SonarSource
diff --git a/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html‎
Lines changed: 29 additions & 32 deletions b/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html‎
Lines changed: 29 additions & 32 deletions
diff --git a/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json‎
Lines changed: 8 additions & 7 deletions b/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.json‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2245.html‎
Lines changed: 30 additions & 42 deletions b/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2245.html‎
Lines changed: 30 additions & 42 deletions
diff --git a/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2245.json‎
Lines changed: 8 additions & 7 deletions b/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2245.json‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4036.html‎
Lines changed: 28 additions & 48 deletions b/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4036.html‎
Lines changed: 28 additions & 48 deletions
diff --git a/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4036.json‎
Lines changed: 6 additions & 5 deletions b/‎sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4036.json‎
Lines changed: 6 additions & 5 deletions
@@ -1,20 +1,18 @@
-<p>Formatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the
-query. However, this rule doesn’t detect SQL injections (unlike rule {rule:javasecurity:S3649}), the goal is only to highlight complex/formatted queries.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>Some parts of the query come from untrusted values (like user inputs).</li>
-  <li>The query is repeated/duplicated in other parts of the code.</li>
-  <li>The application must support different types of relational databases.</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li>Use <a href="https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html">parameterized queries, prepared statements,
-  or stored procedures</a> and bind variables to SQL query parameters.</li>
-  <li>Consider using ORM frameworks if there is a need to have an abstract layer to access data.</li>
-</ul>
-<h2>Sensitive Code Example</h2>
-<pre>
+<p>Dynamically building SQL query strings can result in broken SQL syntax and open SQL injection attacks.</p>
+<h2>Why is this an issue?</h2>
+<p>When SQL queries are constructed by concatenating or formatting user-supplied values directly into the query string, the structure of the query
+itself can be altered by a malicious input. This rule flags calls to SQL execution functions where the query string is built using string
+concatenation or format operators rather than parameterized queries or prepared statements. Unlike rule {rule:javasecurity:S3649}, this rule does not perform
+taint analysis — it flags all dynamically formatted SQL queries as a potential risk regardless of the data source.</p>
+<h3>What is the potential impact?</h3>
+<h4>SQL injection</h4>
+<p>If any part of a dynamically formatted query string originates from untrusted input, an attacker can manipulate the query to read, modify, or
+delete data they should not have access to, bypass authentication checks, or in some configurations execute operating system commands.</p>
+<h2>How to fix it</h2>
+<h3>Code examples</h3>
+<p>The following code builds a SQL query by concatenating a value directly into the query string.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 public User getUser(Connection con, String user) throws SQLException {
 
   Statement stmt1 = null;
@@ -26,10 +24,10 @@ <h2>Sensitive Code Example</h2>
 
     stmt2 = con.createStatement();
     ResultSet rs2 = stmt2.executeQuery("select FNAME, LNAME, SSN " +
-                 "from USERS where UNAME=" + user);  // Sensitive
+                 "from USERS where UNAME=" + user);  // Noncompliant
 
     pstmt = con.prepareStatement("select FNAME, LNAME, SSN " +
-                 "from USERS where UNAME=" + user);  // Sensitive
+                 "from USERS where UNAME=" + user);  // Noncompliant
     ResultSet rs3 = pstmt.executeQuery();
 
     //...
@@ -38,12 +36,12 @@ <h2>Sensitive Code Example</h2>
 public User getUserHibernate(org.hibernate.Session session, String data) {
 
   org.hibernate.Query query = session.createQuery(
-            "FROM students where fname = " + data);  // Sensitive
+            "FROM students where fname = " + data);  // Noncompliant
   // ...
 }
 </pre>
-<h2>Compliant Solution</h2>
-<pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
 public User getUser(Connection con, String user) throws SQLException {
 
   Statement stmt1 = null;
@@ -55,7 +53,7 @@ <h2>Compliant Solution</h2>
     ResultSet rs1 = stmt1.executeQuery("GETDATE()");
 
     pstmt = con.prepareStatement(query);
-    pstmt.setString(1, user);  // Good; PreparedStatements escape their inputs.
+    pstmt.setString(1, user);
     ResultSet rs2 = pstmt.executeQuery();
 
