SONARJAVA-6356 Update rule metadata #5609
hashicorp-vault-sonar-prod[bot] wants to merge 1 commit into master from
Summary

This PR updates rule metadata across 114 files in the sonar-java-plugin. The primary change is a bulk migration of CERT (SEI CERT Coding Standards) reference links from the deprecated CMU wiki format to the new GitHub Pages documentation, affecting resource links in HTML rule documentation across ~108 rules. Additionally, minor JSON metadata updates are made to rule tags and a timestamp refresh in sonarpedia.json reflects the Rule API version 2.20.0.5857.

What reviewers should know

What's changing:

How to review:

No logic changes — this is purely metadata and documentation link maintenance.
LGTM! ✅
Clean PR overall — the URL migrations look correct and the content rewrites are accurate. Three behavioral changes are worth calling out explicitly before merge.
S4512 promoted from SECURITY_HOTSPOT to VULNERABILITY: This is the most impactful change. Hotspots require a human to review and mark them Safe/Reviewed; vulnerabilities are automatically raised as active issues and block quality gates. Any codebase using BeanUtils.populate() or BeanWrapper.setPropertyValues() with unfiltered user input will now get a quality gate failure instead of a review prompt. The accompanying HTML rewrite and the removal of the incorrectly placed CERT MSC61-J reference (about cryptographic algorithms — unrelated to bean property injection) are both correct.
S5042 downgraded from SECURITY_HOTSPOT to CODE_SMELL and deprecated: The HTML now opens with a deprecation notice. Severity drops from Critical to Major, and the security impact is removed. Projects relying on this hotspot to surface zip-bomb risks will lose that coverage when the rule is eventually removed.
S2143 added to Sonar_way_profile.json: The rule (enforce java.time over java.util.Date/Calendar/JodaTime) is now part of the default profile. Projects on Java 8+ with legacy date code will start seeing new issues. The HTML table was also corrected — the previous version mixed JodaTime-specific classes (OffsetDate, DateTimeFields, Calendrical) with java.time classes; the new table lists actual java.time types (Instant, Year, Period, Duration, Clock).
One minor correctness improvement in the S5042 compliant example: THRESHOLD_SIZE and totalSizeArchive are changed from int to long, which is the right type for byte counts that can exceed 2 GB.
All CERT reference URLs have been consistently migrated from wiki.sei.cmu.edu/confluence (short hash URLs) to the structured cmu-sei.github.io/secure-coding-standards paths. Spot-checked rule IDs in link text against URL path slugs across multiple rules — no mismatches found.
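The S5042 point above (byte totals held in long rather than int, plus the entry-count and compression-ratio limits the rule's compliant solution relies on) is easier to judge with the guard written out. The following is an added example, not code from the sonar-java rule description or from the project; the class name, the limit values and the in-memory test archives are all constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Random;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class ZipBombGuard {
    private final int maxEntries;
    // long, not int: an int total wraps negative once it passes 2 GiB - 1, and "total > max"
    // is then false exactly when the archive has become dangerous.
    private final long maxTotalBytes;
    private final double maxRatio;

    public ZipBombGuard(int maxEntries, long maxTotalBytes, double maxRatio) {
        this.maxEntries = maxEntries;
        this.maxTotalBytes = maxTotalBytes;
        this.maxRatio = maxRatio;
    }

    /** Inflates every entry, discarding the data, and returns the total uncompressed byte count.
     *  Throws IOException as soon as a limit is crossed; the total-size limit is enforced on every
     *  read, so a bomb is stopped while it is still being expanded. */
    public long scan(InputStream archive) throws IOException {
        long totalUncompressed = 0L;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (++entries > maxEntries) {
                    throw new IOException("too many entries (limit " + maxEntries + ")");
                }
                long entryUncompressed = 0L;
                int n;
                while ((n = zis.read(buf)) > 0) {
                    entryUncompressed += n;
                    totalUncompressed += n;
                    if (totalUncompressed > maxTotalBytes) {
                        throw new IOException("archive expands past " + maxTotalBytes + " bytes");
                    }
                    checkRatio(entry, entryUncompressed);
                }
                // Entries written with a data descriptor report getCompressedSize() == -1 until the
                // entry has been fully read, so the ratio is checked once more after draining it.
                checkRatio(entry, entryUncompressed);
                zis.closeEntry();
            }
        }
        return totalUncompressed;
    }

    private void checkRatio(ZipEntry entry, long uncompressed) throws IOException {
        long compressed = entry.getCompressedSize();
        if (compressed > 0 && (double) uncompressed / compressed > maxRatio) {
            throw new IOException("entry '" + entry.getName() + "' exceeds ratio " + maxRatio);
        }
    }

    /** Builds a single-entry archive in memory (constructed test input, not a real upload). */
    static byte[] zipOf(String name, byte[] content) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry(name));
            zos.write(content);
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    static void expectRejected(ZipBombGuard guard, byte[] zip) throws IOException {
        try {
            guard.scan(new ByteArrayInputStream(zip));
            throw new IllegalStateException("archive should have been rejected");
        } catch (IOException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] random = new byte[4 * 1024 * 1024];
        new Random(7).nextBytes(random);          // incompressible payload, ratio about 1
        byte[] zeros = new byte[4 * 1024 * 1024]; // deflates to a few KiB, ratio in the hundreds
        ZipBombGuard guard = new ZipBombGuard(100, 8L * 1024 * 1024, 10.0);
        long total = guard.scan(new ByteArrayInputStream(zipOf("data.bin", random)));
        System.out.println("accepted, " + total + " bytes inflated");
        expectRejected(new ZipBombGuard(100, 2L * 1024 * 1024, 10.0), zipOf("data.bin", random));
        expectRejected(guard, zipOf("zeros.bin", zeros));
        // The wraparound that makes an int counter unsafe for byte totals.
        int wrapped = (int) (3L * 1024 * 1024 * 1024);
        System.out.println("3 GiB stored in an int reads as " + wrapped);
    }
}
```

The size limit is the hard bound: it fires on the read that crosses it, regardless of what the archive headers claim. The ratio check depends on a compressed size that ZipInputStream only knows mid-stream when the local header carries it, which is why it is repeated after the entry is drained.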
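To make the S4512 promotion concrete, here is the noncompliant BeanUtils.populate() pattern beside an allowlisted version. This is an added example, not the rule's own noncompliant/compliant snippets and not sonar-java code; it assumes commons-beanutils on the classpath, and the Account bean, the BINDABLE set and the request parameters are hypothetical.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.apache.commons.beanutils.BeanUtils;

public final class MassAssignmentDemo {

    /** Hypothetical target bean; 'admin' must never be writable from a request. */
    public static final class Account {
        private String displayName;
        private String email;
        private boolean admin;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String v) { displayName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    /** Property names a request is allowed to set; everything else is dropped before binding. */
    private static final Set<String> BINDABLE = Set.of("displayName", "email");

    /** Noncompliant (S4512): every parameter name becomes a setter call on the bean. */
    public static Account bindUnfiltered(Map<String, String[]> params)
            throws IllegalAccessException, InvocationTargetException {
        Account account = new Account();
        BeanUtils.populate(account, params);
        return account;
    }

    /** Compliant: only allowlisted property names reach BeanUtils.populate(). */
    public static Account bindAllowlisted(Map<String, String[]> params)
            throws IllegalAccessException, InvocationTargetException {
        Map<String, String[]> safe = new HashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (BINDABLE.contains(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            }
        }
        Account account = new Account();
        BeanUtils.populate(account, safe);
        return account;
    }

    public static void main(String[] args) throws Exception {
        // Constructed parameter map in the shape of ServletRequest.getParameterMap():
        // an ordinary profile edit with a smuggled "admin=true".
        Map<String, String[]> params = new HashMap<>();
        params.put("displayName", new String[] {"Mallory"});
        params.put("email", new String[] {"mallory@example.com"});
        params.put("admin", new String[] {"true"});

        System.out.println("unfiltered  -> admin=" + bindUnfiltered(params).isAdmin());
        System.out.println("allowlisted -> admin=" + bindAllowlisted(params).isAdmin());
    }
}
```

Filtering on property names before the reflective call is the minimal fix; the same allowlist applies unchanged when the binding is done through Spring's BeanWrapper.setPropertyValues(), which the rule also targets.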
Rule Metadata Update Summary

./sonarpedia.json
Rule API Version: 2.20.0.5857

This PR was automatically generated to update rule metadata across all supported languages.