Update RSPEC for 9.26 release (#9367)

analyzers/rspec/cs/S4347.html

@@ -1,19 +1,19 @@
-<p>When using <code>SecureRandom</code>, it is important not to use predictable seeds. This class is used to generate cryptographically strong random
-numbers. Using a predictable seed will make its output predictable as well, which counteracts the use case of <code>SecureRandom</code>.</p>
+<p>Cryptographic operations often rely on unpredictable random numbers to enhance security. These random numbers are created by cryptographically
+secure pseudo-random number generators (CSPRNG). It is important not to use a predictable seed with these random number generators otherwise the
+random numbers will also become predictable.</p>
 <h2>Why is this an issue?</h2>
-<p><code>java.security.SecureRandom</code> is often used to generate random values for cryptographic algorithms. When a random number generator is
-used for cryptographic purposes, the generated numbers must be as random and unpredictable as possible. When <code>SecureRandom</code> is improperly
-seeded with a constant or a predictable value, its output will also be predictable.</p>
+<p>Random number generators are often used to generate random values for cryptographic algorithms. When a random number generator is used for
+cryptographic purposes, the generated numbers must be as random and unpredictable as possible. When the random number generator is improperly seeded
+with a constant or a predictable value, its output will also be predictable.</p>
 <p>This can have severe security implications for cryptographic operations that rely on the randomness of the generated numbers. By using a
 predictable seed, an attacker can potentially guess or deduce the generated numbers, compromising the security of whatever cryptographic algorithm
-relies on <code>SecureRandom</code>.</p>
+relies on the random number generator.</p>
 <h3>What is the potential impact?</h3>
 <p>It is crucial to understand that the strength of cryptographic algorithms heavily relies on the quality of the random numbers used. By improperly
-seeding the <code>SecureRandom</code> class, we introduce a significant weakness that can be exploited by attackers.</p>
+seeding a CSPRNG, we introduce a significant weakness that can be exploited by attackers.</p>
 <h4>Insecure cryptographic keys</h4>
-<p>One of the primary use cases for the <code>SecureRandom</code> class is generating cryptographic keys. If an attacker can predict the seed used to
-initialize the SecureRandom instance, they may be able to derive the same keys. Depending on the use case, this can lead to multiple severe outcomes,
-such as:</p>
+<p>One of the primary use cases for CSPRNGs is generating cryptographic keys. If an attacker can predict the seed used to initialize the random number
+generator, they may be able to derive the same keys. Depending on the use case, this can lead to multiple severe outcomes, such as:</p>
 <ul>
   <li> Being able to decrypt sensitive documents, leading to privacy breaches or identity theft. </li>
   <li> Gaining access to a private key used for signing, allowing an attacker to forge digital signatures and impersonate legitimate entities. </li>
@@ -111,8 +111,8 @@ <h4>Compliant solution</h4>
 <h2>Resources</h2>
 <h3>Documentation</h3>
 <ul>
-  <li> Java Documentation - <a href="https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/SecureRandom.html">Class
-  <code>java.security.SecureRandom</code></a> </li>
+  <li> Bouncy Castle - <a href="https://downloads.bouncycastle.org/csharp/docs/BC-CSharpDotNet-UserGuide.pdf">The BouncyCastle.NET User Guide</a>
+  </li>
 </ul>
 <h3>Standards</h3>
 <ul>
@@ -129,7 +129,27 @@ <h3>Standards</h3>
 <h2>Implementation Specification</h2>
 <p>(visible only on this page)</p>
 <h3>Message</h3>
-<p>Change this seed value to something unpredictable, or remove the seed.</p>
+<p>When the random number generator’s output <strong>is not</strong> predictable by default:</p>
+<blockquote>
+  <p>Change this seed value to something unpredictable, or remove the seed.</p>
+</blockquote>
+<p>When the random number generator’s output <strong>is</strong> predictable by default:</p>
+<blockquote>
+  <p>Set an unpredictable seed before generating random values.</p>
+</blockquote>
 <h3>Highlighting</h3>
-<p>The call to SecureRandom.setSeed() or the SecureRandom(byte[]) constructor call</p>
+<p>When the random number generator’s output <strong>is not</strong> predictable by default:</p>
+<ul>
+  <li> The most recent function call that sets a seed. For example:
+    <ul>
+      <li> The factory method that returns the RNG, where the seed is passed as a parameter. </li>
+      <li> The RNG constructor, where the seed is a parameter. </li>
+      <li> The function call on the RNG that sets the seed. </li>
+    </ul>  </li>
+</ul>
+<p>When the random number generator’s output <strong>is</strong> predictable by default:</p>
+<ul>
+  <li> The function call on the RNG that returns a random value. </li>
+</ul>
+<p>If the factory method or constructor is not already highlighted, it should become a secondary highlight.</p>
 

analyzers/rspec/cs/S4347.json

@@ -1,5 +1,5 @@
 {
-  "title": "\"SecureRandom\" seeds should not be predictable",
+  "title": "Secure random number generators should not output predictable values",
   "type": "VULNERABILITY",
   "code": {
     "impacts": {

analyzers/rspec/cs/Sonar_way_profile.json

@@ -319,6 +319,7 @@
     "S6800",
     "S6930",
     "S6931",
+    "S6932",
     "S6934",
     "S6960",
     "S6961",

analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "CSH"
   ],
-  "latest-update": "2024-05-29T15:19:37.466844500Z",
+  "latest-update": "2024-05-31T08:10:51.650298800Z",
   "options": {
     "no-language-in-filenames": true
   }

analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "VBNET"
   ],
-  "latest-update": "2024-05-29T15:20:05.748456800Z",
+  "latest-update": "2024-05-31T08:11:17.885759100Z",
   "options": {
     "no-language-in-filenames": true
   }