Skip to content

Commit

Permalink
Update RSPEC for 9.22 (again) (#8961)
Browse files Browse the repository at this point in the history
  • Loading branch information
zsolt-kolbay-sonarsource authored Mar 20, 2024
1 parent 28b72bb commit ace4c81
Show file tree
Hide file tree
Showing 9 changed files with 51 additions and 41 deletions.
17 changes: 9 additions & 8 deletions analyzers/rspec/cs/S2551.html
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
<h2>Why is this an issue?</h2>
<p>A shared resource refers to a resource or data that can be accessed or modified by multiple <a
href="https://en.wikipedia.org/wiki/Thread_(computing)">threads</a> or concurrent parts of a program. It could be any piece of data, object, file,
database connection, or system resource that needs to be accessed or manipulated by multiple parts of a program concurrently.</p>
<p>Shared resources should not be used for <a href="https://en.wikipedia.org/wiki/Lock_(computer_science)">locking</a> as it increases the chance of
<a href="https://en.wikipedia.org/wiki/Deadlock">deadlocks</a>. Any other thread could acquire (or attempt to acquire) the same lock while doing some
operation, without knowing that the resource is meant to be used for locking purposes.</p>
<p>One example of this is a <code>String</code> <a href="https://en.wikipedia.org/wiki/Interning_(computer_science)">interned</a> by the runtime. This
means that each <code>String</code> instance is immutable and stored, and then reused everywhere it is referenced.</p>
<p>Instead, a dedicated private <code>object</code> instance should be used for each shared resource. Making the lock-specific object
<code>private</code> guarantees that the access to it is as minimal as possible, in order to avoid deadlocks or lock contention.</p>
database connection, or system resource that needs to be accessed or manipulated by multiple parts of a program at the same time.</p>
<p>Shared resources should not be used for <a href="https://en.wikipedia.org/wiki/Lock_(computer_science)">locking</a> because it increases the chance
of <a href="https://en.wikipedia.org/wiki/Deadlock">deadlocks</a>. Any other thread could acquire (or attempt to acquire) the same lock while doing
some operation, without knowing that the resource is meant to be used for locking purposes.</p>
<p>For example, a <code>string</code> should never be used for locking. When a <code>string</code> is <a
href="https://en.wikipedia.org/wiki/Interning_(computer_science)">interned</a> by the runtime, it can be shared by multiple threads, breaking the
locking mechanism.</p>
<p>Instead, a dedicated private <code>object</code> instance should be used for each shared resource. This minimizes access to the lock instance,
avoiding deadlocks and lock contention.</p>
<p>The following objects are considered as shared resources:</p>
<ul>
<li> a reference to <a href="https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/this">this</a>: if the instance is publicly
Expand Down
4 changes: 2 additions & 2 deletions analyzers/rspec/cs/S3927.html
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
<h2>Why is this an issue?</h2>
<p>Serialization event handlers that don’t have the correct signature will not be called, bypassing augmentations to the automated
de/serialization.</p>
<p>Serialization event handlers that don’t have the correct signature will not be called, bypassing augmentations to automated serialization and
deserialization events.</p>
<p>A method is designated a serialization event handler by applying one of the following serialization event attributes:</p>
<ul>
<li> <a
Expand Down
13 changes: 8 additions & 5 deletions analyzers/rspec/cs/S5542.html
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,10 @@ <h2>Why is this an issue?</h2>
</ol>
<p>For these reasons, as soon as cryptography is included in a project, it is important to choose encryption algorithms that are considered strong and
secure by the cryptography community.</p>
<p>For AES, the weakest modes are CBC (Cipher Block Chaining) and ECB (Electronic Codebook) because they are either vulnerable to padding oracles or
do not provide authentication mechanisms.</p>
<p>For AES, the weakest mode is ECB (Electronic Codebook). Repeated blocks of data are encrypted to the same value, making them easy to identify and
reducing the difficulty of recovering the original cleartext.</p>
<p>Unauthenticated modes such as CBC (Cipher Block Chaining) may be used but are prone to attacks that manipulate the ciphertext. They must be used
with caution.</p>
<p>For RSA, the weakest algorithms are either using it without padding or using the PKCS1v1.5 padding scheme.</p>
<h3>What is the potential impact?</h3>
<p>The cleartext of an encrypted message might be recoverable. Additionally, it might be possible to modify the cleartext of an encrypted message.</p>
Expand Down Expand Up @@ -78,7 +80,8 @@ <h4>Compliant solution</h4>
<h3>How does this work?</h3>
