..5b0e3e6b33d 100644
--- a/rules/S2612/java/metadata.json
+++ b/rules/S2612/java/metadata.json
@@ -27,6 +27,9 @@
 ],
 "ASVS 4.0": [
 "4.3.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222430"
 ]
 },
 "quickfix": "unknown"
diff --git a/rules/S2612/java/rule.adoc b/rules/S2612/java/rule.adoc
index f273a72530e..0dea0afec3d 100644
--- a/rules/S2612/java/rule.adoc
+++ b/rules/S2612/java/rule.adoc
@@ -72,6 +72,8 @@ On operating systems that implement POSIX standard. This will throw a ``++Unsupp
 * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
 * https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions[CERT, FIO01-J.] - Create files with appropriate access permissions
 * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S2612/metadata.json b/rules/S2612/metadata.json
index 581f40b637c..43ad9262f47 100644
--- a/rules/S2612/metadata.json
+++ b/rules/S2612/metadata.json
@@ -47,6 +47,9 @@
 ],
 "ASVS 4.0": [
 "4.3.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222430"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2612/see.adoc b/rules/S2612/see.adoc
index ac7db81e12b..1b512527ba7 100644
--- a/rules/S2612/see.adoc
+++ b/rules/S2612/see.adoc
@@ -6,3 +6,5 @@
 * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission[OWASP File Permission]
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
diff --git a/rules/S2631/common/resources/standards.adoc b/rules/S2631/common/resources/standards.adoc
index 7322316fac7..4c60f6b3f15 100644
--- a/rules/S2631/common/resources/standards.adoc
+++ b/rules/S2631/common/resources/standards.adoc
@@ -5,3 +5,7 @@
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
 * CWE - https://cwe.mitre.org/data/definitions/1333[CWE-1333 - Inefficient Regular Expression Complexity]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222594[Application Security and Development: V-222594] - The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+
diff --git a/rules/S2631/metadata.json b/rules/S2631/metadata.json
index bebe700f401..83825701811 100644
--- a/rules/S2631/metadata.json
+++ b/rules/S2631/metadata.json
@@ -50,6 +50,11 @@
 "12.1.1",
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222594",
+ "V-222609",
+ "V-222667"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2647/common/resources/standards.adoc b/rules/S2647/common/resources/standards.adoc
index 5dfe721aea8..46331f40b54 100644
--- a/rules/S2647/common/resources/standards.adoc
+++ b/rules/S2647/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html#user-authentication[OWASP Web Service Security Cheat Sheet]
 * CWE - https://cwe.mitre.org/data/definitions/522[CWE-522 - Insufficiently Protected Credentials]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222533[Application Security and Development: V-222533] - The application must authenticate all network connected endpoint devices before establishing any connection.
+
diff --git a/rules/S2647/metadata.json b/rules/S2647/metadata.json
index a1129dfb330..3986933ca90 100644
--- a/rules/S2647/metadata.json
+++ b/rules/S2647/metadata.json
@@ -12,10 +12,16 @@
 "func": "Constant\/Issue",
 "constantCost": "2h"
 },
- "tags": [],
+ "tags": [
+
+ ],
 "extra": {
- "replacementRules": [],
- "legacyKeys": []
+ "replacementRules": [
+
+ ],
+ "legacyKeys": [
+
+ ]
 },
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-2647",
@@ -39,8 +45,13 @@
 ],
 "ASVS 4.0": [
 "2.10.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222533"
 ]
 },
- "defaultQualityProfiles": [],
+ "defaultQualityProfiles": [
+
+ ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S2696/common/resources/standards.adoc b/rules/S2696/common/resources/standards.adoc
new file mode 100644
index 00000000000..a7d9d7297c9
--- /dev/null
+++ b/rules/S2696/common/resources/standards.adoc
@@ -0,0 +1,4 @@
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
diff --git a/rules/S2696/csharp/rule.adoc b/rules/S2696/csharp/rule.adoc
index 97aa75db8d3..2b28f0ccf3c 100644
--- a/rules/S2696/csharp/rule.adoc
+++ b/rules/S2696/csharp/rule.adoc
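Review bot: The new `"V-222533"` entry in the second hunk of rules/S2647/metadata.json maps this rule to a requirement whose title, as quoted in the standards.adoc hunk above it, is about authenticating network-connected endpoint devices before a connection is established, whereas the rule's existing references (CWE-522 Insufficiently Protected Credentials and the user-authentication section of the OWASP Web Service Security cheat sheet) are about credentials being exposed by basic authentication. Those are not obviously the same control, and only the title is visible here, so please confirm the mapping is intended or, if the ASD STIG has a requirement about protecting credentials in transit, use that one. The adoc bullet and the metadata entry would need to change together.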
@@ -40,6 +40,9 @@ interface MyInterface
 * https://www.c-sharpcorner.com/UploadFile/1d42da/race-conditions-in-threading-C-Sharp/[Race Conditions in C#]
+include::../common/resources/standards.adoc[]
+
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S2696/java/rule.adoc b/rules/S2696/java/rule.adoc
index 98f39bd7ba5..3ee004e063a 100644
--- a/rules/S2696/java/rule.adoc
+++ b/rules/S2696/java/rule.adoc
@@ -22,6 +22,11 @@ public class MyClass {
 ----
+== Resources
+
+include::../common/resources/standards.adoc[]
+
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S2696/metadata.json b/rules/S2696/metadata.json
index 1945fb9ad51..e6b224b511e 100644
--- a/rules/S2696/metadata.json
+++ b/rules/S2696/metadata.json
@@ -27,6 +27,11 @@
 "ruleSpecification": "RSPEC-2696",
 "sqKey": "S2696",
 "scope": "Main",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222567"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S2755/common/resources/standards.adoc b/rules/S2755/common/resources/standards.adoc
index fb7139b7a64..80624efb7b4 100644
--- a/rules/S2755/common/resources/standards.adoc
+++ b/rules/S2755/common/resources/standards.adoc
@@ -4,4 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Information Exposure Through XML External Entity Reference]
 * CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
diff --git a/rules/S2755/metadata.json b/rules/S2755/metadata.json
index 615b0b807d8..e75faf0662c 100644
--- a/rules/S2755/metadata.json
+++ b/rules/S2755/metadata.json
@@ -46,6 +46,9 @@
 ],
 "ASVS 4.0": [
 "5.5.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2885/java/metadata.json b/rules/S2885/java/metadata.json
index 5a2d39449ad..abe9fbcdb90 100644
--- a/rules/S2885/java/metadata.json
+++ b/rules/S2885/java/metadata.json
@@ -19,6 +19,11 @@
 "ruleSpecification": "RSPEC-2885",
 "sqKey": "S2885",
 "scope": "Main",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222567"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S2885/java/rule.adoc b/rules/S2885/java/rule.adoc
index a3cff65bb14..974403b094c 100644
--- a/rules/S2885/java/rule.adoc
+++ b/rules/S2885/java/rule.adoc
@@ -48,12 +48,18 @@ public class MyClass {
 ----
 == Resources
+
 === Articles & blog posts
 * https://web.mit.edu/6.005/www/fa14/classes/18-thread-safety/[MIT - Thread safety]
 * https://www.baeldung.com/java-thread-safety[Baeldung - Thread safety]
 * https://www.baeldung.com/java-static[Baeldung - Static]
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S2886/java/metadata.json b/rules/S2886/java/metadata.json
index 668868e5f33..64fe332607b 100644
--- a/rules/S2886/java/metadata.json
+++ b/rules/S2886/java/metadata.json
@@ -23,6 +23,9 @@
 "securityStandards": {
 "CERT": [
 "VNA01-J."
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S2886/java/rule.adoc b/rules/S2886/java/rule.adoc
index a3aa269f6cc..6170b83ee74 100644
--- a/rules/S2886/java/rule.adoc
+++ b/rules/S2886/java/rule.adoc
@@ -82,15 +82,17 @@ public class Person {
 * https://docs.oracle.com/javase/tutorial/essential/concurrency/syncmeth.html[Oracle Java - Synchronized Methods]
 * https://docs.oracle.com/javase/specs/jls/se20/html/jls-8.html#jls-8.4.3.6[Oracle SE 20 - Synchronized Methods]
-=== Standards
-
-* https://wiki.sei.cmu.edu/confluence/x/4jdGBQ[CERT, VNA01-J.] - Ensure visibility of shared references to immutable objects
-
 === Articles & blog posts
 * https://web.mit.edu/6.005/www/fa14/classes/18-thread-safety/[MIT - Thread safety]
 * https://www.baeldung.com/java-thread-safety[Baeldung - Thread safety]
+=== Standards
+
+* https://wiki.sei.cmu.edu/confluence/x/4jdGBQ[CERT, VNA01-J.] - Ensure visibility of shared references to immutable objects
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S3330/metadata.json b/rules/S3330/metadata.json
index 6b84f415a99..e301f9a08bb 100644
--- a/rules/S3330/metadata.json
+++ b/rules/S3330/metadata.json
@@ -46,6 +46,9 @@
 ],
 "ASVS 4.0": [
 "3.4.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222575"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S3330/see.adoc b/rules/S3330/see.adoc
index 53adae0386e..304a751f41d 100644
--- a/rules/S3330/see.adoc
+++ b/rules/S3330/see.adoc
@@ -4,4 +4,6 @@
 * https://owasp.org/www-community/HttpOnly[OWASP HttpOnly]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * CWE - https://cwe.mitre.org/data/definitions/1004[CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag]
-* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE[HTTPONLY_COOKIE]
\ No newline at end of file
+* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE[HTTPONLY_COOKIE]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222575[Application Security and Development: V-222575] - The application must set the HTTPOnly flag on session cookies.
+
diff --git a/rules/S3518/cfamily/metadata.json b/rules/S3518/cfamily/metadata.json
index ff48e09418e..434dead28ee 100644
--- a/rules/S3518/cfamily/metadata.json
+++ b/rules/S3518/cfamily/metadata.json
@@ -16,6 +16,9 @@
 ],
 "CWE": [
 369
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 }
 }
diff --git a/rules/S3518/cfamily/rule.adoc b/rules/S3518/cfamily/rule.adoc
index 6e076e5d428..e6b8c397326 100644
--- a/rules/S3518/cfamily/rule.adoc
+++ b/rules/S3518/cfamily/rule.adoc
@@ -138,6 +138,7 @@ std::optional safe_division(int a, int b) {
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow[INT32-C. Ensure that operations on signed integers do not result in overflow]
 * CERT - https://wiki.sei.cmu.edu/confluence/x/ftYxBQ[INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors]
 * CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
 === External coding guidelines
diff --git a/rules/S3518/java/metadata.json b/rules/S3518/java/metadata.json
index 0909f01266a..f25f18a967d 100644
--- a/rules/S3518/java/metadata.json
+++ b/rules/S3518/java/metadata.json
@@ -12,6 +12,9 @@
 ],
 "CWE": [
 369
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 }
 }
diff --git a/rules/S3518/java/rule.adoc b/rules/S3518/java/rule.adoc
index ef36009df98..ac83eff1552 100644
--- a/rules/S3518/java/rule.adoc
+++ b/rules/S3518/java/rule.adoc
@@ -59,16 +59,15 @@ void test_divide() {
 === Documentation
 * https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/ArithmeticException.html[ArithmeticException]
+* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.2[The Division Operator in the JLS]
+* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.3[The Remainder Operator in the JLS]
-=== Articles & blog posts
+=== Standards
 * CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
 * https://wiki.sei.cmu.edu/confluence/x/CTZGBQ[CERT, NUM02-J.] - Ensure that division and remainder operations do not result in divide-by-zero errors
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
-=== Standards
-
-* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.2[The Division Operator in the JLS]
-* https://docs.oracle.com/javase/specs/jls/se17/html/jls-15.html#jls-15.17.3[The Remainder Operator in the JLS]
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3518/metadata.json b/rules/S3518/metadata.json
index 559015907b8..22adfa10c79 100644
--- a/rules/S3518/metadata.json
+++ b/rules/S3518/metadata.json
@@ -31,6 +31,9 @@
 "securityStandards": {
 "CWE": [
 369
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S3518/python/metadata.json b/rules/S3518/python/metadata.json
index 5ba48ac266f..e4e73e9907c 100644
--- a/rules/S3518/python/metadata.json
+++ b/rules/S3518/python/metadata.json
@@ -11,6 +11,9 @@
 ],
 "CWE": [
 369
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 }
 }
diff --git a/rules/S3518/python/rule.adoc b/rules/S3518/python/rule.adoc
index 441c4e23275..ee1998773ab 100644
--- a/rules/S3518/python/rule.adoc
+++ b/rules/S3518/python/rule.adoc
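Review bot: The `V-222612` entry added to S3518's root, Java and Python metadata over-claims: that STIG item is titled "must not be vulnerable to overflow attacks", while the only standards these variants cite are CWE-369 (divide by zero) and, in the Java rule.adoc hunk above, CERT NUM02-J — a division by zero ends in an exception (`ArithmeticException`, `ZeroDivisionError` per the linked docs), it does not overflow anything. The C-family variant in the previous hunk additionally cites INT32-C on signed-integer overflow, which is presumably where the overflow link comes from; if that is the rationale, keep the mapping on the cfamily metadata only, or state in the commit description why a divide-by-zero check should count toward V-222612 so STIG compliance reports do not show coverage the Java and Python checkers do not provide.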
@@ -104,10 +104,8 @@ if the denominator is zero.
 * https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations[Binary arithmetic operations]
 * https://docs.python.org/3/library/exceptions.html#ZeroDivisionError[ZeroDivisionError]
-=== Articles & blog posts
+=== Standards
 * CWE - https://cwe.mitre.org/data/definitions/369[CWE-369 - Divide by zero]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
diff --git a/rules/S3519/cfamily/metadata.json b/rules/S3519/cfamily/metadata.json
index 3a6f5a53b9b..375ed579dbd 100644
--- a/rules/S3519/cfamily/metadata.json
+++ b/rules/S3519/cfamily/metadata.json
@@ -47,6 +47,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S3519/cfamily/rule.adoc b/rules/S3519/cfamily/rule.adoc
index 7ff911a1a38..716a2e17541 100644
--- a/rules/S3519/cfamily/rule.adoc
+++ b/rules/S3519/cfamily/rule.adoc
@@ -389,6 +389,7 @@ void tar(std::string const &s) {
 * CWE - https://cwe.mitre.org/data/definitions/131[CWE-131 Incorrect Calculation of Buffer Size]
 * CWE - https://cwe.mitre.org/data/definitions/193[CWE-193 Off-by-one Error]
 * CWE - https://cwe.mitre.org/data/definitions/788[CWE-788 Access of Memory Location After End of Buffer]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
 === Related rules
diff --git a/rules/S3649/common/resources/standards.adoc b/rules/S3649/common/resources/standards.adoc
index 024b19cc62b..a382d152ef2 100644
--- a/rules/S3649/common/resources/standards.adoc
+++ b/rules/S3649/common/resources/standards.adoc
@@ -5,3 +5,6 @@
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/89[CWE-89 - Improper Neutralization of Special Elements used in an SQL Command]
 * https://wiki.sei.cmu.edu/confluence/x/ITdGBQ[CERT, IDS00-J.] - Prevent SQL injection
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222607[Application Security and Development: V-222607] - The application must not be vulnerable to SQL Injection.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S3649/metadata.json b/rules/S3649/metadata.json
index ed79a6082ad..9953d4cf81b 100644
--- a/rules/S3649/metadata.json
+++ b/rules/S3649/metadata.json
@@ -50,6 +50,10 @@
 "5.1.4",
 "5.3.4",
 "5.3.5"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222607",
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S3687/cfamily/metadata.json b/rules/S3687/cfamily/metadata.json
index 9040a6a6bd2..c015ce44531 100644
--- a/rules/S3687/cfamily/metadata.json
+++ b/rules/S3687/cfamily/metadata.json
@@ -31,6 +31,11 @@
 "ruleSpecification": "RSPEC-3687",
 "sqKey": "S3687",
 "scope": "All",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222567"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S3687/cfamily/rule.adoc b/rules/S3687/cfamily/rule.adoc
index 85469009fe5..3b28c22d438 100644
--- a/rules/S3687/cfamily/rule.adoc
+++ b/rules/S3687/cfamily/rule.adoc
@@ -38,8 +38,11 @@ User volatile * pvUser;
 == Resources
+=== Standards
+
 * https://wiki.sei.cmu.edu/confluence/display/c/CON02-C.+Do+not+use+volatile+as+a+synchronization+primitive[CERT CON02-C] - Do not use volatile as a synchronization primitive
 * {cpp} Core Guidelines - https://github.com/isocpp/CppCoreGuidelines/blob/e49158a/CppCoreGuidelines.md#cp200-use-volatile-only-to-talk-to-non-c-memory[CP.200: Use `volatile` only to talk to non-{cpp} memory]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S3949/cfamily/metadata.json b/rules/S3949/cfamily/metadata.json
index 6cb3eaa5dfb..28d1b2db254 100644
--- a/rules/S3949/cfamily/metadata.json
+++ b/rules/S3949/cfamily/metadata.json
@@ -13,6 +13,9 @@
 "securityStandards": {
 "CERT": [
 "INT30-C."
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 }
 }
diff --git a/rules/S3949/cfamily/rule.adoc b/rules/S3949/cfamily/rule.adoc
index 0cef8f70153..dc285d77b69 100644
--- a/rules/S3949/cfamily/rule.adoc
+++ b/rules/S3949/cfamily/rule.adoc
@@ -20,6 +20,11 @@ void test(char c) {
 }
 ----
+== Resources
+
+include::../common/resources/standards.adoc[]
+
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S3949/common/resources/standards.adoc b/rules/S3949/common/resources/standards.adoc
new file mode 100644
index 00000000000..c80df97e74c
--- /dev/null
+++ b/rules/S3949/common/resources/standards.adoc
@@ -0,0 +1,4 @@
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
diff --git a/rules/S3949/csharp/rule.adoc b/rules/S3949/csharp/rule.adoc
index 6da585919c0..f22ebc9cb0f 100644
--- a/rules/S3949/csharp/rule.adoc
+++ b/rules/S3949/csharp/rule.adoc
@@ -33,4 +33,10 @@ public long Transform(int value)
 }
 ----
+
+== Resources
+
+include::../common/resources/standards.adoc[]
+
+
 include::../rspecator.adoc[]
diff --git a/rules/S3949/metadata.json b/rules/S3949/metadata.json
index d8d5a6c6287..e379f1435cd 100644
--- a/rules/S3949/metadata.json
+++ b/rules/S3949/metadata.json
@@ -27,6 +27,11 @@
 "ruleSpecification": "RSPEC-3949",
 "sqKey": "S3949",
 "scope": "All",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222612"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S3949/vbnet/rule.adoc b/rules/S3949/vbnet/rule.adoc
index b51d6c8dc79..b31a4df1aef 100644
--- a/rules/S3949/vbnet/rule.adoc
+++ b/rules/S3949/vbnet/rule.adoc
@@ -24,4 +24,10 @@ Public Function Transform(Value As Integer) As Long
 End Function
 ----
+
+== Resources
+
+include::../common/resources/standards.adoc[]
+
+
 include::../rspecator.adoc[]
diff --git a/rules/S4502/metadata.json b/rules/S4502/metadata.json
index b31f461b7e2..78252c54fd0 100644
--- a/rules/S4502/metadata.json
+++ b/rules/S4502/metadata.json
@@ -46,6 +46,9 @@
 "ASVS 4.0": [
 "13.2.3",
 "4.2.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222603"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S4502/see.adoc b/rules/S4502/see.adoc
index a8ff3555b21..93793bdc7c7 100644
--- a/rules/S4502/see.adoc
+++ b/rules/S4502/see.adoc
@@ -4,3 +4,5 @@
 * CWE - https://cwe.mitre.org/data/definitions/352[CWE-352 - Cross-Site Request Forgery (CSRF)]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * https://owasp.org/www-community/attacks/csrf[OWASP: Cross-Site Request Forgery]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222603[Application Security and Development: V-222603] - The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
+
diff --git a/rules/S4830/cfamily/metadata.json b/rules/S4830/cfamily/metadata.json
index 2e2c906e105..570e9f22d01 100644
--- a/rules/S4830/cfamily/metadata.json
+++ b/rules/S4830/cfamily/metadata.json
@@ -41,6 +41,9 @@
 "ASVS 4.0": [
 "1.9.2",
 "9.2.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222550"
 ]
 }
 }
diff --git a/rules/S4830/common/resources/standards.adoc b/rules/S4830/common/resources/standards.adoc
index 37b356eba7d..d1a14eae155 100644
--- a/rules/S4830/common/resources/standards.adoc
+++ b/rules/S4830/common/resources/standards.adoc
@@ -8,3 +8,5 @@
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
 * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
 * CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
+
diff --git a/rules/S4830/java/metadata.json b/rules/S4830/java/metadata.json
index c432d942d7f..17b25528ef5 100644
--- a/rules/S4830/java/metadata.json
+++ b/rules/S4830/java/metadata.json
@@ -39,6 +39,9 @@
 "ASVS 4.0": [
 "1.9.2",
 "9.2.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222550"
 ]
 }
 }
diff --git a/rules/S4830/metadata.json b/rules/S4830/metadata.json
index 24703cc8dbe..c15e3680ac9 100644
--- a/rules/S4830/metadata.json
+++ b/rules/S4830/metadata.json
@@ -60,6 +60,9 @@
 "ASVS 4.0": [
 "1.9.2",
 "9.2.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222550"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5034/metadata.json b/rules/S5034/metadata.json
index 414adf12e99..672f28e1c3e 100644
--- a/rules/S5034/metadata.json
+++ b/rules/S5034/metadata.json
@@ -27,6 +27,11 @@
 "ruleSpecification": "RSPEC-5034",
 "sqKey": "S5034",
 "scope": "All",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222567"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S5034/rule.adoc b/rules/S5034/rule.adoc
index 67e45ccd3d8..5b3e789b77c 100644
--- a/rules/S5034/rule.adoc
+++ b/rules/S5034/rule.adoc
@@ -49,4 +49,9 @@ int value = await ComputeAsync().AsTask();
 * https://learn.microsoft.com/en-us/dotnet/api/system.threading.tasks.valuetask[ValueTask]
 * https://learn.microsoft.com/en-us/dotnet/api/system.threading.tasks.valuetask-1[ValueTask]
-* https://blogs.msdn.microsoft.com/dotnet/2018/11/07/understanding-the-whys-whats-and-whens-of-valuetask[Understanding the Whys, Whats, and Whens of ValueTask]
\ No newline at end of file
+* https://blogs.msdn.microsoft.com/dotnet/2018/11/07/understanding-the-whys-whats-and-whens-of-valuetask[Understanding the Whys, Whats, and Whens of ValueTask]
+
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
diff --git a/rules/S5131/common/resources/standards.adoc b/rules/S5131/common/resources/standards.adoc
index a0aa59a2802..ac12800c343 100644
--- a/rules/S5131/common/resources/standards.adoc
+++ b/rules/S5131/common/resources/standards.adoc
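Review bot: The new `securityStandards` block maps S5034 to V-222567 (race conditions) with nothing to back it: the file had no `securityStandards` entry at all before this hunk, and the rule's own resources in the next hunk are the ValueTask API pages and the "Whys, Whats, and Whens of ValueTask" post, which are about how a ValueTask is consumed (the hunk's context line is `int value = await ComputeAsync().AsTask();`), not about concurrent access to shared state. If the intent is that consuming a ValueTask more than once, or before it completes, is being treated as a concurrency hazard, say so in the rule's new Standards bullet instead of leaving only the generic STIG title; otherwise drop the mapping so a STIG report does not count this rule as race-condition coverage.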
@@ -3,3 +3,6 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222602[Application Security and Development: V-222602] - The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5131/metadata.json b/rules/S5131/metadata.json
index df793c7d178..3b674d5a385 100644
--- a/rules/S5131/metadata.json
+++ b/rules/S5131/metadata.json
@@ -45,6 +45,10 @@
 ],
 "ASVS 4.0": [
 "5.3.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222602",
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5135/common/resources/standards.adoc b/rules/S5135/common/resources/standards.adoc
index 1d615280940..bc3b43bdd59 100644
--- a/rules/S5135/common/resources/standards.adoc
+++ b/rules/S5135/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5135/metadata.json b/rules/S5135/metadata.json
index 5a862458adb..698e3ce55ea 100644
--- a/rules/S5135/metadata.json
+++ b/rules/S5135/metadata.json
@@ -50,6 +50,9 @@
 "5.1.4",
 "5.5.1",
 "5.5.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5144/common/resources/standards.adoc b/rules/S5144/common/resources/standards.adoc
index d27d2e47c1b..76326f58595 100644
--- a/rules/S5144/common/resources/standards.adoc
+++ b/rules/S5144/common/resources/standards.adoc
@@ -4,3 +4,4 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/918[CWE-918 - Server-Side Request Forgery (SSRF)]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S5144/metadata.json b/rules/S5144/metadata.json
index 9f42531ba87..4712bfb1953 100644
--- a/rules/S5144/metadata.json
+++ b/rules/S5144/metadata.json
@@ -49,6 +49,9 @@
 "5.1.3",
 "5.1.4",
 "5.2.6"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5145/common/resources/standards.adoc b/rules/S5145/common/resources/standards.adoc
index bbd930e59e5..89dffd6cb95 100644
--- a/rules/S5145/common/resources/standards.adoc
+++ b/rules/S5145/common/resources/standards.adoc
@@ -5,4 +5,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring[Top 10 2017 Category A10 - Insufficient Logging & Monitoring]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/117[CWE-117 - Improper Output Neutralization for Logs]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/117[CWE-117 - Improper Output Neutralization for Logs]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5145/metadata.json b/rules/S5145/metadata.json
index c63c7ae8673..8355bf49f9a 100644
--- a/rules/S5145/metadata.json
+++ b/rules/S5145/metadata.json
@@ -45,6 +45,9 @@
 "5.1.4",
 "7.3.1",
 "7.3.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5147/common/resources/standards.adoc b/rules/S5147/common/resources/standards.adoc
index 90ee3426598..db880041c74 100644
--- a/rules/S5147/common/resources/standards.adoc
+++ b/rules/S5147/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/943[CWE-943 - Improper Neutralization of Special Elements in Data Query Logic]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5147/metadata.json b/rules/S5147/metadata.json
index 99ff72cad59..65c9df48e1d 100644
--- a/rules/S5147/metadata.json
+++ b/rules/S5147/metadata.json
@@ -48,6 +48,9 @@
 "5.1.3",
 "5.1.4",
 "5.3.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5273/cfamily/metadata.json b/rules/S5273/cfamily/metadata.json
index 0ea948ddfdd..e44df73a45c 100644
--- a/rules/S5273/cfamily/metadata.json
+++ b/rules/S5273/cfamily/metadata.json
@@ -17,8 +17,12 @@
 "suspicious"
 ],
 "extra": {
- "replacementRules": [],
- "legacyKeys": []
+ "replacementRules": [
+
+ ],
+ "legacyKeys": [
+
+ ]
 },
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-5273",
@@ -32,6 +36,9 @@
 121,
 122,
 676
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5273/cfamily/rule.adoc b/rules/S5273/cfamily/rule.adoc
index d5db22fc0e4..50876a925d5 100644
--- a/rules/S5273/cfamily/rule.adoc
+++ b/rules/S5273/cfamily/rule.adoc
@@ -141,7 +141,7 @@ void bar(const char *src) {
 * CWE - https://cwe.mitre.org/data/definitions/121[CWE-121 Stack-based Buffer Overflow]
 * CWE - https://cwe.mitre.org/data/definitions/122[CWE-122 Heap-based Buffer Overflow]
 * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 Use of Potentially Dangerous Function]
-
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5283/cfamily/metadata.json b/rules/S5283/cfamily/metadata.json
index e80436d5bd6..1b354d86252 100644
--- a/rules/S5283/cfamily/metadata.json
+++ b/rules/S5283/cfamily/metadata.json
@@ -31,9 +31,11 @@
 "securityStandards": {
 "CERT": [
 "ARR32-C."
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222612"
 ]
 },
-
 "defaultQualityProfiles": [
 "Sonar way"
 ],
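Review bot: The first hunk for S5273/cfamily/metadata.json rewrites `"replacementRules": []` and `"legacyKeys": []` into three-line arrays with an empty line inside; that is a serializer artefact rather than a content change, and the next tool that round-trips the file will churn it straight back. Keep the single-line `[]` form and let this file's diff consist only of the `STIG ASD 2023-06-08` addition in the second hunk; the same blank-line-inside-empty-array pattern shows up again in the S5332 metadata files later in this diff and is worth normalising in one place.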
diff --git a/rules/S5283/cfamily/rule.adoc b/rules/S5283/cfamily/rule.adoc
index 0c527edd16e..b0156446fac 100644
--- a/rules/S5283/cfamily/rule.adoc
+++ b/rules/S5283/cfamily/rule.adoc
@@ -208,6 +208,8 @@ and the {cpp} standard never supported it, however, they are commonly accepted a
 === Standards
 * CERT - https://wiki.sei.cmu.edu/confluence/display/c/ARR32-C.+Ensure+size+arguments+for+variable+length+arrays+are+in+a+valid+range[ARR32-C. Ensure size arguments for variable length arrays are in a valid range]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5314/cfamily/metadata.json b/rules/S5314/cfamily/metadata.json
index b630715dc71..87c0e165a7f 100644
--- a/rules/S5314/cfamily/metadata.json
+++ b/rules/S5314/cfamily/metadata.json
@@ -32,6 +32,9 @@
 "securityStandards": {
 "CWE": [
 367
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5314/cfamily/rule.adoc b/rules/S5314/cfamily/rule.adoc
index 71a5a0c3db8..02ce11d7425 100644
--- a/rules/S5314/cfamily/rule.adoc
+++ b/rules/S5314/cfamily/rule.adoc
@@ -198,6 +198,10 @@ the ABA problem, where `A` and `B` refers to the values of the resource.
 == Resources
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
 === External coding guidelines
 * {cpp} Core Guidelines - https://github.com/isocpp/CppCoreGuidelines/blob/e49158a/CppCoreGuidelines.md#cp43-minimize-time-spent-in-a-critical-section[CP.43: Minimize time spent in a critical section]
diff --git a/rules/S5328/php/metadata.json b/rules/S5328/php/metadata.json
index 023887eceef..afb763ce958 100644
--- a/rules/S5328/php/metadata.json
+++ b/rules/S5328/php/metadata.json
@@ -49,6 +49,10 @@
 "2.3.1",
 "2.6.2",
 "2.9.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222579",
+ "V-222582"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5328/php/rule.adoc b/rules/S5328/php/rule.adoc
index 95dc9743eb4..ac348c535b4 100644
--- a/rules/S5328/php/rule.adoc
+++ b/rules/S5328/php/rule.adoc
@@ -43,6 +43,8 @@ session_id(bin2hex(random_bytes(16))); // Compliant
 * CWE - https://cwe.mitre.org/data/definitions/340[CWE-340 - Generation of Predictable Numbers or Identifiers]
 * https://www.php.net/random-bytes[PHP: random_bytes()]
 * https://www.php.net/session-regenerate-id[PHP: session_regenerate_id()]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222579[Application Security and Development: V-222579] - Applications must use system-generated session identifiers that protect against session fixation.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/apex/rule.adoc b/rules/S5332/apex/rule.adoc
index 59a629934dd..bb53c790e3f 100644
--- a/rules/S5332/apex/rule.adoc
+++ b/rules/S5332/apex/rule.adoc
@@ -32,11 +32,9 @@ public class MyClient {
 include::../exceptions.adoc[]
-== See
+include::../see.adoc[]
+
-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Information Exposure]
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/azureresourcemanager/metadata.json b/rules/S5332/azureresourcemanager/metadata.json
index 6908a72ec74..2d5d0465240 100644
--- a/rules/S5332/azureresourcemanager/metadata.json
+++ b/rules/S5332/azureresourcemanager/metadata.json
@@ -1,29 +1,45 @@
 {
- "tags": [
- "cwe"
- ],
- "securityStandards": {
- "CWE": [
- 200,
- 319
- ],
- "OWASP": [
- ],
- "OWASP Mobile": [
- ],
- "MASVS": [
- ],
- "OWASP Top 10 2021": [
- ],
- "PCI DSS 3.2": [
- "4.1",
- "6.5.4"
- ],
- "PCI DSS 4.0": [
- "4.2.1",
- "6.2.4"
- ],
- "ASVS 4.0": [
- ]
- }
+ "tags": [
+ "cwe"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
+ ],
+ "OWASP": [
+
+ ],
+ "OWASP Mobile": [
+
+ ],
+ "MASVS": [
+
+ ],
+ "OWASP Top 10 2021": [
+
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ }
 }
diff --git a/rules/S5332/azureresourcemanager/rule.adoc b/rules/S5332/azureresourcemanager/rule.adoc
index d18db095380..76faf748d86 100644
--- a/rules/S5332/azureresourcemanager/rule.adoc
+++ b/rules/S5332/azureresourcemanager/rule.adoc
@@ -421,7 +421,14 @@ resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = {
 ----
-include::see.adoc[]
+== See
+
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-iac.adoc[]
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/azureresourcemanager/see.adoc b/rules/S5332/azureresourcemanager/see.adoc
deleted file mode 100644
index a517da6d6db..00000000000
--- a/rules/S5332/azureresourcemanager/see.adoc
+++ /dev/null
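Review bot: Several of the nine STIG items attached to S5332's IaC metadata describe requirements this rule does not check: V-222534 asks for mutual SSL/TLS authentication of endpoints, V-222562/V-222563 cover non-local maintenance and diagnostic channels, and V-222577 is about not exposing session IDs (titles as given in the standards-iac.adoc hunk further down), whereas the rule's existing CWE-200/CWE-319 tags say it flags cleartext transport — a finding from it says nothing about whether mutual TLS is configured. Consider trimming the list to the items the check actually evidences (V-222397 and V-222596, as titled there, read as the direct matches) or explaining in the commit description how each ID was selected, so a STIG report built from this metadata does not claim mutual-TLS or maintenance-channel coverage. Separately, the hunk deletes and re-adds all 29 lines of the file for what is otherwise an indentation change and turns every empty array into `[` / blank line / `]`; doing the reformat in its own commit would leave only the STIG block to review here.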
@@ -1,6 +0,0 @@
-== See
-
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
-* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
diff --git a/rules/S5332/cfamily/rule.adoc b/rules/S5332/cfamily/rule.adoc
index da41f3e947c..77f3f63803a 100644
--- a/rules/S5332/cfamily/rule.adoc
+++ b/rules/S5332/cfamily/rule.adoc
@@ -50,6 +50,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/cloudformation/metadata.json b/rules/S5332/cloudformation/metadata.json
index f44d6ea83fb..a063ff0f7b1 100644
--- a/rules/S5332/cloudformation/metadata.json
+++ b/rules/S5332/cloudformation/metadata.json
@@ -1,4 +1,4 @@
-{
+{
 "tags": [
 "aws",
 "cwe"
@@ -9,12 +9,16 @@
 319
 ],
 "OWASP": [
+
 ],
 "OWASP Mobile": [
+
 ],
 "MASVS": [
+
 ],
 "OWASP Top 10 2021": [
+
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -25,6 +29,18 @@
 "6.2.4"
 ],
 "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
 ]
 }
 }
diff --git a/rules/S5332/cloudformation/rule.adoc b/rules/S5332/cloudformation/rule.adoc
index cc595670526..19888f42001 100644
--- a/rules/S5332/cloudformation/rule.adoc
+++ b/rules/S5332/cloudformation/rule.adoc
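Review bot: The first cloudformation/metadata.json hunk replaces the opening `{` with an identical-looking `{`, so the real change is an invisible byte — most likely a UTF-8 BOM or trailing whitespace on line 1. If it is a BOM removal it is a worthwhile fix (RFC 8259 §8.1 says a JSON text must not start with a BOM and strict parsers reject one), but it deserves a sentence in the commit description so nobody reverts it as noise; if it is stray whitespace, drop the hunk. The blank lines inserted into the empty `OWASP`, `OWASP Mobile`, `MASVS`, `OWASP Top 10 2021` and `ASVS 4.0` arrays in the two following hunks are formatter noise as well and should not ship with a metadata change.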
@@ -193,14 +193,15 @@ Resources:
 InCluster: true
 ----
+
 == See
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
-* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
-* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-iac.adoc[]
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/common/resources/articles.adoc b/rules/S5332/common/resources/articles.adoc
new file mode 100644
index 00000000000..b79594625da
--- /dev/null
+++ b/rules/S5332/common/resources/articles.adoc
@@ -0,0 +1,4 @@
+=== Articles & blog posts
+
+* Google - https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Moving towards more secure web]
+* Mozilla - https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Deprecating non secure http]
diff --git a/rules/S5332/common/resources/documentation.adoc b/rules/S5332/common/resources/documentation.adoc
new file mode 100644
index 00000000000..9868f6083d5
--- /dev/null
+++ b/rules/S5332/common/resources/documentation.adoc
@@ -0,0 +1,4 @@
+=== Documentation
+
+* AWS Documentation - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[Listeners for your Application Load Balancers]
+* AWS Documentation - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[Stream Encryption]
diff --git a/rules/S5332/common/resources/standards-iac.adoc b/rules/S5332/common/resources/standards-iac.adoc
new file mode 100644
index 00000000000..6515aaea448
--- /dev/null
+++ b/rules/S5332/common/resources/standards-iac.adoc
@@ -0,0 +1,13 @@
+=== Standards
+
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397[Application Security and Development: V-222397] - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534[Application Security and Development: V-222534] - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562[Application Security and Development: V-222562] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563[Application Security and Development: V-222563] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577[Application Security and Development: V-222577] - The application must not expose session IDs.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596[Application Security and Development: V-222596] - The application must protect the confidentiality and integrity of transmitted information.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597[Application Security and Development: V-222597] - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598[Application Security and Development: V-222598] - The application must maintain the confidentiality and integrity of information during preparation for transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599[Application Security and Development: V-222599] - The application must maintain the confidentiality and integrity of information during reception.
diff --git a/rules/S5332/common/resources/standards.adoc b/rules/S5332/common/resources/standards.adoc
new file mode 100644
index 00000000000..0375902247f
--- /dev/null
+++ b/rules/S5332/common/resources/standards.adoc
@@ -0,0 +1,17 @@
+=== Standards
+
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222397[Application Security and Development: V-222397] - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222534[Application Security and Development: V-222534] - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562[Application Security and Development: V-222562] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563[Application Security and Development: V-222563] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222577[Application Security and Development: V-222577] - The application must not expose session IDs.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222596[Application Security and Development: V-222596] - The application must protect the confidentiality and integrity of transmitted information.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222597[Application Security and Development: V-222597] - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598[Application Security and Development: V-222598] - The application must maintain the confidentiality and integrity of information during preparation for transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599[Application Security and Development: V-222599] - The application must maintain the confidentiality and integrity of information during reception.
diff --git a/rules/S5332/docker/metadata.json b/rules/S5332/docker/metadata.json
index adb9b0cae35..7ddff439a88 100644
--- a/rules/S5332/docker/metadata.json
+++ b/rules/S5332/docker/metadata.json
@@ -1,31 +1,46 @@
 {
- "tags": [
- "dockerfile",
- "cwe"
- ],
- "securityStandards": {
- "CWE": [
- 200,
- 319
- ],
- "OWASP": [
- ],
- "OWASP Mobile": [
- ],
- "MASVS": [
- ],
- "OWASP Top 10 2021": [
- ],
- "PCI DSS 3.2": [
- "4.1",
- "6.5.4"
- ],
- "PCI DSS 4.0": [
- "4.2.1",
- "6.2.4"
- ],
- "ASVS 4.0": [
- ]
- }
+ "tags": [
+ "dockerfile",
+ "cwe"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
+ ],
+ "OWASP": [
+
+ ],
+ "OWASP Mobile": [
+
+ ],
+ "MASVS": [
+
+ ],
+ "OWASP Top 10 2021": [
+
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ }
 }
-
\ No newline at end of file
diff --git a/rules/S5332/docker/rule.adoc b/rules/S5332/docker/rule.adoc
index 12a70aa0298..c53149edfd6 100644
--- a/rules/S5332/docker/rule.adoc
+++ b/rules/S5332/docker/rule.adoc
@@ -34,12 +34,15 @@ RUN curl http://www.example.com/
 RUN curl https://www.example.com/
 ----
+
 == See
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
-* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-iac.adoc[]
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/go/rule.adoc b/rules/S5332/go/rule.adoc
index 06c1702040c..c3e69d0d25f 100644
--- a/rules/S5332/go/rule.adoc
+++ b/rules/S5332/go/rule.adoc
@@ -54,6 +54,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/java/rule.adoc b/rules/S5332/java/rule.adoc
index 6ddd1d2fcfe..70e14c40c01 100644
--- a/rules/S5332/java/rule.adoc
+++ b/rules/S5332/java/rule.adoc
@@ -85,6 +85,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/javascript/rule.adoc b/rules/S5332/javascript/rule.adoc
index cb44dd7e9ac..9c73957b8cd 100644
--- a/rules/S5332/javascript/rule.adoc
+++ b/rules/S5332/javascript/rule.adoc
@@ -471,6 +471,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/kotlin/rule.adoc b/rules/S5332/kotlin/rule.adoc
index ce0d68895d5..b799c268041 100644
--- a/rules/S5332/kotlin/rule.adoc
+++ b/rules/S5332/kotlin/rule.adoc
@@ -85,6 +85,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/kubernetes/metadata.json b/rules/S5332/kubernetes/metadata.json
index 6908a72ec74..2d5d0465240 100644
--- a/rules/S5332/kubernetes/metadata.json
+++ b/rules/S5332/kubernetes/metadata.json
@@ -1,29 +1,45 @@
 {
- "tags": [
- "cwe"
- ],
- "securityStandards": {
- "CWE": [
- 200,
- 319
- ],
- "OWASP": [
- ],
- "OWASP Mobile": [
- ],
- "MASVS": [
- ],
- "OWASP Top 10 2021": [
- ],
- "PCI DSS 3.2": [
- "4.1",
- "6.5.4"
- ],
- "PCI DSS 4.0": [
- "4.2.1",
- "6.2.4"
- ],
- "ASVS 4.0": [
- ]
- }
+ "tags": [
+ "cwe"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
+ ],
+ "OWASP": [
+
+ ],
+ "OWASP Mobile": [
+
+ ],
+ "MASVS": [
+
+ ],
+ "OWASP Top 10 2021": [
+
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
+ ]
+ }
 }
diff --git a/rules/S5332/kubernetes/rule.adoc b/rules/S5332/kubernetes/rule.adoc
index 91d2f1aa32b..314f8d540c4 100644
--- a/rules/S5332/kubernetes/rule.adoc
+++ b/rules/S5332/kubernetes/rule.adoc
@@ -53,12 +53,15 @@ spec:
 args: ["https://example.com/"]
 ----
+
 == See
-* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
-* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-iac.adoc[]
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/metadata.json b/rules/S5332/metadata.json
index 8713039f0ca..c72b7c8fa58 100644
--- a/rules/S5332/metadata.json
+++ b/rules/S5332/metadata.json
@@ -52,6 +52,17 @@
 "1.9.1",
 "9.1.1",
 "9.2.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5332/php/rule.adoc b/rules/S5332/php/rule.adoc
index e10f9fb7ce7..11c909e49de 100644
--- a/rules/S5332/php/rule.adoc
+++ b/rules/S5332/php/rule.adoc
@@ -47,6 +47,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/python/rule.adoc b/rules/S5332/python/rule.adoc
index 6c346b32a72..ef62497939f 100644
--- a/rules/S5332/python/rule.adoc
+++ b/rules/S5332/python/rule.adoc
@@ -636,6 +636,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/see.adoc b/rules/S5332/see.adoc
index fe90c2dc7b9..43075beb207 100644
--- a/rules/S5332/see.adoc
+++ b/rules/S5332/see.adoc
@@ -1,12 +1,7 @@
 == See
-* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
-* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure ]
-* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
-* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
-* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
-* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption
+include::common/resources/documentation.adoc[]
+
+include::common/resources/articles.adoc[]
+
+include::common/resources/standards.adoc[]
diff --git a/rules/S5332/terraform/metadata.json b/rules/S5332/terraform/metadata.json
index d53d8bf22df..db9a4e06e08 100644
--- a/rules/S5332/terraform/metadata.json
+++ b/rules/S5332/terraform/metadata.json
@@ -1,22 +1,26 @@
 {
- "tags": [
- "aws",
- "azure",
- "gcp",
- "cwe"
- ],
+ "tags": [
+ "aws",
+ "azure",
+ "gcp",
+ "cwe"
+ ],
 "securityStandards": {
 "CWE": [
 200,
 319
 ],
 "OWASP": [
+
 ],
 "OWASP Mobile": [
+
 ],
 "MASVS": [
+
 ],
 "OWASP Top 10 2021": [
+
 ],
 "PCI DSS 3.2": [
 "4.1",
@@ -27,6 +31,18 @@
 "6.2.4"
 ],
 "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222397",
+ "V-222534",
+ "V-222562",
+ "V-222563",
+ "V-222577",
+ "V-222596",
+ "V-222597",
+ "V-222598",
+ "V-222599"
 ]
 }
 }
diff --git a/rules/S5332/terraform/rule.adoc b/rules/S5332/terraform/rule.adoc
index 5276b6734d1..2c7063b2111 100644
--- a/rules/S5332/terraform/rule.adoc
+++ b/rules/S5332/terraform/rule.adoc
@@ -210,14 +210,15 @@ resource "google_compute_region_backend_service" "example" {
 include::../exceptions.adoc[]
+
 == See
-* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
-* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
-* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
-* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
-* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards-iac.adoc[]
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5332/vbnet/rule.adoc b/rules/S5332/vbnet/rule.adoc
index 15d5366a6cf..6926bef17cb 100644
--- a/rules/S5332/vbnet/rule.adoc
+++ b/rules/S5332/vbnet/rule.adoc
@@ -42,6 +42,7 @@ include::../exceptions.adoc[]
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5332/xml/rule.adoc b/rules/S5332/xml/rule.adoc
index ec09b844688..c828a96be9c 100644
--- a/rules/S5332/xml/rule.adoc
+++ b/rules/S5332/xml/rule.adoc
@@ -33,6 +33,7 @@ is implicitely set to ``++true++``.
 include::../see.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5334/common/resources/standards.adoc b/rules/S5334/common/resources/standards.adoc
index 19d4ffcbe69..b9c1a912cec 100644
--- a/rules/S5334/common/resources/standards.adoc
+++ b/rules/S5334/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5334/metadata.json b/rules/S5334/metadata.json
index 09ecfc45030..0ca7bc491b6 100644
--- a/rules/S5334/metadata.json
+++ b/rules/S5334/metadata.json
@@ -49,6 +49,9 @@
 "5.1.4",
 "5.2.4",
 "5.5.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5335/php/metadata.json b/rules/S5335/php/metadata.json
index 03f84d26024..dfb13627d37 100644
--- a/rules/S5335/php/metadata.json
+++ b/rules/S5335/php/metadata.json
@@ -52,6 +52,9 @@
 "12.3.6",
 "5.1.3",
 "5.3.9"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5335/php/rule.adoc b/rules/S5335/php/rule.adoc
index 60c46fb758c..877e948207d 100644
--- a/rules/S5335/php/rule.adoc
+++ b/rules/S5335/php/rule.adoc
@@ -96,6 +96,8 @@ client-side front-ends.
 == Resources
+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
@@ -103,6 +105,7 @@ client-side front-ends.
 * CWE - https://cwe.mitre.org/data/definitions/97[CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page]
 * CWE - https://cwe.mitre.org/data/definitions/98[CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')]
 * CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5344/common/resources/standards.adoc b/rules/S5344/common/resources/standards.adoc
index cd23c7d9f7b..ee360d15d97 100644
--- a/rules/S5344/common/resources/standards.adoc
+++ b/rules/S5344/common/resources/standards.adoc
@@ -5,4 +5,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/256[CWE-256 - Plaintext Storage of a Password]
 * CWE - https://cwe.mitre.org/data/definitions/916[CWE-916 - Use of Password Hash With Insufficient Computational Effort]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222542[Application Security and Development: V-222542] - The application must only store cryptographic representations of passwords.
diff --git a/rules/S5344/metadata.json b/rules/S5344/metadata.json
index dc7b98eaa2f..c51506f2a95 100644
--- a/rules/S5344/metadata.json
+++ b/rules/S5344/metadata.json
@@ -53,6 +53,9 @@
 "2.4.3",
 "2.4.4",
 "2.4.5"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222542"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5421/cfamily/metadata.json b/rules/S5421/cfamily/metadata.json
index b756f25f132..8e9e337da75 100644
--- a/rules/S5421/cfamily/metadata.json
+++ b/rules/S5421/cfamily/metadata.json
@@ -29,6 +29,11 @@
 "ruleSpecification": "RSPEC-5421",
 "sqKey": "S5421",
 "scope": "Main",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222567"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S5421/cfamily/rule.adoc b/rules/S5421/cfamily/rule.adoc
index 252336c6857..be6993aa29f 100644
--- a/rules/S5421/cfamily/rule.adoc
+++ b/rules/S5421/cfamily/rule.adoc
@@ -46,7 +46,10 @@ int main() {
 == Resources
+=== Standards
+
 * {cpp} Core Guidelines - https://github.com/isocpp/CppCoreGuidelines/blob/e49158a/CppCoreGuidelines.md#i2-avoid-non-const-global-variables[I.2: Avoid non-`const` global variables]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5443/metadata.json b/rules/S5443/metadata.json
index 33d4492cb3e..532a5ee58c9 100644
--- a/rules/S5443/metadata.json
+++ b/rules/S5443/metadata.json
@@ -40,6 +40,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5443/python/rule.adoc b/rules/S5443/python/rule.adoc
index fda36cb1b70..bdd80bd2f16 100644
--- a/rules/S5443/python/rule.adoc
+++ b/rules/S5443/python/rule.adoc
@@ -33,6 +33,8 @@ file = tempfile.TemporaryFile(dir="/tmp/my_subdirectory", mode='"w+") # Complian
 * CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
 * https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File[OWASP, Insecure Temporary File]
 * https://docs.python.org/3/library/tempfile.html[Python tempfile module]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S5443/see.adoc b/rules/S5443/see.adoc
index af5a0ffc22a..5db191a61de 100644
--- a/rules/S5443/see.adoc
+++ b/rules/S5443/see.adoc
@@ -5,4 +5,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File]
 * CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
-* https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File[OWASP, Insecure Temporary File]
\ No newline at end of file
+* https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File[OWASP, Insecure Temporary File]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
diff --git a/rules/S5445/common/resources/standards.adoc b/rules/S5445/common/resources/standards.adoc
index 037e90b8e69..36de23d3859 100644
--- a/rules/S5445/common/resources/standards.adoc
+++ b/rules/S5445/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
 * CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File]
 * CWE - https://cwe.mitre.org/data/definitions/379[CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
diff --git a/rules/S5445/metadata.json b/rules/S5445/metadata.json
index ff1315c89b7..18c11c97072 100644
--- a/rules/S5445/metadata.json
+++ b/rules/S5445/metadata.json
@@ -43,6 +43,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5486/cfamily/metadata.json b/rules/S5486/cfamily/metadata.json
index 64db0b317c5..8f2cfbbe91b 100644
--- a/rules/S5486/cfamily/metadata.json
+++ b/rules/S5486/cfamily/metadata.json
@@ -32,6 +32,9 @@
 "securityStandards": {
 "CWE": [
 764
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222567"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5486/cfamily/rule.adoc b/rules/S5486/cfamily/rule.adoc
index 04dae45dc96..c09be4ca2be 100644
--- a/rules/S5486/cfamily/rule.adoc
+++ b/rules/S5486/cfamily/rule.adoc
@@ -169,6 +169,7 @@ void locks(bool calcFib, int n) {
 * CWE - https://cwe.mitre.org/data/definitions/764[CWE-764 Multiple Locks of a Critical Resource]
 * CWE - https://cwe.mitre.org/data/definitions/362[CWE-362 Multiple Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
 === Related rules
diff --git a/rules/S5487/cfamily/metadata.json b/rules/S5487/cfamily/metadata.json
index 3cc799da76f..97a8a437ee7 100644
--- a/rules/S5487/cfamily/metadata.json
+++ b/rules/S5487/cfamily/metadata.json
@@ -28,6 +28,11 @@
 "ruleSpecification": "RSPEC-5487",
 "sqKey": "S5487",
 "scope": "All",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222567"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
diff --git a/rules/S5487/cfamily/rule.adoc b/rules/S5487/cfamily/rule.adoc
index 45b212ef801..ee44574be31 100644
--- a/rules/S5487/cfamily/rule.adoc
+++ b/rules/S5487/cfamily/rule.adoc
@@ -213,6 +213,10 @@ void use_and_destroy_initialized()
 * CppCon 2020 - https://youtu.be/A7sVFJLJM-A?si=v76jhmv3XnHExZYU[An Introduction to Multithreading in {cpp}20]
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions.
+
 === Related rules
 * S5486 enforces the proper locking and unlocking of `pthread` mutexes.
diff --git a/rules/S5496/java/rule.adoc b/rules/S5496/java/rule.adoc
index de3eb44cbd7..5bd3608afd2 100644
--- a/rules/S5496/java/rule.adoc
+++ b/rules/S5496/java/rule.adoc
@@ -17,10 +17,9 @@ include::how-to-fix-it/groovy.adoc[]
 * https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/[Exploiting SSTI in Thymeleaf]
-=== Standards
-
 include::../standards.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
@@ -32,4 +31,4 @@ ifdef::env-github,rspecator-view[]
 include::../message.adoc[]
 '''
-endif::env-github,rspecator-view[]
\ No newline at end of file
+endif::env-github,rspecator-view[]
diff --git a/rules/S5496/metadata.json b/rules/S5496/metadata.json
index 0393965dde1..fda9d998c94 100644
--- a/rules/S5496/metadata.json
+++ b/rules/S5496/metadata.json
@@ -48,6 +48,9 @@
 "ASVS 4.0": [
 "5.2.5",
 "5.2.8"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5496/python/rule.adoc b/rules/S5496/python/rule.adoc
index 3609ff01343..6c75cbd379c 100644
--- a/rules/S5496/python/rule.adoc
+++ b/rules/S5496/python/rule.adoc
@@ -59,10 +59,9 @@ of the initially intended template logic.
 * https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]
-=== Standards
-
 include::../standards.adoc[]
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S5496/standards.adoc b/rules/S5496/standards.adoc
index c9fa05d325d..861a87a7f9a 100644
--- a/rules/S5496/standards.adoc
+++ b/rules/S5496/standards.adoc
@@ -1,3 +1,7 @@
+=== Standards
+
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
-* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5527/common/resources/standards.adoc b/rules/S5527/common/resources/standards.adoc
index f94cf27d193..bb305579ce3 100644
--- a/rules/S5527/common/resources/standards.adoc
+++ b/rules/S5527/common/resources/standards.adoc
@@ -8,3 +8,5 @@
 * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements[Mobile AppSec Verification Standard - Network Communication Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
 * CWE - https://cwe.mitre.org/data/definitions/297[CWE-297 - Improper Validation of Certificate with Host Mismatch]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550[Application Security and Development: V-222550] - The application must validate certificates by constructing a certification path to an accepted trust anchor.
+
diff --git a/rules/S5527/metadata.json b/rules/S5527/metadata.json
index a6cb1e0853e..17c4566fab4 100644
--- a/rules/S5527/metadata.json
+++ b/rules/S5527/metadata.json
@@ -56,6 +56,9 @@
 "PCI DSS 4.0": [
 "4.2.1",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222550"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5547/cfamily/metadata.json b/rules/S5547/cfamily/metadata.json
index 7f87e8b9d4f..cfc09907198 100644
--- a/rules/S5547/cfamily/metadata.json
+++ b/rules/S5547/cfamily/metadata.json
@@ -39,6 +39,9 @@
 "6.2.3",
 "6.2.5",
 "8.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222396"
 ]
 }
 }
diff --git a/rules/S5547/common/resources/standards.adoc b/rules/S5547/common/resources/standards.adoc
index 938a3f6b34e..2823320464e 100644
--- a/rules/S5547/common/resources/standards.adoc
+++ b/rules/S5547/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/327[CWE-327 - Use of a Broken or Risky Cryptographic Algorithm]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222396[Application Security and Development: V-222396] - The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
+
diff --git a/rules/S5547/java/metadata.json b/rules/S5547/java/metadata.json
index 29fd7c98135..299134becc5 100644
--- a/rules/S5547/java/metadata.json
+++ b/rules/S5547/java/metadata.json
@@ -34,6 +34,9 @@
 "6.2.3",
 "6.2.5",
 "8.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222396"
 ]
 }
 }
diff --git a/rules/S5547/metadata.json b/rules/S5547/metadata.json
index 2dfbef097a4..9222c87f2aa 100644
--- a/rules/S5547/metadata.json
+++ b/rules/S5547/metadata.json
@@ -60,6 +60,9 @@
 "6.2.3",
 "6.2.5",
 "8.3.7"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222396"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S5696/common/resources/standards.adoc b/rules/S5696/common/resources/standards.adoc
index a0aa59a2802..6e42c2c04a4 100644
--- a/rules/S5696/common/resources/standards.adoc
+++ b/rules/S5696/common/resources/standards.adoc
@@ -3,3 +3,5 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S5696/metadata.json b/rules/S5696/metadata.json
index fe2a89cb0bf..7bd1b1995ce 100644
--- a/rules/S5696/metadata.json
+++ b/rules/S5696/metadata.json
@@ -1,50 +1,57 @@ { - "title": "DOM updates should not lead to cross-site scripting (XSS) attacks", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "COMPLETE" + "title": "DOM updates should not lead to cross-site scripting (XSS) attacks", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "30min" - }, - "tags": [ - "cwe" + "attribute": "COMPLETE" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe" + ], + "extra": { + "replacementRules": [ + ], - "extra": { - "replacementRules": [], - "legacyKeys": [] - }, - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-5696", - "sqKey": "S5696", - "scope": "Tests", - "securityStandards": { - "CWE": [ - 79 - ], - "OWASP": [ - "A7" - ], - "OWASP Top 10 2021": [ - "A3" - ], - "PCI DSS 3.2": [ - "6.5.7" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "5.3.3" - ] - }, - "defaultQualityProfiles": [ - "Sonar way" + "legacyKeys": [ + + ] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-5696", + "sqKey": "S5696", + "scope": "Tests", + "securityStandards": { + "CWE": [ + 79 + ], + "OWASP": [ + "A7" + ], + "OWASP Top 10 2021": [ + "A3" + ], + "PCI DSS 3.2": [ + "6.5.7" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "5.3.3" ], - "quickfix": "unknown" -} \ No newline at end of file + "STIG ASD 2023-06-08": [ + "V-222609" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S5782/cfamily/metadata.json b/rules/S5782/cfamily/metadata.json index 8c235ce644d..39ad3f4f79e 100644 --- a/rules/S5782/cfamily/metadata.json +++ b/rules/S5782/cfamily/metadata.json @@ -51,6 +51,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ 
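Review bot: The S5696/metadata.json hunk removes and re-adds every line of the file with identical text, which points to a whitespace or indentation change, and at the same time expands the empty `replacementRules` and `legacyKeys` arrays into a three-line form with a blank line inside; the one substantive change, the `"STIG ASD 2023-06-08": ["V-222609"]` entry, is buried in a whole-file reformat. The S6105/metadata.json hunk later in this commit has the same shape. The `[` / blank / `]` form is valid JSON but differs from the `[]` the file used before and from the other metadata.json hunks in this commit, which add only the three STIG lines. Re-serializing with the repository's existing formatting (`"replacementRules": [],` and `"legacyKeys": []`) would leave a small hunk like the others and keep the new mapping reviewable; the trailing newline the old file lacked is fine to keep.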
diff --git a/rules/S5782/common/resources/standards.adoc b/rules/S5782/common/resources/standards.adoc index 8c418f8af07..fe2f1d6d310 100644 --- a/rules/S5782/common/resources/standards.adoc +++ b/rules/S5782/common/resources/standards.adoc @@ -5,4 +5,5 @@ * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer] * CWE - https://cwe.mitre.org/data/definitions/131[CWE-131 - Incorrect Calculation of Buffer Size] * CWE - https://cwe.mitre.org/data/definitions/788[CWE-788 - Access of Memory Location After End of Buffer] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. diff --git a/rules/S5801/cfamily/metadata.json b/rules/S5801/cfamily/metadata.json index a6f73dc76c2..acefea6ea4b 100644 --- a/rules/S5801/cfamily/metadata.json +++ b/rules/S5801/cfamily/metadata.json @@ -50,6 +50,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5801/cfamily/rule.adoc b/rules/S5801/cfamily/rule.adoc index f9f030eec1d..2aab61b073a 100644 --- a/rules/S5801/cfamily/rule.adoc +++ b/rules/S5801/cfamily/rule.adoc 
@@ -54,6 +54,7 @@ int f(char *src) { * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5813/cfamily/metadata.json b/rules/S5813/cfamily/metadata.json index 355de6bb19c..b8bedaabf7f 100644 --- a/rules/S5813/cfamily/metadata.json +++ b/rules/S5813/cfamily/metadata.json @@ -44,6 +44,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5813/cfamily/rule.adoc b/rules/S5813/cfamily/rule.adoc index f8b4aa5a2a8..ee7aafdbca3 100644 --- a/rules/S5813/cfamily/rule.adoc +++ b/rules/S5813/cfamily/rule.adoc @@ -56,6 +56,7 @@ size_t f(char *src) { * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5814/cfamily/metadata.json b/rules/S5814/cfamily/metadata.json index 53d461beb7b..b28b1836a2e 100644 --- a/rules/S5814/cfamily/metadata.json +++ b/rules/S5814/cfamily/metadata.json 
@@ -50,6 +50,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5814/cfamily/rule.adoc b/rules/S5814/cfamily/rule.adoc index 9287864578e..0cef868260c 100644 --- a/rules/S5814/cfamily/rule.adoc +++ b/rules/S5814/cfamily/rule.adoc @@ -57,6 +57,7 @@ int f(char *src) { * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5815/cfamily/metadata.json b/rules/S5815/cfamily/metadata.json index 467d12be3f1..948d5aa2199 100644 --- a/rules/S5815/cfamily/metadata.json +++ b/rules/S5815/cfamily/metadata.json @@ -50,6 +50,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5815/cfamily/rule.adoc b/rules/S5815/cfamily/rule.adoc index 11e48999337..3b7f7d54eab 100644 --- a/rules/S5815/cfamily/rule.adoc +++ b/rules/S5815/cfamily/rule.adoc 
@@ -55,6 +55,7 @@ int f(char *src) { * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5816/cfamily/metadata.json b/rules/S5816/cfamily/metadata.json index 81c72e6e62b..7e573706418 100644 --- a/rules/S5816/cfamily/metadata.json +++ b/rules/S5816/cfamily/metadata.json @@ -50,6 +50,9 @@ "ASVS 4.0": [ "14.1.2", "5.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5816/cfamily/rule.adoc b/rules/S5816/cfamily/rule.adoc index 5ad6aef9670..4cc2d8a0759 100644 --- a/rules/S5816/cfamily/rule.adoc +++ b/rules/S5816/cfamily/rule.adoc @@ -67,6 +67,7 @@ int f(char *src) { * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/120[CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')] * https://wiki.sei.cmu.edu/confluence/x/HdcxBQ[CERT, STR07-C.] - Use the bounds-checking interfaces for string manipulation +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] 
diff --git a/rules/S5824/cfamily/metadata.json b/rules/S5824/cfamily/metadata.json index b71d214ecf5..736ab637d12 100644 --- a/rules/S5824/cfamily/metadata.json +++ b/rules/S5824/cfamily/metadata.json @@ -49,6 +49,10 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222567", + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5824/cfamily/rule.adoc b/rules/S5824/cfamily/rule.adoc index 733ba2c30b8..53d6a84b6bd 100644 --- a/rules/S5824/cfamily/rule.adoc +++ b/rules/S5824/cfamily/rule.adoc @@ -58,7 +58,8 @@ int f(char *tempData) { * CWE - https://cwe.mitre.org/data/definitions/377[CWE-377 - Insecure Temporary File] * https://wiki.sei.cmu.edu/confluence/display/c/CON33-C.+Avoid+race+conditions+when+using+library+functions[CERT, CON33-C.] - Avoid race conditions when using library functions * https://wiki.sei.cmu.edu/confluence/display/c/FIO21-C.+Do+not+create+temporary+files+in+shared+directories[CERT, FIO21-C.] - Do not create temporary files in shared directories - +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S5847/cfamily/metadata.json b/rules/S5847/cfamily/metadata.json index 6258dcc4116..2499ae82a14 100644 --- a/rules/S5847/cfamily/metadata.json +++ b/rules/S5847/cfamily/metadata.json @@ -24,6 +24,9 @@ ], "ASVS 4.0": [ "11.1.6" + ], + "STIG ASD 2023-06-08": [ + "V-222567" ] } } diff --git a/rules/S5847/cfamily/rule.adoc b/rules/S5847/cfamily/rule.adoc index 3d0f990e632..03f82b42687 100644 --- a/rules/S5847/cfamily/rule.adoc +++ b/rules/S5847/cfamily/rule.adoc 
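Review bot: S5824/cfamily/metadata.json maps the rule to both `V-222567` and `V-222612`, but the rule.adoc hunk in the same section documents the rule through CWE-377 (Insecure Temporary File), CERT CON33-C and CERT FIO21-C, all race-condition and temporary-file references; nothing visible supports the overflow-attacks requirement V-222612. Unless the rule also flags a buffer-overflow case outside this hunk, the `"V-222612"` entry and the matching STIG bullet in rule.adoc may have been carried over from the neighbouring buffer-handling rules and should be dropped, leaving `"STIG ASD 2023-06-08": [ "V-222567" ]`. If the mapping is intentional, a one-line rationale in the commit description would spare the next reader the same question.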
@@ -64,6 +64,8 @@ check for its existence beforehand. * OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control] * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] * CWE - https://cwe.mitre.org/data/definitions/367[CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222567[Application Security and Development: V-222567] - The application must not be vulnerable to race conditions. + ifdef::env-github,rspecator-view[] diff --git a/rules/S5847/metadata.json b/rules/S5847/metadata.json index ee58b6dc207..59ec93d61cb 100644 --- a/rules/S5847/metadata.json +++ b/rules/S5847/metadata.json @@ -45,6 +45,9 @@ ], "ASVS 4.0": [ "11.1.6" + ], + "STIG ASD 2023-06-08": [ + "V-222567" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5876/common/resources/standards.adoc b/rules/S5876/common/resources/standards.adoc index 4160d48988a..c7309aaacc4 100644 --- a/rules/S5876/common/resources/standards.adoc +++ b/rules/S5876/common/resources/standards.adoc @@ -4,3 +4,6 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication] * https://owasp.org/www-community/attacks/Session_fixation[OWASP Sesssion Fixation] * CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222579[Application Security and Development: V-222579] - Applications must use system-generated session identifiers that protect against session fixation. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs. + 
diff --git a/rules/S5876/metadata.json b/rules/S5876/metadata.json index c97cbd85d8c..81f081fd57f 100644 --- a/rules/S5876/metadata.json +++ b/rules/S5876/metadata.json @@ -45,6 +45,10 @@ ], "ASVS 4.0": [ "3.2.1" + ], + "STIG ASD 2023-06-08": [ + "V-222579", + "V-222582" ] }, "defaultQualityProfiles": [ diff --git a/rules/S5883/common/resources/standards.adoc b/rules/S5883/common/resources/standards.adoc index cc226e06ac8..187f8e7ab49 100644 --- a/rules/S5883/common/resources/standards.adoc +++ b/rules/S5883/common/resources/standards.adoc @@ -4,4 +4,5 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. diff --git a/rules/S5883/metadata.json b/rules/S5883/metadata.json index 643c76019b9..b2bda79d6cb 100644 --- a/rules/S5883/metadata.json +++ b/rules/S5883/metadata.json @@ -47,6 +47,9 @@ "ASVS 4.0": [ "5.1.3", "5.1.4" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6069/cfamily/metadata.json b/rules/S6069/cfamily/metadata.json index 7575d756e1f..571280ccbbe 100644 --- a/rules/S6069/cfamily/metadata.json +++ b/rules/S6069/cfamily/metadata.json @@ -47,6 +47,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6069/cfamily/rule.adoc b/rules/S6069/cfamily/rule.adoc index f1c1734549d..d0bb7061d07 100644 --- a/rules/S6069/cfamily/rule.adoc +++ b/rules/S6069/cfamily/rule.adoc 
@@ -53,6 +53,7 @@ sprintf(buf, "%s", message);{code} * OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities] * CWE - https://cwe.mitre.org/data/definitions/676[CWE-676 - Use of Potentially Dangerous Function] * CWE - https://cwe.mitre.org/data/definitions/119[CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. ifdef::env-github,rspecator-view[] diff --git a/rules/S6096/common/resources/standards.adoc b/rules/S6096/common/resources/standards.adoc index 2ae72b4f8d2..97a216c1077 100644 --- a/rules/S6096/common/resources/standards.adoc +++ b/rules/S6096/common/resources/standards.adoc @@ -6,3 +6,5 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S6096/metadata.json b/rules/S6096/metadata.json index 31c45688d11..7708d22a39d 100644 --- a/rules/S6096/metadata.json +++ b/rules/S6096/metadata.json @@ -51,6 +51,9 @@ "12.3.4", "5.1.3", "5.1.4" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6105/common/resources/standards.adoc b/rules/S6105/common/resources/standards.adoc index 0e28ee0f961..4f27cf9e317 100644 
--- a/rules/S6105/common/resources/standards.adoc
+++ b/rules/S6105/common/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/601[CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6105/metadata.json b/rules/S6105/metadata.json
index 6b3d12be7c0..ed5956e8ce3 100644
--- a/rules/S6105/metadata.json
+++ b/rules/S6105/metadata.json
@@ -1,53 +1,60 @@ { - "title": "DOM updates should not lead to open redirect vulnerabilities", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "COMPLETE" + "title": "DOM updates should not lead to open redirect vulnerabilities", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "30min" - }, - "tags": [ - "cwe" + "attribute": "COMPLETE" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe" + ], + "extra": { + "replacementRules": [ + ], - "extra": { - "replacementRules": [], - "legacyKeys": [] - }, - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-6105", - "sqKey": "S6105", - "scope": "Main", - "securityStandards": { - "CWE": [ - 20, - 601 - ], - "OWASP": [ - "A5" - ], - "OWASP Top 10 2021": [ - "A1" - ], - "PCI DSS 3.2": [ - "6.5.8" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "5.1.3", - "5.1.4", - "5.1.5" - ] - }, - "defaultQualityProfiles": [ - "Sonar way" + "legacyKeys": [ + + ] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-6105", + "sqKey": "S6105", + "scope": "Main", + "securityStandards": { + "CWE": [ + 20, + 601 + ], + "OWASP": [ + "A5" + ], + "OWASP Top 10 2021": [ + "A1" + ], + "PCI DSS 3.2": [ + "6.5.8" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "5.1.3", + "5.1.4", + "5.1.5" ], - "quickfix": "unknown" -} \ No newline at end of file + "STIG ASD 2023-06-08": [ + "V-222609" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S6173/common/resources/standards.adoc b/rules/S6173/common/resources/standards.adoc index cdaedc45fb5..20895759781 100644 --- a/rules/S6173/common/resources/standards.adoc +++ b/rules/S6173/common/resources/standards.adoc 
@@ -3,3 +3,5 @@ * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection] * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * CWE - https://cwe.mitre.org/data/definitions/470[CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S6173/metadata.json b/rules/S6173/metadata.json index 1d1e40ebe73..dc6a2ea0d08 100644 --- a/rules/S6173/metadata.json +++ b/rules/S6173/metadata.json @@ -42,6 +42,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6179/cfamily/metadata.json b/rules/S6179/cfamily/metadata.json index 538bfa56659..521cc57a654 100644 --- a/rules/S6179/cfamily/metadata.json +++ b/rules/S6179/cfamily/metadata.json @@ -29,6 +29,11 @@ "ruleSpecification": "RSPEC-6179", "sqKey": "S6179", "scope": "All", + "securityStandards": { + "STIG ASD 2023-06-08": [ + "V-222612" + ] + }, "defaultQualityProfiles": [ "Sonar way" ], diff --git a/rules/S6179/cfamily/rule.adoc b/rules/S6179/cfamily/rule.adoc index f6ff5b32ac2..f4cee388fac 100644 --- a/rules/S6179/cfamily/rule.adoc +++ b/rules/S6179/cfamily/rule.adoc 
@@ -33,9 +33,16 @@ auto third = std::lerp(a, b, 0.3f); == Resources +=== Documentation + * {cpp} reference - https://en.cppreference.com/w/cpp/numeric/midpoint[std::midpoint] * {cpp} reference - https://en.cppreference.com/w/cpp/numeric/lerp[std::lerp] +=== Standards + +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. + + ifdef::env-github,rspecator-view[] ''' diff --git a/rules/S6183/cfamily/metadata.json b/rules/S6183/cfamily/metadata.json index bb2b08f286b..d5256e546a7 100644 --- a/rules/S6183/cfamily/metadata.json +++ b/rules/S6183/cfamily/metadata.json @@ -37,6 +37,9 @@ ], "CWE": [ 195 + ], + "STIG ASD 2023-06-08": [ + "V-222612" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6183/cfamily/rule.adoc b/rules/S6183/cfamily/rule.adoc index 1f341b2b3a0..75d132bacd1 100644 --- a/rules/S6183/cfamily/rule.adoc +++ b/rules/S6183/cfamily/rule.adoc @@ -176,6 +176,7 @@ void foo() { * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules[INT02-C. Understand integer conversion rules] * CERT - https://wiki.sei.cmu.edu/confluence/display/c/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data[INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data] * CWE - https://cwe.mitre.org/data/definitions/195[CWE-195 Signed to Unsigned Conversion Error] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222612[Application Security and Development: V-222612] - The application must not be vulnerable to overflow attacks. === Related rules diff --git a/rules/S6270/metadata.json b/rules/S6270/metadata.json index fdae780b9fd..1f1d6f93ce2 100644 --- a/rules/S6270/metadata.json +++ b/rules/S6270/metadata.json 
@@ -38,6 +38,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222620" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6270/see.adoc b/rules/S6270/see.adoc index 0d9741b7da4..d2aed85fbfd 100644 --- a/rules/S6270/see.adoc +++ b/rules/S6270/see.adoc @@ -3,3 +3,5 @@ * https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege[AWS Documentation] - Grant least privilege * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource] * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers. + diff --git a/rules/S6281/metadata.json b/rules/S6281/metadata.json index b369a8e553b..4ed18e2f869 100644 --- a/rules/S6281/metadata.json +++ b/rules/S6281/metadata.json @@ -37,6 +37,9 @@ ], "PCI DSS 4.0": [ "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222620" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6281/see.adoc b/rules/S6281/see.adoc index e1ffb8f5cf0..e4e36b22c4e 100644 --- a/rules/S6281/see.adoc +++ b/rules/S6281/see.adoc @@ -2,3 +2,5 @@ * https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html[AWS Documentation] - Blocking public access to your Amazon S3 storage * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers. + 
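Review bot: S6270/metadata.json and S6281/metadata.json map an IAM-policy rule and an S3-public-access rule to `V-222620`, whose title as quoted in the adjacent see.adoc hunks is "Application web servers must be on a separate network segment from the application and database servers", a network-segmentation requirement. The references those see.adoc files carry are CWE-732 and CWE-284 (permission assignment and access control), neither of which concerns network placement, so the mapping looks weaker than the rest of the commit; for S6329 (VPC peering, CWE-668) in a later hunk the same requirement is a closer fit. Confirm that V-222620 is the intended STIG requirement for the two access-control rules, or remove the `"STIG ASD 2023-06-08"` entry from them until a requirement that matches their CWE references is chosen.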
diff --git a/rules/S6287/common/resources/standards.adoc b/rules/S6287/common/resources/standards.adoc index a819004c9b5..c64ed9e868a 100644 --- a/rules/S6287/common/resources/standards.adoc +++ b/rules/S6287/common/resources/standards.adoc @@ -4,3 +4,6 @@ * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection] * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation] * CWE - https://cwe.mitre.org/data/definitions/384[CWE-384 - Session Fixation] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222582[Application Security and Development: V-222582] - The application must not re-use or recycle session IDs. +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities. + diff --git a/rules/S6287/metadata.json b/rules/S6287/metadata.json index b07a270100f..a8c9441c4c2 100644 --- a/rules/S6287/metadata.json +++ b/rules/S6287/metadata.json @@ -47,6 +47,10 @@ "ASVS 4.0": [ "5.1.3", "5.1.4" + ], + "STIG ASD 2023-06-08": [ + "V-222582", + "V-222609" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6290/secrets/metadata.json b/rules/S6290/secrets/metadata.json index 178bb00f0f8..2f20b266ae1 100644 --- a/rules/S6290/secrets/metadata.json +++ b/rules/S6290/secrets/metadata.json @@ -52,6 +52,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6292/secrets/metadata.json b/rules/S6292/secrets/metadata.json index 8039ca052d4..824adf58a87 100644 --- a/rules/S6292/secrets/metadata.json +++ b/rules/S6292/secrets/metadata.json @@ -52,6 +52,9 @@ "2.10.4", "3.5.2", "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" ] }, "defaultQualityProfiles": [ 
diff --git a/rules/S6303/metadata.json b/rules/S6303/metadata.json index 33404758f11..f3908938a5e 100644 --- a/rules/S6303/metadata.json +++ b/rules/S6303/metadata.json @@ -39,6 +39,9 @@ "PCI DSS 4.0": [ "2.2", "6.2.4" + ], + "STIG ASD 2023-06-08": [ + "V-222588" ] }, "defaultQualityProfiles": [ diff --git a/rules/S6303/see.adoc b/rules/S6303/see.adoc index 1256a7452c2..035465c64fa 100644 --- a/rules/S6303/see.adoc +++ b/rules/S6303/see.adoc @@ -2,3 +2,5 @@ * https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html[AWS Documentation] - Encrypting Amazon RDS resources * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest. + diff --git a/rules/S6308/elasticsearch_see.adoc b/rules/S6308/elasticsearch_see.adoc index 7734481e721..f66398deadc 100644 --- a/rules/S6308/elasticsearch_see.adoc +++ b/rules/S6308/elasticsearch_see.adoc @@ -2,3 +2,5 @@ * https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html[AWS Documentation] - Encryption of data at rest for Amazon Elasticsearch Service * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data] +* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest. + diff --git a/rules/S6308/metadata.json b/rules/S6308/metadata.json index 6a31d27fae8..434c43a44a9 100644 --- a/rules/S6308/metadata.json +++ b/rules/S6308/metadata.json 
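Review bot: S6303/metadata.json maps an encryption-at-rest rule to `V-222588`, which the see.adoc hunk quotes as "implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest", an integrity requirement, while the rule's own reference is CWE-311 (Missing Encryption of Sensitive Data), a confidentiality weakness. The same pairing is repeated for S6308, S6319 and S6327 in the following hunks. If the STIG has a separate requirement on the confidentiality of information at rest, that is the one these rules should cite; if V-222588 is deliberate, a short rationale in the commit description would help reviewers checking the mapping.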
@@ -39,6 +39,9 @@
 "PCI DSS 4.0": [
 "2.2",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222588"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6308/opensearch_see.adoc b/rules/S6308/opensearch_see.adoc
index 1dc1403dfa1..062b89830ea 100644
--- a/rules/S6308/opensearch_see.adoc
+++ b/rules/S6308/opensearch_see.adoc
@@ -2,3 +2,5 @@
 * https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html[AWS Documentation] - Encryption of data at rest for Amazon OpenSearch Service
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.
+
diff --git a/rules/S6319/metadata.json b/rules/S6319/metadata.json
index 9bbe2be4054..d10be0ebc47 100644
--- a/rules/S6319/metadata.json
+++ b/rules/S6319/metadata.json
@@ -39,6 +39,9 @@
 "PCI DSS 4.0": [
 "2.2",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222588"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6319/see.adoc b/rules/S6319/see.adoc
index dcf8b809146..0d37d1c494c 100644
--- a/rules/S6319/see.adoc
+++ b/rules/S6319/see.adoc
@@ -2,3 +2,4 @@
 * https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html[Protect Data at Rest Using Encryption]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.
diff --git a/rules/S6327/metadata.json b/rules/S6327/metadata.json
index 7fadad9bb57..a9e3bd44f18 100644
--- a/rules/S6327/metadata.json
+++ b/rules/S6327/metadata.json
@@ -41,6 +41,9 @@
 "2.2",
 "4.2.1",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222588"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6327/see.adoc b/rules/S6327/see.adoc
index f0838c4c71a..d43a57148f0 100644
--- a/rules/S6327/see.adoc
+++ b/rules/S6327/see.adoc
@@ -3,3 +3,4 @@
 * https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html[AWS Documentation] - Encryption at rest
 * https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/[Encrypting messages published to Amazon SNS with AWS KMS]
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.
diff --git a/rules/S6329/metadata.json b/rules/S6329/metadata.json
index 3aa2e9e7891..a265bd5ad21 100644
--- a/rules/S6329/metadata.json
+++ b/rules/S6329/metadata.json
@@ -38,6 +38,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222620"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6329/see.adoc b/rules/S6329/see.adoc
index 37db6d8d8db..a96400fb9eb 100644
--- a/rules/S6329/see.adoc
+++ b/rules/S6329/see.adoc
@@ -5,3 +5,4 @@
 * https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html[AWS Documentation] - VPC Peering
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers.
diff --git a/rules/S6330/metadata.json b/rules/S6330/metadata.json
index 3010a0458e1..cea2e88d0fb 100644
--- a/rules/S6330/metadata.json
+++ b/rules/S6330/metadata.json
@@ -39,6 +39,9 @@
 "PCI DSS 4.0": [
 "2.2",
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222588"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6330/see.adoc b/rules/S6330/see.adoc
index deaeec859bc..f9f1b360441 100644
--- a/rules/S6330/see.adoc
+++ b/rules/S6330/see.adoc
@@ -2,3 +2,4 @@
 * https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html[AWS Documentation] - Encryption at rest
 * CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222588[Application Security and Development: V-222588] - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.
diff --git a/rules/S6333/metadata.json b/rules/S6333/metadata.json
index 79491b684f4..32a6de07287 100644
--- a/rules/S6333/metadata.json
+++ b/rules/S6333/metadata.json
@@ -37,6 +37,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222620"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6333/see.adoc b/rules/S6333/see.adoc
index 3378ed41560..9ebc9b06bf3 100644
--- a/rules/S6333/see.adoc
+++ b/rules/S6333/see.adoc
@@ -2,3 +2,4 @@
 * https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html[AWS Documentation] - Controlling and managing access to a REST API in API Gateway
 * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers.
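Review bot: V-222620 is a network-segmentation requirement (web servers on a separate segment from application and database servers), while the S6333 reference list the new line joins is about controlling access to an API Gateway REST API under CWE-284, so the mapping reads as a mismatch. If the rule's finding is a missing authorizer rather than where the gateway sits on the network, a STIG requirement about access enforcement would fit better, or the rule description should state why segmentation is the intended control. The same V-222620 mapping is applied to S6329 in the hunk above, where the VPC-peering and CWE-668 wrong-sphere context is a closer fit. I cannot see the rule text from here, so please confirm against the rule description before merging.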
diff --git a/rules/S6334/secrets/metadata.json b/rules/S6334/secrets/metadata.json
index 158b1dfa56c..f9af772d7b9 100644
--- a/rules/S6334/secrets/metadata.json
+++ b/rules/S6334/secrets/metadata.json
@@ -44,6 +44,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6335/secrets/metadata.json b/rules/S6335/secrets/metadata.json
index f46c6ad252b..d94a22f1d7a 100644
--- a/rules/S6335/secrets/metadata.json
+++ b/rules/S6335/secrets/metadata.json
@@ -44,6 +44,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6336/secrets/metadata.json b/rules/S6336/secrets/metadata.json
index 198028bd790..39968f3163d 100644
--- a/rules/S6336/secrets/metadata.json
+++ b/rules/S6336/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6337/secrets/metadata.json b/rules/S6337/secrets/metadata.json
index 3758e338d29..46883548f87 100644
--- a/rules/S6337/secrets/metadata.json
+++ b/rules/S6337/secrets/metadata.json
@@ -44,6 +44,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6338/secrets/metadata.json b/rules/S6338/secrets/metadata.json
index 7f036648c48..7fc4f670114 100644
--- a/rules/S6338/secrets/metadata.json
+++ b/rules/S6338/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6350/metadata.json b/rules/S6350/metadata.json
index a03f79e7fda..d6104d198f1 100644
--- a/rules/S6350/metadata.json
+++ b/rules/S6350/metadata.json
@@ -30,6 +30,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "extra": {
diff --git a/rules/S6350/see.adoc b/rules/S6350/see.adoc
index 00a3434a09e..aa9dcc2e3f3 100644
--- a/rules/S6350/see.adoc
+++ b/rules/S6350/see.adoc
@@ -4,3 +4,4 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/88[CWE-88 - Argument Injection or Modification]
 * https://blog.sonarsource.com/php-supply-chain-attack-on-composer[CVE-2021-29472] - PHP Supply Chain Attack on Composer
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6373/java/rule.adoc b/rules/S6373/java/rule.adoc
index 02c9d0c9f09..a7bf04128f2 100644
--- a/rules/S6373/java/rule.adoc
+++ b/rules/S6373/java/rule.adoc
@@ -75,6 +75,7 @@ property to `false`.
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 - Category A5 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/611[CWE-611 - Improper Restriction of XML External Entity Reference]
 * CWE - https://cwe.mitre.org/data/definitions/827[CWE-827 - Improper Control of Document Type Definition]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6373/metadata.json b/rules/S6373/metadata.json
index e9671a4f1fe..af13ed42db2 100644
--- a/rules/S6373/metadata.json
+++ b/rules/S6373/metadata.json
@@ -46,6 +46,9 @@
 ],
 "ASVS 4.0": [
 "5.5.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6376/java/rule.adoc b/rules/S6376/java/rule.adoc
index 6ace43e6738..d596252e367 100644
--- a/rules/S6376/java/rule.adoc
+++ b/rules/S6376/java/rule.adoc
@@ -40,6 +40,10 @@ include::how-to-fix-it/jdom2.adoc[]
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
 * CWE - https://cwe.mitre.org/data/definitions/776[CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222593[Application Security and Development: V-222593] - XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6376/metadata.json b/rules/S6376/metadata.json
index caac9fed78e..d7f8b4903ac 100644
--- a/rules/S6376/metadata.json
+++ b/rules/S6376/metadata.json
@@ -13,6 +13,7 @@
 "constantCost": "15min"
 },
 "tags": [
+
 ],
 "extra": {
 "replacementRules": [
@@ -35,6 +36,11 @@
 ],
 "OWASP Top 10 2021": [
 "A5"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222593",
+ "V-222608",
+ "V-222667"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6377/common/resources/standards.adoc b/rules/S6377/common/resources/standards.adoc
index 5bd590f1e06..65e0a7babde 100644
--- a/rules/S6377/common/resources/standards.adoc
+++ b/rules/S6377/common/resources/standards.adoc
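Review bot: The first S6376/metadata.json hunk inserts a blank line inside the empty `"tags": [` array, which is whitespace noise unrelated to the STIG mapping and will churn again the next time a formatter touches the file; drop it so `[` and `],` stay adjacent. The STIG IDs in the second hunk are sorted (`V-222593`, `V-222608`, `V-222667`) while the rule.adoc hunk above lists them as 593, 667, 608; keeping one order in both files makes the metadata-to-documentation cross-check mechanical. The rule.adoc hunk also adds a trailing blank line before `ifdef::env-github,rspecator-view[]`, which most of the other adoc hunks in this change do not.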
@@ -3,3 +3,4 @@
 * OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10:2021 A02:2021 - Cryptographic Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/347[CWE-347 - Improper Verification of Cryptographic Signature]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
diff --git a/rules/S6377/metadata.json b/rules/S6377/metadata.json
index 47f76c253ac..5c6103d1408 100644
--- a/rules/S6377/metadata.json
+++ b/rules/S6377/metadata.json
@@ -35,6 +35,9 @@
 ],
 "OWASP Top 10 2021": [
 "A2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6384/common/resources/standards.adoc b/rules/S6384/common/resources/standards.adoc
index 1089a1dcfc4..98742adc318 100644
--- a/rules/S6384/common/resources/standards.adoc
+++ b/rules/S6384/common/resources/standards.adoc
@@ -2,4 +2,5 @@
 * OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
-* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6384/metadata.json b/rules/S6384/metadata.json
index 92f9a480148..90cb487c18a 100644
--- a/rules/S6384/metadata.json
+++ b/rules/S6384/metadata.json
@@ -40,6 +40,9 @@
 "ASVS 4.0": [
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6390/common/resources/standards.adoc b/rules/S6390/common/resources/standards.adoc
index 355aa7a6c9e..45b75363f88 100644
--- a/rules/S6390/common/resources/standards.adoc
+++ b/rules/S6390/common/resources/standards.adoc
@@ -3,3 +3,5 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6390/metadata.json b/rules/S6390/metadata.json
index d988a515529..ad0308a7643 100644
--- a/rules/S6390/metadata.json
+++ b/rules/S6390/metadata.json
@@ -37,6 +37,10 @@
 "12.1.1",
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609",
+ "V-222667"
 ]
 },
 "defaultSeverity": "Critical",
diff --git a/rules/S6398/common/resources/standards.adoc b/rules/S6398/common/resources/standards.adoc
index 17c9ee19d57..7c797513009 100644
--- a/rules/S6398/common/resources/standards.adoc
+++ b/rules/S6398/common/resources/standards.adoc
@@ -3,4 +3,5 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/76[CWE-76 - Improper Neutralization of Equivalent Special Elements]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/76[CWE-76 - Improper Neutralization of Equivalent Special Elements]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6398/java/metadata.json b/rules/S6398/java/metadata.json
index fda4c996d41..233dd54a427 100644
--- a/rules/S6398/java/metadata.json
+++ b/rules/S6398/java/metadata.json
@@ -35,6 +35,9 @@
 "ASVS 4.0": [
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultSeverity": "Major",
diff --git a/rules/S6399/common/resources/standards.adoc b/rules/S6399/common/resources/standards.adoc
index e3be73f57c4..2fe8e557466 100644
--- a/rules/S6399/common/resources/standards.adoc
+++ b/rules/S6399/common/resources/standards.adoc
@@ -3,4 +3,6 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/91[CWE-91 - XML Injection (aka Blind XPath Injection)]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6399/metadata.json b/rules/S6399/metadata.json
index 178860d97c8..321beeaebdb 100644
--- a/rules/S6399/metadata.json
+++ b/rules/S6399/metadata.json
@@ -36,6 +36,10 @@
 "5.1.3",
 "5.1.4",
 "5.3.10"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222608",
+ "V-222609"
 ]
 },
 "defaultSeverity": "Major",
@@ -51,4 +55,4 @@
 ],
 "quickfix": "unknown"
 }
-
\ No newline at end of file
+
diff --git a/rules/S6404/terraform/metadata.json b/rules/S6404/terraform/metadata.json
index 89ead763b6a..4f9e34b22e1 100644
--- a/rules/S6404/terraform/metadata.json
+++ b/rules/S6404/terraform/metadata.json
@@ -37,6 +37,9 @@
 ],
 "PCI DSS 4.0": [
 "6.2.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222620"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6404/terraform/rule.adoc b/rules/S6404/terraform/rule.adoc
index 21a0afc47d3..a6be4946a5c 100644
--- a/rules/S6404/terraform/rule.adoc
+++ b/rules/S6404/terraform/rule.adoc
@@ -120,6 +120,7 @@ resource "google_container_cluster" "example" {
 == See
 * CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222620[Application Security and Development: V-222620] - Application web servers must be on a separate network segment from the application and database servers.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6423/csharp/metadata.json b/rules/S6423/csharp/metadata.json
index 826abee5597..0e3539321c7 100644
--- a/rules/S6423/csharp/metadata.json
+++ b/rules/S6423/csharp/metadata.json
@@ -20,6 +20,11 @@
 "ruleSpecification": "RSPEC-6423",
 "sqKey": "S6423",
 "scope": "Main",
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222610"
+ ]
+ },
 "defaultQualityProfiles": [ ],
 "quickfix": "unknown"
 }
diff --git a/rules/S6423/csharp/rule.adoc b/rules/S6423/csharp/rule.adoc
index 66960e8d3fe..b5cad79cd02 100644
--- a/rules/S6423/csharp/rule.adoc
+++ b/rules/S6423/csharp/rule.adoc
@@ -54,3 +54,5 @@ public static async Task Run(
 * https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-error-pages?tabs=csharp[Azure Functions error handling and retries]
 * https://docs.microsoft.com/en-us/azure/azure-functions/functions-monitoring[Monitor Azure Functions]
 * https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-functions-supported-features[Application Insights for Azure Functions supported features]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222610[Application Security and Development: V-222610] - The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+
diff --git a/rules/S6469/docker/rule.adoc b/rules/S6469/docker/rule.adoc
index 71cdad86c88..2f75ac40dfb 100644
--- a/rules/S6469/docker/rule.adoc
+++ b/rules/S6469/docker/rule.adoc
@@ -79,6 +79,7 @@ expose them to unintended parties.
 === Standards
 * CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6469/metadata.json b/rules/S6469/metadata.json
index 19f1a9c7f2e..c0cf01f1fa1 100644
--- a/rules/S6469/metadata.json
+++ b/rules/S6469/metadata.json
@@ -19,6 +19,9 @@
 "securityStandards": {
 "CWE": [
 732
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222430"
 ]
 },
 "defaultSeverity": "Critical",
diff --git a/rules/S6474/docker/rule.adoc b/rules/S6474/docker/rule.adoc
index 6da3a583164..479a04a8125 100644
--- a/rules/S6474/docker/rule.adoc
+++ b/rules/S6474/docker/rule.adoc
@@ -213,6 +213,9 @@ RUN make install
 * CWE - https://cwe.mitre.org/data/definitions/384[CWE-345 - Insufficient Verification of Data Authenticity]
 * https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode[Microsoft, Authenticode Digital Signatures]
 * https://www.linux.com/training-tutorials/pgp-web-trust-core-concepts-behind-trusted-communication/[Linux.com, PGP Web of Trust: Core Concepts Behind Trusted Communication]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222618[Application Security and Development: V-222618] - Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.
+
+
 ifdef::env-github,rspecator-view[]
 '''
diff --git a/rules/S6474/metadata.json b/rules/S6474/metadata.json
index 8ca3503515c..1e1e9308bd2 100644
--- a/rules/S6474/metadata.json
+++ b/rules/S6474/metadata.json
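Review bot: The context line directly above the new STIG entry in S6474/docker/rule.adoc links to `https://cwe.mitre.org/data/definitions/384` while its label reads `CWE-345 - Insufficient Verification of Data Authenticity`, so the rendered reference sends readers to CWE-384 (Session Fixation, as the S6287 hunk earlier in this diff labels it); since this hunk already edits the list, change the URL to `https://cwe.mitre.org/data/definitions/345[CWE-345 - Insufficient Verification of Data Authenticity]`. The V-222618 mapping also deserves a second look: that requirement concerns unsigned Category 1A mobile code under DoD policy, whereas the surrounding references (Authenticode, PGP web of trust, the `RUN make install` context) are about verifying signatures on downloaded software, i.e. supply-chain artifact authenticity rather than mobile code, so a short justification in the rule text would help an assessor, if no closer STIG requirement exists. Finally the hunk adds two trailing blank lines before `ifdef::env-github,rspecator-view[]`; one is enough and matches the other adoc hunks here.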
@@ -21,6 +21,9 @@
 "sqKey": "S6474",
 "scope": "Main",
 "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222618"
+ ],
 "CWE": [
 345
 ]
diff --git a/rules/S6547/common/resources/standards.adoc b/rules/S6547/common/resources/standards.adoc
index 13b319ecd2c..b9bc1c30c7c 100644
--- a/rules/S6547/common/resources/standards.adoc
+++ b/rules/S6547/common/resources/standards.adoc
@@ -3,4 +3,6 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/454[CWE-454 - External Initialization of Trusted Variables or Data Stores]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/454[CWE-454 - External Initialization of Trusted Variables or Data Stores]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6547/metadata.json b/rules/S6547/metadata.json
index 2960ffd13e7..ad27f8ca7bc 100644
--- a/rules/S6547/metadata.json
+++ b/rules/S6547/metadata.json
@@ -42,6 +42,9 @@
 "ASVS 4.0": [
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6549/common/resources/standards.adoc b/rules/S6549/common/resources/standards.adoc
index 2ae72b4f8d2..97a216c1077 100644
--- a/rules/S6549/common/resources/standards.adoc
+++ b/rules/S6549/common/resources/standards.adoc
@@ -6,3 +6,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
 * CWE - https://cwe.mitre.org/data/definitions/22[CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6549/metadata.json b/rules/S6549/metadata.json
index cbe47024baa..4d50ef21cf2 100644
--- a/rules/S6549/metadata.json
+++ b/rules/S6549/metadata.json
@@ -42,9 +42,14 @@
 "12.3.1",
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
- "defaultQualityProfiles": ["Sonar way"],
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
 "educationPrinciples": [
 "defense_in_depth",
 "never_trust_user_input"
diff --git a/rules/S6639/common/resources/standards.adoc b/rules/S6639/common/resources/standards.adoc
index b7cd3f2bfe5..367a10c0e80 100644
--- a/rules/S6639/common/resources/standards.adoc
+++ b/rules/S6639/common/resources/standards.adoc
@@ -1,3 +1,4 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/789[CWE-789 - Memory Allocation with Excessive Size Value]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222594[Application Security and Development: V-222594] - The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6639/metadata.json b/rules/S6639/metadata.json
index 146012ff05e..b3d1d896dc0 100644
--- a/rules/S6639/metadata.json
+++ b/rules/S6639/metadata.json
@@ -1,52 +1,56 @@
 {
- "title": "Memory allocations should not be vulnerable to Denial of Service attacks",
- "type": "VULNERABILITY",
- "code": {
- "impacts": {
- "SECURITY": "MEDIUM"
- },
- "attribute": "COMPLETE"
+ "title": "Memory allocations should not be vulnerable to Denial of Service attacks",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "MEDIUM"
 },
- "status": "ready",
- "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "5min"
- },
- "tags": [
- "cwe"
+ "attribute": "COMPLETE"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "cwe"
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-6639",
+ "sqKey": "S6639",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 789
+ ],
+ "OWASP": [
+ "A1"
+ ],
+ "OWASP Top 10 2021": [
+ "A3"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
 ],
- "defaultSeverity": "Major",
- "ruleSpecification": "RSPEC-6639",
- "sqKey": "S6639",
- "scope": "All",
- "securityStandards": {
- "CWE": [
- 789
- ],
- "OWASP": [
- "A1"
- ],
- "OWASP Top 10 2021": [
- "A3"
- ],
- "PCI DSS 3.2": [
- "6.5.1"
- ],
- "PCI DSS 4.0": [
- "6.2.4"
- ],
- "ASVS 4.0": [
- "5.1.3",
- "5.1.4"
- ]
- },
- "defaultQualityProfiles": [
- "Sonar way"
+ "ASVS 4.0": [
+ "5.1.3",
+ "5.1.4"
 ],
- "educationPrinciples": [
- "defense_in_depth",
- "never_trust_user_input"
- ],
- "quickfix": "unknown"
- }
-
\ No newline at end of file
+ "STIG ASD 2023-06-08": [
+ "V-222594",
+ "V-222609",
+ "V-222667"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "educationPrinciples": [
+ "defense_in_depth",
+ "never_trust_user_input"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6641/common/resources/standards.adoc b/rules/S6641/common/resources/standards.adoc
index 74feb18d299..eb761e25600 100644
--- a/rules/S6641/common/resources/standards.adoc
+++ b/rules/S6641/common/resources/standards.adoc
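Review bot: This hunk rewrites every line of S6639/metadata.json to change indentation, so the substantive change, the three-entry `"STIG ASD 2023-06-08"` array plus the removal of the whitespace-only last line that had no trailing newline, is buried among dozens of whitespace-only `-`/`+` pairs and cannot be reviewed with a plain diff. Prefer landing the re-indent as a separate formatting-only commit, or at least say so in the commit message so reviewers know to use `git diff -w` on this file. The IDs themselves (`V-222594`, `V-222609`, `V-222667`) match the three entries added to the standards.adoc hunk above, so the content looks consistent.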
@@ -1,3 +1,4 @@
 * CWE - https://cwe.mitre.org/data/definitions/15[CWE-15 - External Control of System or Configuration Setting]
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
diff --git a/rules/S6641/csharp/metadata.json b/rules/S6641/csharp/metadata.json
index ac316074c97..6933dc66902 100644
--- a/rules/S6641/csharp/metadata.json
+++ b/rules/S6641/csharp/metadata.json
@@ -13,38 +13,41 @@
 "constantCost": "5min"
 },
 "tags": [
- "cwe"
+ "cwe"
 ],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-6641",
 "sqKey": "S6641",
 "scope": "All",
 "securityStandards": {
- "CWE": [
- 15
- ],
- "OWASP": [
- "A1"
- ],
- "OWASP Top 10 2021": [
- "A3"
- ],
- "PCI DSS 3.2": [
- "6.5.1"
- ],
- "PCI DSS 4.0": [
- "6.2.4"
- ],
- "ASVS 4.0": [
- "5.1.3"
- ]
- },
+ "CWE": [
+ 15
+ ],
+ "OWASP": [
+ "A1"
+ ],
+ "OWASP Top 10 2021": [
+ "A3"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.1.3"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
+ ]
+ },
 "defaultQualityProfiles": [
- "Sonar way"
+ "Sonar way"
 ],
 "educationPrinciples": [
- "defense_in_depth",
- "never_trust_user_input"
- ],
+ "defense_in_depth",
+ "never_trust_user_input"
+ ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6652/secrets/metadata.json b/rules/S6652/secrets/metadata.json
index fc30f1339f0..1f6831fea7a 100644
--- a/rules/S6652/secrets/metadata.json
+++ b/rules/S6652/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6680/common/resources/standards.adoc b/rules/S6680/common/resources/standards.adoc
index 52c0993384a..8ce26598f8d 100644
--- a/rules/S6680/common/resources/standards.adoc
+++ b/rules/S6680/common/resources/standards.adoc
@@ -3,3 +3,5 @@
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/606[CWE-606 - Unchecked Input for Loop Condition]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6680/metadata.json b/rules/S6680/metadata.json
index 3f36c80e54f..213fe4aa072 100644
--- a/rules/S6680/metadata.json
+++ b/rules/S6680/metadata.json
@@ -23,7 +23,7 @@
 "scope": "Main",
 "securityStandards": {
 "CWE": [
- 606
+ 606
 ],
 "OWASP": [
 "A1"
@@ -32,10 +32,16 @@
 "A3"
 ],
 "PCI DSS 3.2": [
+
 ],
 "PCI DSS 4.0": [
+
 ],
 "ASVS 4.0": [
+
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6684/secrets/metadata.json b/rules/S6684/secrets/metadata.json
index 717ca5e61c6..4dbbc584d18 100644
--- a/rules/S6684/secrets/metadata.json
+++ b/rules/S6684/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6686/secrets/metadata.json b/rules/S6686/secrets/metadata.json
index 87c877ee0e8..50673ac9370 100644
--- a/rules/S6686/secrets/metadata.json
+++ b/rules/S6686/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6687/secrets/metadata.json b/rules/S6687/secrets/metadata.json
index 090f9660e96..27febc194ee 100644
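Review bot: In the second S6680 metadata hunk (`@@ -32,10 +32,16 @@`) the hunk counts imply that three of the six added lines are empty, inserted inside the pre-existing empty `"PCI DSS 3.2"`, `"PCI DSS 4.0"` and `"ASVS 4.0"` arrays, so each now reads `[`, a blank line, `]`. That is still valid JSON, but it is not output any formatter produces and it will be undone by the next reformat; the first hunk of the same file (`- 606` / `+ 606`) is likewise whitespace-only. Drop the blank lines and the indentation-only change so the hunk contains just `],`, `"STIG ASD 2023-06-08": [` and `"V-222609"`. This is inferred from the line counts, since indentation is collapsed in this view.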
--- a/rules/S6687/secrets/metadata.json
+++ b/rules/S6687/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6688/secrets/metadata.json b/rules/S6688/secrets/metadata.json
index 62056eb8542..7cb4aaf0397 100644
--- a/rules/S6688/secrets/metadata.json
+++ b/rules/S6688/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6689/secrets/metadata.json b/rules/S6689/secrets/metadata.json
index 5d6f403eba5..bf9c77589db 100644
--- a/rules/S6689/secrets/metadata.json
+++ b/rules/S6689/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6690/secrets/metadata.json b/rules/S6690/secrets/metadata.json
index fcb21712881..01d273b896e 100644
--- a/rules/S6690/secrets/metadata.json
+++ b/rules/S6690/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6691/secrets/metadata.json b/rules/S6691/secrets/metadata.json
index 4096c304b42..daf74ff8d11 100644
--- a/rules/S6691/secrets/metadata.json
+++ b/rules/S6691/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6692/secrets/metadata.json b/rules/S6692/secrets/metadata.json
index de13e235485..c7b88ba381d 100644
--- a/rules/S6692/secrets/metadata.json
+++ b/rules/S6692/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6693/secrets/metadata.json b/rules/S6693/secrets/metadata.json
index de963d701b4..55a5edc2175 100644
--- a/rules/S6693/secrets/metadata.json
+++ b/rules/S6693/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6694/secrets/metadata.json b/rules/S6694/secrets/metadata.json
index cd771bcd3c9..f56b18ecf24 100644
--- a/rules/S6694/secrets/metadata.json
+++ b/rules/S6694/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6695/secrets/metadata.json b/rules/S6695/secrets/metadata.json
index 82341418648..8185e94313b 100644
--- a/rules/S6695/secrets/metadata.json
+++ b/rules/S6695/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6696/secrets/metadata.json b/rules/S6696/secrets/metadata.json
index fbab291dd24..0d5cca93769 100644
--- a/rules/S6696/secrets/metadata.json
+++ b/rules/S6696/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6697/secrets/metadata.json b/rules/S6697/secrets/metadata.json
index af5b1728502..6dd78c31103 100644
--- a/rules/S6697/secrets/metadata.json
+++ b/rules/S6697/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6698/secrets/metadata.json b/rules/S6698/secrets/metadata.json
index c3f49779313..5d1c871c0dd 100644
--- a/rules/S6698/secrets/metadata.json
+++ b/rules/S6698/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6699/secrets/metadata.json b/rules/S6699/secrets/metadata.json
index 6830dcf0b32..33f54239a1b 100644
--- a/rules/S6699/secrets/metadata.json
+++ b/rules/S6699/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6700/secrets/metadata.json b/rules/S6700/secrets/metadata.json
index 1d28a86c97a..f90e65b2a87 100644
--- a/rules/S6700/secrets/metadata.json
+++ b/rules/S6700/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6701/secrets/metadata.json b/rules/S6701/secrets/metadata.json
index bdd168d12bf..c8baf6f25f1 100644
--- a/rules/S6701/secrets/metadata.json
+++ b/rules/S6701/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6702/secrets/metadata.json b/rules/S6702/secrets/metadata.json
index 4116f413866..3e1664aaa84 100644
--- a/rules/S6702/secrets/metadata.json
+++ b/rules/S6702/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6703/secrets/metadata.json b/rules/S6703/secrets/metadata.json
index f934fc5540f..6fb484a5d01 100644
--- a/rules/S6703/secrets/metadata.json
+++ b/rules/S6703/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6704/secrets/metadata.json b/rules/S6704/secrets/metadata.json
index 6eeca51bb1e..05ec287c598 100644
--- a/rules/S6704/secrets/metadata.json
+++ b/rules/S6704/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6705/secrets/metadata.json b/rules/S6705/secrets/metadata.json
index 5b6002c0bf7..ec81574eeaf 100644
--- a/rules/S6705/secrets/metadata.json
+++ b/rules/S6705/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6706/secrets/metadata.json b/rules/S6706/secrets/metadata.json
index 6f2e842db63..8acae4653c7 100644
--- a/rules/S6706/secrets/metadata.json
+++ b/rules/S6706/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6708/secrets/metadata.json b/rules/S6708/secrets/metadata.json
index 5fbc41171f4..58d9442f664 100644
--- a/rules/S6708/secrets/metadata.json
+++ b/rules/S6708/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6709/python/metadata.json b/rules/S6709/python/metadata.json
index dfb35a9b9ad..f7386f46030 100644
--- a/rules/S6709/python/metadata.json
+++ b/rules/S6709/python/metadata.json
@@ -14,7 +14,14 @@
 "ruleSpecification": "RSPEC-6709",
 "sqKey": "S6709",
 "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
+ "securityStandards": {
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
 "quickfix": "unknown",
 "code": {
 "impacts": {
diff --git a/rules/S6709/python/rule.adoc b/rules/S6709/python/rule.adoc
index 0be25e2920f..f21ffa27025 100644
--- a/rules/S6709/python/rule.adoc
+++ b/rules/S6709/python/rule.adoc
@@ -59,6 +59,10 @@ def foo():
 * NumPy documentation - https://numpy.org/neps/nep-0019-rng-policy.html[NEP 19 RNG Policy]
+=== Standards
+
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222642[Application Security and Development: V-222642] - The application must not contain embedded authentication data.
+
 === Related rules
 * S6711 - `numpy.random.Generator` should be preferred to `numpy.random.RandomState`
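Review bot: The S6709/python metadata hunk maps the rule to `"V-222642"`, whose text, per the line added to the same rule's `rule.adoc` just below, is "The application must not contain embedded authentication data"; the rule's own references on that page are the NumPy NEP 19 RNG policy and the related rule S6711, which concern random-number generation, not credentials. `V-222642` is the id applied to every `secrets/metadata.json` in this commit, so this looks like a copy-paste from that batch rather than a deliberate mapping — confirm which STIG finding S6709 is meant to satisfy and, if none fits, drop the `"securityStandards"` block and the new `=== Standards` section. The hunk also expands `"defaultQualityProfiles": ["Sonar way"]` onto three lines, which is unrelated formatting churn.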
diff --git a/rules/S6710/secrets/metadata.json b/rules/S6710/secrets/metadata.json
index c5387cf8851..0caa44d0385 100644
--- a/rules/S6710/secrets/metadata.json
+++ b/rules/S6710/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6713/secrets/metadata.json b/rules/S6713/secrets/metadata.json
index ea919c66086..b8037e6b443 100644
--- a/rules/S6713/secrets/metadata.json
+++ b/rules/S6713/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6717/secrets/metadata.json b/rules/S6717/secrets/metadata.json
index 1b143eab244..f9fa94863b2 100644
--- a/rules/S6717/secrets/metadata.json
+++ b/rules/S6717/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6718/secrets/metadata.json b/rules/S6718/secrets/metadata.json
index bea682afb49..9671e223abf 100644
--- a/rules/S6718/secrets/metadata.json
+++ b/rules/S6718/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6719/secrets/metadata.json b/rules/S6719/secrets/metadata.json
index fdca8b23f58..1587fa6d21c 100644
--- a/rules/S6719/secrets/metadata.json
+++ b/rules/S6719/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6720/secrets/metadata.json b/rules/S6720/secrets/metadata.json
index 957f15fc53b..637cd2ce91b 100644
--- a/rules/S6720/secrets/metadata.json
+++ b/rules/S6720/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6721/secrets/metadata.json b/rules/S6721/secrets/metadata.json
index d1a0ca3a9f3..76ed81f6a58 100644
--- a/rules/S6721/secrets/metadata.json
+++ b/rules/S6721/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6722/secrets/metadata.json b/rules/S6722/secrets/metadata.json
index 2b6c0b6050c..3e4d8c4f511 100644
--- a/rules/S6722/secrets/metadata.json
+++ b/rules/S6722/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6723/secrets/metadata.json b/rules/S6723/secrets/metadata.json
index 8d27d7bb7cf..4af44804c7e 100644
--- a/rules/S6723/secrets/metadata.json
+++ b/rules/S6723/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6731/secrets/metadata.json b/rules/S6731/secrets/metadata.json
index 71eddcda1e6..a9ed55a30d4 100644
--- a/rules/S6731/secrets/metadata.json
+++ b/rules/S6731/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6732/secrets/metadata.json b/rules/S6732/secrets/metadata.json
index 7aa425465b3..6d911096ebf 100644
--- a/rules/S6732/secrets/metadata.json
+++ b/rules/S6732/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6733/secrets/metadata.json b/rules/S6733/secrets/metadata.json
index bc340acf375..111d3db6625 100644
--- a/rules/S6733/secrets/metadata.json
+++ b/rules/S6733/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6736/secrets/metadata.json b/rules/S6736/secrets/metadata.json
index 940f6f5f216..bed1027fd53 100644
--- a/rules/S6736/secrets/metadata.json
+++ b/rules/S6736/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6739/secrets/metadata.json b/rules/S6739/secrets/metadata.json
index 2c8f47d8c28..382265bb2f6 100644
--- a/rules/S6739/secrets/metadata.json
+++ b/rules/S6739/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6751/secrets/metadata.json b/rules/S6751/secrets/metadata.json
index 709a0dfc79b..9d8aefc94ca 100644
--- a/rules/S6751/secrets/metadata.json
+++ b/rules/S6751/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6752/secrets/metadata.json b/rules/S6752/secrets/metadata.json
index b51f01910a0..a499a3a934a 100644
--- a/rules/S6752/secrets/metadata.json
+++ b/rules/S6752/secrets/metadata.json
@@ -49,11 +49,14 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
- ]
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
 }
- 
\ No newline at end of file
+ 
diff --git a/rules/S6753/secrets/metadata.json b/rules/S6753/secrets/metadata.json
index b45c5250eeb..a226103ec27 100644
--- a/rules/S6753/secrets/metadata.json
+++ b/rules/S6753/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6755/secrets/metadata.json b/rules/S6755/secrets/metadata.json
index fad0db405d2..fe9e2397aab 100644
--- a/rules/S6755/secrets/metadata.json
+++ b/rules/S6755/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6758/secrets/metadata.json b/rules/S6758/secrets/metadata.json
index dfbc734e8e2..d2458cc6fc2 100644
--- a/rules/S6758/secrets/metadata.json
+++ b/rules/S6758/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6760/secrets/metadata.json b/rules/S6760/secrets/metadata.json
index f4696aec2ed..4e5e7ac877d 100644
--- a/rules/S6760/secrets/metadata.json
+++ b/rules/S6760/secrets/metadata.json
@@ -47,6 +47,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6762/secrets/metadata.json b/rules/S6762/secrets/metadata.json
index 5cb766b5998..b2a388b7cd1 100644
--- a/rules/S6762/secrets/metadata.json
+++ b/rules/S6762/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6764/secrets/metadata.json b/rules/S6764/secrets/metadata.json
index 3c14aaa369e..3b8b38daa96 100644
--- a/rules/S6764/secrets/metadata.json
+++ b/rules/S6764/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6765/secrets/metadata.json b/rules/S6765/secrets/metadata.json
index b62bec841e1..41aa90721a7 100644
--- a/rules/S6765/secrets/metadata.json
+++ b/rules/S6765/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6768/secrets/metadata.json b/rules/S6768/secrets/metadata.json
index 6c9dbf9e195..bf1d754b988 100644
--- a/rules/S6768/secrets/metadata.json
+++ b/rules/S6768/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6769/secrets/metadata.json b/rules/S6769/secrets/metadata.json
index 59cf0e78959..1b3482dcf36 100644
--- a/rules/S6769/secrets/metadata.json
+++ b/rules/S6769/secrets/metadata.json
@@ -47,10 +47,13 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
-}
\ No newline at end of file
+}
diff --git a/rules/S6771/secrets/metadata.json b/rules/S6771/secrets/metadata.json
index 531ff3c7fb2..548e8117813 100644
--- a/rules/S6771/secrets/metadata.json
+++ b/rules/S6771/secrets/metadata.json
@@ -49,6 +49,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
@@ -56,4 +59,4 @@
 ],
 "quickfix": "unknown"
 }
- 
\ No newline at end of file
+ 
diff --git a/rules/S6773/secrets/metadata.json b/rules/S6773/secrets/metadata.json
index 0602a0324ba..92b4f4be9a3 100644
--- a/rules/S6773/secrets/metadata.json
+++ b/rules/S6773/secrets/metadata.json
@@ -49,11 +49,14 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
- ]
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
 },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
 }
- 
\ No newline at end of file
+ 
diff --git a/rules/S6776/python/metadata.json b/rules/S6776/python/metadata.json
index 65235e22938..918f9088d4e 100644
--- a/rules/S6776/python/metadata.json
+++ b/rules/S6776/python/metadata.json
@@ -32,6 +32,9 @@
 "ASVS 4.0": [
 "14.3.1",
 "14.3.2"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222610"
 ]
 },
 "defaultQualityProfiles": ["Sonar way"],
diff --git a/rules/S6776/python/rule.adoc b/rules/S6776/python/rule.adoc
index 95eeedea629..2fcf7124546 100644
--- a/rules/S6776/python/rule.adoc
+++ b/rules/S6776/python/rule.adoc
@@ -21,6 +21,8 @@ Python Documentation - https://docs.python.org/3/library/traceback.html[tracebac
 * OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/209[CWE-209 - Generation of Error Message Containing Sensitive Information]
 * CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222610[Application Security and Development: V-222610] - The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6777/secrets/metadata.json b/rules/S6777/secrets/metadata.json
index 15ec071519a..da167de56b2 100644
--- a/rules/S6777/secrets/metadata.json
+++ b/rules/S6777/secrets/metadata.json
@@ -49,11 +49,15 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
- ]
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
 }
- 
\ No newline at end of file
+ 
diff --git a/rules/S6782/secrets/metadata.json b/rules/S6782/secrets/metadata.json
index a1b71235978..c0f28cb2657 100644
--- a/rules/S6782/secrets/metadata.json
+++ b/rules/S6782/secrets/metadata.json
@@ -49,11 +49,15 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
- ]
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ],
 "quickfix": "unknown"
 }
- 
\ No newline at end of file
+ 
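Review bot: The S6777 and S6782 hunks (and the S6783 hunk on the next line) differ from every other `secrets/metadata.json` hunk in this commit: besides the new `"STIG ASD 2023-06-08"` array they add a `+ },` closing line for `"securityStandards"`, which the other files already had as context. Their hunk headers (`-49,11 +49,15` and `-49,7 +49,11` for S6783) also count one more old line than is visible here, so either the old files were missing that closing brace — in which case they were invalid JSON and this change silently repairs them — or the brace still exists as a context line and the result now has one brace too many. Either way this is a structural edit rather than a mapping addition; please confirm the three files parse and validate against `rule-metadata-schema.json` after the change, and say in the commit message if this is a repair of previously broken files.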
diff --git a/rules/S6783/secrets/metadata.json b/rules/S6783/secrets/metadata.json
index 0ef2bd86ec1..f4e203c2d91 100644
--- a/rules/S6783/secrets/metadata.json
+++ b/rules/S6783/secrets/metadata.json
@@ -49,7 +49,11 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
diff --git a/rules/S6784/secrets/metadata.json b/rules/S6784/secrets/metadata.json
index 3632573c025..acca2390e98 100644
--- a/rules/S6784/secrets/metadata.json
+++ b/rules/S6784/secrets/metadata.json
@@ -51,6 +51,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 }
 }
diff --git a/rules/S6785/python/metadata.json b/rules/S6785/python/metadata.json
index 7f8ae17ab6a..f1c590e0e48 100644
--- a/rules/S6785/python/metadata.json
+++ b/rules/S6785/python/metadata.json
@@ -27,6 +27,9 @@
 ],
 "ASVS 4.0": [
 "13.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222667"
 ]
 },
 "defaultSeverity": "Critical",
diff --git a/rules/S6785/python/rule.adoc b/rules/S6785/python/rule.adoc
index f57b8520574..99bcb7bd9f2 100644
--- a/rules/S6785/python/rule.adoc
+++ b/rules/S6785/python/rule.adoc
@@ -95,6 +95,7 @@ The easiest way to set such a limit is to use the query validation API available
 * OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/770[CWE-707 - Allocation of Resources Without Limits or Throttling]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
 ifdef::env-github,rspecator-view[]
diff --git a/rules/S6839/metadata.json b/rules/S6839/metadata.json
index d0e2192f5dd..112b2fd39fe 100644
--- a/rules/S6839/metadata.json
+++ b/rules/S6839/metadata.json
@@ -41,6 +41,9 @@
 "ASVS 4.0": [
 "5.1.3",
 "5.1.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/rules/S6839/see.adoc b/rules/S6839/see.adoc
index 22c4e31f918..80238451b7c 100644
--- a/rules/S6839/see.adoc
+++ b/rules/S6839/see.adoc
@@ -9,4 +9,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
 * OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
 * CWE - https://cwe.mitre.org/data/definitions/20[CWE-20 - Improper Input Validation]
-* CWE - https://cwe.mitre.org/data/definitions/113[CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')]
\ No newline at end of file
+* CWE - https://cwe.mitre.org/data/definitions/113[CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222609[Application Security and Development: V-222609] - The application must not be subject to input handling vulnerabilities.
+
diff --git a/rules/S6910/secrets/metadata.json b/rules/S6910/secrets/metadata.json
index db472469aad..c08743d7c3e 100644
--- a/rules/S6910/secrets/metadata.json
+++ b/rules/S6910/secrets/metadata.json
@@ -47,6 +47,9 @@
 "2.10.4",
 "3.5.2",
 "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
 ]
 },
 "defaultQualityProfiles": [
diff --git a/shared_content/secrets/resources/standards.adoc b/shared_content/secrets/resources/standards.adoc
index e6eb6888a48..4fc97bea513 100644
--- a/shared_content/secrets/resources/standards.adoc
+++ b/shared_content/secrets/resources/standards.adoc
@@ -4,3 +4,5 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
 * CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
 * CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222642[Application Security and Development: V-222642] - The application must not contain embedded authentication data.
+