     //...
@@ -66,22 +64,21 @@ <h2>Compliant Solution</h2>
 
   org.hibernate.Query query =  session.createQuery("FROM students where fname = ?");
   query = query.setParameter(0,data);  // Good; Parameter binding escapes all input
-
-  org.hibernate.Query query2 =  session.createQuery("FROM students where fname = " + data); // Sensitive
-  // ...
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li>Derived from FindSecBugs rules <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA">Potential SQL/JPQL Injection
+  (JPA)</a>, <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO">Potential SQL/JDOQL Injection (JDO)</a>, <a
+  href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE">Potential SQL/HQL Injection (Hibernate)</a></li>
+</ul>
+<h3>Standards</h3>
 <ul>
   <li>OWASP - <a href="https://owasp.org/Top10/A03_2021-Injection/">Top 10 2021 Category A3 - Injection</a></li>
   <li>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A1_2017-Injection">Top 10 2017 Category A1 - Injection</a></li>
   <li>CWE - <a href="https://cwe.mitre.org/data/definitions/89">CWE-89 - Improper Neutralization of Special Elements used in an SQL Command</a></li>
-  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/564">CWE-564 - SQL Injection: Hibernate</a></li>
-  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/20">CWE-20 - Improper Input Validation</a></li>
   <li>CWE - <a href="https://cwe.mitre.org/data/definitions/943">CWE-943 - Improper Neutralization of Special Elements in Data Query Logic</a></li>
   <li><a
   href="https://cmu-sei.github.io/secure-coding-standards/sei-cert-oracle-coding-standard-for-java/rules/input-validation-and-data-sanitization-ids/ids00-j">CERT, IDS00-J.</a> - Prevent SQL injection</li>
-  <li>Derived from FindSecBugs rules <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA">Potential SQL/JPQL Injection
-  (JPA)</a>, <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO">Potential SQL/JDOQL Injection (JDO)</a>, <a
-  href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE">Potential SQL/HQL Injection (Hibernate)</a></li>
 </ul>
 
@@ -1,6 +1,6 @@
 {
-  "title": "Formatting SQL queries is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "SQL queries should not be dynamically formatted",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
       "MAINTAINABILITY": "LOW",
@@ -9,6 +9,7 @@
     "attribute": "COMPLETE"
   },
   "status": "ready",
+  "quickfix": "unknown",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "20min"
@@ -19,7 +20,8 @@
     "bad-practice",
     "cert",
     "hibernate",
-    "sql"
+    "sql",
+    "former-hotspot"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2077",
@@ -30,8 +32,8 @@
       "IDS00-J."
     ],
     "CWE": [
-      20,
-      89
+      89,
+      943
     ],
     "OWASP": [
       "A1"
@@ -51,6 +53,5 @@
       "5.3.4",
       "5.3.5"
     ]
-  },
-  "quickfix": "unknown"
+  }
 }
@@ -1,54 +1,42 @@
-<p>PRNGs are algorithms that produce sequences of numbers that only approximate true randomness. While they are suitable for applications like
-simulations or modeling, they are not appropriate for security-sensitive contexts because their outputs can be predictable if the internal state is
-known.</p>
-<p>In contrast, cryptographically secure pseudorandom number generators (CSPRNGs) are designed to be secure against prediction attacks. CSPRNGs use
-cryptographic algorithms to ensure that the generated sequences are not only random but also unpredictable, even if part of the sequence or the
-internal state becomes known. This unpredictability is crucial for security-related tasks such as generating encryption keys, tokens, or any other
-values that must remain confidential and resistant to guessing attacks.</p>
-<p>For example, the use of non-cryptographic PRNGs has led to vulnerabilities such as:</p>
-<ul>
-  <li><a href="https://www.cve.org/CVERecord?id=CVE-2013-6386">CVE-2013-6386</a></li>
-  <li><a href="https://www.cve.org/CVERecord?id=CVE-2006-3419">CVE-2006-3419</a></li>
-  <li><a href="https://www.cve.org/CVERecord?id=CVE-2008-4102">CVE-2008-4102</a></li>
-</ul>
-<p>When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that
-will be generated, and use this guess to impersonate another user or access sensitive information. Therefore, it is critical to use CSPRNGs in any
-security-sensitive application to ensure the robustness and security of the system.</p>
-<p>As the <code>java.util.Random</code> class relies on a non-cryptographic pseudorandom number generator, this class and relating
-<code>java.lang.Math.random()</code> method should not be used for security-critical applications or for protecting sensitive data. In such context,
-the <code>java.security.SecureRandom</code> class which relies on a CSPRNG should be used in place.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>the code using the generated value requires it to be unpredictable. It is the case for all encryption mechanisms or when a secret value, such as
-  a password, is hashed.</li>
-  <li>the function you use is a non-cryptographic PRNG.</li>
-  <li>the generated value is used multiple times.</li>
-  <li>an attacker can access the generated value.</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li>Use a cryptographically secure pseudo random number generator (CSPRNG) like "java.security.SecureRandom" in place of a non-cryptographic
-  PRNG.</li>
-  <li>Use the generated random values only once.</li>
-  <li>You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.</li>
-</ul>
-<h2>Sensitive Code Example</h2>
-<pre>
-Random random = new Random(); // Sensitive use of Random
+<p>Pseudorandom number generators (PRNGs) produce sequences that only approximate true randomness and are not suitable for security-sensitive
+contexts.</p>
+<h2>Why is this an issue?</h2>
+<p>When software generates predictable values in a context requiring unpredictability, an attacker who knows or can guess the internal state of the
+PRNG may predict the next value that will be generated. The rule flags the use of non-cryptographic PRNGs in contexts where a cryptographically secure
+pseudorandom number generator (CSPRNG) is required, such as generating encryption keys, tokens, or other secret values.</p>
+<p>As the <code>java.util.Random</code> class relies on a non-cryptographic pseudorandom number generator, this class and the related
+<code>java.lang.Math.random()</code> method should not be used for security-critical applications or for protecting sensitive data. In such contexts,
+the <code>java.security.SecureRandom</code> class which relies on a CSPRNG should be used instead.</p>
+<h3>What is the potential impact?</h3>
+<h4>Predictable values</h4>
+<p>If an attacker can predict the values generated by a PRNG, they may be able to guess session tokens, encryption keys, password reset links, or
+other secrets, leading to unauthorized access or impersonation.</p>
+<h4>Broken cryptography</h4>
+<p>Using a non-cryptographic PRNG to generate keys or initialization vectors weakens the security of the cryptographic scheme, potentially making it
+trivially breakable.</p>
+<h2>How to fix it</h2>
+<h3>Code examples</h3>
+<p>Use a cryptographically secure pseudorandom number generator (CSPRNG) instead of a non-cryptographic PRNG.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+Random random = new Random(); // Noncompliant
 byte bytes[] = new byte[20];
-random.nextBytes(bytes); // Check if bytes is used for hashing, encryption, etc...
+random.nextBytes(bytes);
 </pre>
-<h2>Compliant Solution</h2>
-<pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
 SecureRandom random = new SecureRandom();
 byte bytes[] = new byte[20];
 random.nextBytes(bytes);
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Documentation</h3>
 <ul>
   <li>OWASP - <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation">Secure
   Random Number Generation Cheat Sheet</a></li>
+</ul>
+<h3>Standards</h3>
+<ul>
   <li>OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a></li>
   <li>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a></li>
 