<p>As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.</p>
<p>Appropriate choices are currently the following.</p>
<h4>For AES: Use Galois/Counter mode (GCM)</h4>
<h4>For AES: use authenticated encryption modes</h4>
<p>The best-known authenticated encryption mode for AES is Galois/Counter mode (GCM).</p>
<p>GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and
authenticity of data.</p>
<p>Other similar modes are:</p>
Expand All @@ -89,8 +92,8 @@ <h4>For AES: Use Galois/Counter mode (GCM)</h4>
<li> IAPM: <code>Integer Authenticated Parallelizable Mode</code> </li>
<li> OCB: <code>Offset Codebook Mode</code> </li>
</ul>
<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it</p>
<p>is considered more straightforward to use AES-GCM directly instead.</p>
<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it is considered more straightforward to use AES-GCM directly
instead.</p>
<h4>For RSA: use the OAEP scheme</h4>
<p>The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of
RSA.</p>
Expand Down
20 changes: 11 additions & 9 deletions analyzers/rspec/vbnet/S117.html
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,17 @@ <h2>Why is this an issue?</h2>
<h3>What is the potential impact?</h3>
<p>Inconsistent naming of local variables can lead to several issues in your code:</p>
<ul>
<li> Reduced Readability: inconsistent local variable names make the code harder to read and understand; consequently, it is more difficult to
identify the purpose of each variable, spot errors, or comprehend the logic. </li>
<li> Difficulty in Identifying Variables: local variables that don’t adhere to a standard naming convention are challenging to identify; thus, the
coding process slows down, especially when dealing with a large codebase. </li>
<li> Increased Risk of Errors: inconsistent or unclear local variable names lead to misunderstandings about what the variable represents. This
ambiguity leads to incorrect assumptions and, consequently, bugs in the code. </li>
<li> Collaboration Difficulties: in a team setting, inconsistent naming conventions lead to confusion and miscommunication among team members. </li>
<li> Difficulty in Code Maintenance: inconsistent naming leads to an inconsistent codebase. The code is difficult to understand, and making changes
feels like refactoring constantly, as you face different naming methods. Ultimately, it makes the codebase harder to maintain. </li>
<li> <strong>Reduced Readability</strong>: Inconsistent local variable names make the code harder to read and understand; consequently, it is more
difficult to identify the purpose of each variable, spot errors, or comprehend the logic. </li>
<li> <strong>Difficulty in Identifying Variables</strong>: The local variables that don’t adhere to a standard naming convention are challenging to
identify; thus, the coding process slows down, especially when dealing with a large codebase. </li>
<li> <strong>Increased Risk of Errors</strong>: Inconsistent or unclear local variable names lead to misunderstandings about what the variable
represents. This ambiguity leads to incorrect assumptions and, consequently, bugs in the code. </li>
<li> <strong>Collaboration Difficulties</strong>: In a team setting, inconsistent naming conventions lead to confusion and miscommunication among
team members. </li>
<li> <strong>Difficulty in Code Maintenance</strong>: Inconsistent naming leads to an inconsistent codebase. The code is difficult to understand,
and making changes feels like refactoring constantly, as you face different naming methods. Ultimately, it makes the codebase harder to maintain.
</li>
</ul>
<p>In summary, not adhering to a naming convention for local variables can lead to confusion, errors, and inefficiencies, making the code harder to
read, understand, and maintain.</p>
Expand Down
17 changes: 9 additions & 8 deletions analyzers/rspec/vbnet/S2551.html
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
<h2>Why is this an issue?</h2>
<p>A shared resource refers to a resource or data that can be accessed or modified by multiple <a
href="https://en.wikipedia.org/wiki/Thread_(computing)">threads</a> or concurrent parts of a program. It could be any piece of data, object, file,
database connection, or system resource that needs to be accessed or manipulated by multiple parts of a program concurrently.</p>
<p>Shared resources should not be used for <a href="https://en.wikipedia.org/wiki/Lock_(computer_science)">locking</a> as it increases the chance of
<a href="https://en.wikipedia.org/wiki/Deadlock">deadlocks</a>. Any other thread could acquire (or attempt to acquire) the same lock while doing some
operation, without knowing that the resource is meant to be used for locking purposes.</p>
<p>One example of this is a <code>String</code> <a href="https://en.wikipedia.org/wiki/Interning_(computer_science)">interned</a> by the runtime. This
means that each <code>String</code> instance is immutable and stored, and then reused everywhere it is referenced.</p>