@@ -1,21 +1,23 @@
 {
-  "title": "Using pseudorandom number generators (PRNGs) is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Pseudorandom number generators (PRNGs) should not be used in security contexts",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "MEDIUM"
     },
     "attribute": "TRUSTWORTHY"
   },
   "status": "ready",
+  "quickfix": "unknown",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "10min"
   },
   "tags": [
-    "cwe"
+    "cwe",
+    "former-hotspot"
   ],
-  "defaultSeverity": "Critical",
+  "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2245",
   "sqKey": "S2245",
   "scope": "Main",
@@ -49,6 +51,5 @@
     "ASVS 4.0": [
       "6.2.4"
     ]
-  },
-  "quickfix": "unknown"
+  }
 }
@@ -1,60 +1,40 @@
-<p>When you run an OS command, it is always important to protect yourself against the risk of accidental or malicious replacement of the executables
-in the production system.</p>
-<p>To do so, it is important to point to the specific executable that should be used.</p>
-<p>For example, if you call <code>git</code> (without specifying a path), the operating system will search for the executable in the directories
-specified in the <code>PATH</code> environment variable.
-  <br>
-  An attacker could have added, in a permissive directory covered by <code>PATH</code> , another executable called <code>git</code>, but with a
-  completely different behavior, for example exfiltrating data or exploiting a vulnerability in your own code.</p>
-<p>However, by calling <code>/usr/bin/git</code> or <code>../git</code> (relative path) directly, the operating system will always use the intended
-executable.
-  <br>
-  Note that you still need to make sure that the executable is not world-writeable and potentially overwritten. This is not the scope of this
-  rule.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>The PATH environment variable only contains fixed, trusted directories.</li>
-</ul>
-<p>There is a risk if you answered no to this question.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<p>If you wish to rely on the <code>PATH</code> environment variable to locate the OS command, make sure that each of its listed directories is fixed,
-not susceptible to change, and not writable by unprivileged users.</p>
-<p>If you determine that these folders cannot be altered, and that you are sure that the program you intended to use will be used, then you can
-determine that these risks are under your control.</p>
-<p>A good practice you can use is to also hardcode the <code>PATH</code> variable you want to use, if you can do so in the framework you use.</p>
-<p>If the previous recommendations cannot be followed due to their complexity or other requirements, then consider using the absolute path of the
-command instead.</p>
-<pre>
-$ whereis git
-git: /usr/bin/git /usr/share/man/man1/git.1.gz
-$ ls -l /usr/bin/git
--rwxr-xr-x 1 root root 3376112 Jan 28 10:13 /usr/bin/git
-</pre>
-<h2>Sensitive Code Example</h2>
-<p>The full path of the command is not specified and thus the executable will be searched in all directories listed in the <code>PATH</code>
-environment variable:</p>
-<pre>
-Runtime.getRuntime().exec("make");  // Sensitive
-Runtime.getRuntime().exec(new String[]{"make"});  // Sensitive
+<p>Executing an OS command without specifying an absolute or relative path exposes the application to PATH-hijacking attacks.</p>
+<h2>Why is this an issue?</h2>
+<p>When an OS command is executed using only its name (without an absolute or relative path), the operating system searches each directory listed in
+the <code>PATH</code> environment variable until it finds a matching executable. If an attacker can write to any directory listed in
+<code>PATH</code>, or can prepend a directory they control to <code>PATH</code>, they can place a malicious executable with the same name as the
+intended command. The next time the application executes the command, the malicious binary will run instead of the intended one.</p>
+<h3>What is the potential impact?</h3>
+<h4>Arbitrary command execution</h4>
+<p>If a directory in <code>PATH</code> is writable by an unprivileged user, or if an attacker can influence the value of <code>PATH</code>, they can
+substitute the expected executable with a malicious binary of the same name. This gives the attacker arbitrary code execution in the context of the
+application, which may lead to data exfiltration, privilege escalation, or full system compromise.</p>
+<h2>How to fix it</h2>
+<h3>Code examples</h3>
+<p>The following code executes a command by name only, causing the operating system to search <code>PATH</code> to locate the executable.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+Runtime.getRuntime().exec("make");  // Noncompliant
+Runtime.getRuntime().exec(new String[]{"make"});  // Noncompliant
 
-ProcessBuilder builder = new ProcessBuilder("make");  // Sensitive
-builder.command("make");  // Sensitive
+ProcessBuilder builder = new ProcessBuilder("make");  // Noncompliant
+builder.command("make");  // Noncompliant
 </pre>
-<h2>Compliant Solution</h2>
-<p>The command is defined by its full path:</p>
-<pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
 Runtime.getRuntime().exec("/usr/bin/make");
 Runtime.getRuntime().exec(new String[]{"~/bin/make"});
 
 ProcessBuilder builder = new ProcessBuilder("./bin/make");
 builder.command("../bin/make");
-builder.command(Arrays.asList("..\bin\make", "-j8"));
+builder.command(Arrays.asList("..\\bin\\make", "-j8"));
 
-builder = new ProcessBuilder(Arrays.asList(".\make"));
-builder.command(Arrays.asList("C:\bin\make", "-j8"));
-builder.command(Arrays.asList("\\SERVER\bin\make"));
+builder = new ProcessBuilder(Arrays.asList(".\\make"));
+builder.command(Arrays.asList("C:\\bin\\make", "-j8"));
+builder.command(Arrays.asList("\\\\SERVER\\bin\\make"));
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
   <li>OWASP - <a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">Top 10 2021 Category A8 - Software and Data Integrity
   Failures</a></li>
 
@@ -1,19 +1,21 @@
 {
-  "title": "Searching OS commands in PATH is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "OS commands should not rely on PATH resolution",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
       "SECURITY": "LOW"
     },
     "attribute": "COMPLETE"
   },
   "status": "ready",
+  "quickfix": "unknown",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "15min"
   },
   "tags": [
-    "cwe"
+    "cwe",
+    "former-hotspot"
   ],
   "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-4036",
@@ -30,6 +32,5 @@
     "OWASP Top 10 2021": [
       "A8"
     ]
-  },
-  "quickfix": "unknown"
+  }
 }