<p>Instead, a dedicated private <code>object</code> instance should be used for each shared resource. Making the lock-specific object
<code>private</code> guarantees that the access to it is as minimal as possible, in order to avoid deadlocks or lock contention.</p>
database connection, or system resource that needs to be accessed or manipulated by multiple parts of a program at the same time.</p>
<p>Shared resources should not be used for <a href="https://en.wikipedia.org/wiki/Lock_(computer_science)">locking</a> because it increases the chance
of <a href="https://en.wikipedia.org/wiki/Deadlock">deadlocks</a>. Any other thread could acquire (or attempt to acquire) the same lock while doing
some operation, without knowing that the resource is meant to be used for locking purposes.</p>
<p>For example, a <code>String</code> should never be used for locking. When a <code>String</code> is <a
href="https://en.wikipedia.org/wiki/Interning_(computer_science)">interned</a> by the runtime, it can be shared by multiple threads, breaking the
locking mechanism.</p>
<p>Instead, a dedicated private <code>Object</code> instance should be used for each shared resource. This minimizes access to the lock instance,
avoiding deadlocks and lock contention.</p>
<p>The following objects are considered as shared resources:</p>
<ul>
<li> a reference to <a
Expand Down
4 changes: 2 additions & 2 deletions analyzers/rspec/vbnet/S3927.html
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
<h2>Why is this an issue?</h2>
<p>Serialization event handlers that don’t have the correct signature will not be called, bypassing augmentations to the automated
de/serialization.</p>
<p>Serialization event handlers that don’t have the correct signature will not be called, bypassing augmentations to automated serialization and
deserialization events.</p>
<p>A method is designated a serialization event handler by applying one of the following serialization event attributes:</p>
<ul>
<li> <a
Expand Down
13 changes: 8 additions & 5 deletions analyzers/rspec/vbnet/S5542.html
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,10 @@ <h2>Why is this an issue?</h2>
</ol>
<p>For these reasons, as soon as cryptography is included in a project, it is important to choose encryption algorithms that are considered strong and
secure by the cryptography community.</p>
<p>For AES, the weakest modes are CBC (Cipher Block Chaining) and ECB (Electronic Codebook) because they are either vulnerable to padding oracles or
do not provide authentication mechanisms.</p>
<p>For AES, the weakest mode is ECB (Electronic Codebook). Repeated blocks of data are encrypted to the same value, making them easy to identify and
reducing the difficulty of recovering the original cleartext.</p>
<p>Unauthenticated modes such as CBC (Cipher Block Chaining) may be used but are prone to attacks that manipulate the ciphertext. They must be used
with caution.</p>
<p>For RSA, the weakest algorithms are either using it without padding or using the PKCS1v1.5 padding scheme.</p>
<h3>What is the potential impact?</h3>
<p>The cleartext of an encrypted message might be recoverable. Additionally, it might be possible to modify the cleartext of an encrypted message.</p>
Expand Down Expand Up @@ -87,7 +89,8 @@ <h4>Compliant solution</h4>
<h3>How does this work?</h3>
<p>As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.</p>
<p>Appropriate choices are currently the following.</p>
<h4>For AES: Use Galois/Counter mode (GCM)</h4>
<h4>For AES: use authenticated encryption modes</h4>
<p>The best-known authenticated encryption mode for AES is Galois/Counter mode (GCM).</p>
<p>GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and
authenticity of data.</p>
<p>Other similar modes are:</p>
Expand All @@ -98,8 +101,8 @@ <h4>For AES: Use Galois/Counter mode (GCM)</h4>
<li> IAPM: <code>Integer Authenticated Parallelizable Mode</code> </li>
<li> OCB: <code>Offset Codebook Mode</code> </li>
</ul>
<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it</p>
<p>is considered more straightforward to use AES-GCM directly instead.</p>
<p>It is also possible to use AES-CBC with HMAC for integrity checks. However, it is considered more straightforward to use AES-GCM directly
instead.</p>
<h4>For RSA: use the OAEP scheme</h4>
<p>The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of
RSA.</p>
Expand Down
2 changes: 1 addition & 1 deletion analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"languages": [
"CSH"
],
"latest-update": "2024-03-15T12:11:31.487123200Z",
"latest-update": "2024-03-20T08:56:52.732098400Z",
"options": {
"no-language-in-filenames": true
}
Expand Down
2 changes: 1 addition & 1 deletion analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"languages": [
"VBNET"
],
"latest-update": "2024-03-15T12:11:49.495514500Z",
"latest-update": "2024-03-20T08:59:07.028699300Z",
"options": {
"no-language-in-filenames": true
}
Expand Down

0 comments on commit ace4c81

Please sign in to comment.