Update rule metadata (#1537)

Co-authored-by: rudy-regazzoni-sonarsource <rudy-regazzoni-sonarsource>

iac-extensions/arm/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "AZURE_RESOURCE_MANAGER"
   ],
-  "latest-update": "2024-09-02T14:46:42.140530Z",
+  "latest-update": "2024-09-17T06:40:06.632039Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

iac-extensions/cloudformation/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "CLOUD_FORMATION"
   ],
-  "latest-update": "2024-09-02T14:46:49.511642Z",
+  "latest-update": "2024-09-17T06:40:14.503224Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

iac-extensions/cloudformation/src/main/resources/org/sonar/l10n/cloudformation/rules/cloudformation/S6249.html

@@ -29,7 +29,7 @@ <h2>Sensitive Code Example</h2>
   S3Bucket:
     Type: 'AWS::S3::Bucket' # Sensitive
     Properties:
-      BucketName: "mynoncompliantbucket"
+      BucketName: "bucketname"
 
   S3BucketPolicy:
     Type: 'AWS::S3::BucketPolicy'
@@ -43,7 +43,9 @@ <h2>Sensitive Code Example</h2>
               AWS: # Sensitive: only one principal is forced to use https
                 - 'arn:aws:iam::123456789123:root'
             Action: "*"
-            Resource: arn:aws:s3:::mynoncompliantbuckets6249/*
+            Resource:
+              - arn:aws:s3:::bucketname
+              - arn:aws:s3:::bucketname/*
             Condition:
               Bool:
                 "aws:SecureTransport": false
@@ -56,20 +58,22 @@ <h2>Compliant Solution</h2>
   S3Bucket:
     Type: 'AWS::S3::Bucket' # Compliant
     Properties:
-      BucketName: "mycompliantbucket"
+      BucketName: "bucketname"
 
   S3BucketPolicy:
     Type: 'AWS::S3::BucketPolicy'
     Properties:
-      Bucket: "mycompliantbucket"
+      Bucket: !Ref S3Bucket
       PolicyDocument:
         Version: "2012-10-17"
         Statement:
           - Effect: Deny
             Principal:
               AWS: "*" # all principals should use https
             Action: "*" # for any actions
-            Resource: arn:aws:s3:::mycompliantbucket/* # for any resources
+            Resource: # for the bucket and all its objects
+              - arn:aws:s3:::bucketname
+              - arn:aws:s3:::bucketname/*
             Condition:
               Bool:
                 "aws:SecureTransport": false

iac-extensions/docker/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "DOCKER"
   ],
-  "latest-update": "2024-09-02T14:46:56.877054Z",
+  "latest-update": "2024-09-17T06:40:22.621532Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

iac-extensions/docker/src/main/resources/org/sonar/l10n/docker/rules/docker/S7026.html

@@ -1,4 +1,4 @@
-<p>In Dockerfiles, a common use case is to download remote resources to use during the build. This is often done using third-party tools inside the
+<p>In Dockerfiles, a common use case is downloading remote resources to use during the build. This is often done using third-party tools inside the
 image, like <code>wget</code> or <code>curl</code>. However, this practice can lead to inefficient use of Docker’s build cache and unnecessary
 complexity. The <code>ADD</code> instruction is a built-in feature of Docker that is specifically designed for this purpose, making it a more
 efficient and safer choice.</p>
@@ -7,28 +7,35 @@ <h2>Why is this an issue?</h2>
 lead to several issues, particularly related to the inefficient use of Docker’s build cache.</p>
 <p>Docker’s build cache is a powerful feature that can significantly speed up the build process by reusing intermediate layers from previous builds if
 no changes were detected. When you use <code>wget</code>, <code>curl</code>, or similar commands, these commands are run during the build process, and
-Docker has no way of knowing if the remote content has changed without executing the commands. This makes it impossible to effectively cache the
-results of these commands.</p>
-<p>Moreover, the installation of third-party tools inside the image can introduce unnecessary complexity, dependency on external tools and increase
-the size of the final image.</p>
+Docker has no way of knowing if the remote content has changed without executing the commands. This makes it impossible to cache the results of these
+commands efficiently.</p>
+<p>Moreover, installing third-party tools inside the image can introduce unnecessary complexity, dependency on external tools and increase the size of
+the final image.</p>
+<h3>Exceptions</h3>
+<p>In some cases, the <code>ADD</code> instruction is not able to replace the <code>wget</code> or <code>curl</code> command, especially if specific
+HTTP parameters are required: method, headers, body, etc.</p>
+<pre>
+FROM ubuntu:20.04
+RUN wget --header="Authorization: Bearer your_token" --method=POST https://example.com/resource
+</pre>
 <h2>How to fix it</h2>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
-FROM ununtu:20.04
+FROM ubuntu:20.04
 RUN wget https://example.com/resource -O /path/to/resource
 </pre>
 <pre data-diff-id="2" data-diff-type="noncompliant">
-FROM ununtu:20.04
+FROM ubuntu:20.04
 RUN curl -o /path/to/resource https://example.com/resource &amp;&amp; echo "123456abcdef /path/to/resource" | sha256sum --check
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
-FROM ununtu:20.04
+FROM ubuntu:20.04
 ADD https://example.com/resource /path/to/resource
 </pre>
 <pre data-diff-id="2" data-diff-type="compliant">
-FROM ununtu:20.04
+FROM ubuntu:20.04
 ADD --checksum=sha256:123456abcdef https://example.com/resource /path/to/resource
 </pre>
 <h2>Resources</h2>

iac-extensions/kubernetes/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "KUBERNETES"
   ],
-  "latest-update": "2024-09-02T14:47:03.763797Z",
+  "latest-update": "2024-09-17T06:40:30.052792Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

iac-extensions/kubernetes/src/main/resources/org/sonar/l10n/kubernetes/rules/kubernetes/S6430.html

@@ -51,6 +51,6 @@ <h2>Compliant Solution</h2>
 <h2>See</h2>
 <ul>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/284">CWE-284 - Improper Access Control</a> </li>
-  <li> <a href="https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt">Linux Kernel Archives, no_new_privs</a> - Official docs </li>
+  <li> <a href="https://docs.kernel.org/userspace-api/no_new_privs.html">Linux Kernel Archives, no_new_privs</a> - Official docs </li>
 </ul>
 

iac-extensions/terraform/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "TERRAFORM"
   ],
-  "latest-update": "2024-09-02T14:47:11.602411Z",
+  "latest-update": "2024-09-17T06:40:38.583237Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

iac-extensions/terraform/src/main/resources/org/sonar/l10n/terraform/rules/terraform/S6382.html

@@ -17,11 +17,15 @@ <h2>Ask Yourself Whether</h2>
 <h2>Recommended Secure Coding Practices</h2>
 <p>Enable certificate-based authentication.</p>
 <h2>Sensitive Code Example</h2>
-<p>For <a href="https://azure.microsoft.com/en-us/services/app-service/">App Service</a>:</p>
+<p>For <a href="https://azure.microsoft.com/en-us/services/app-service/containers/">Linux and Windows Web Apps</a>:</p>
 <pre data-diff-id="1" data-diff-type="noncompliant">
-resource "azurerm_app_service" "example" {
+resource "azurerm_linux_web_app" "example" {
   client_cert_enabled = false # Sensitive
 }
+resource "azurerm_linux_web_app" "example2" {
+  client_certificate_enabled = true
+  client_certificate_mode = "Optional" # Sensitive
+}
 </pre>
 <p>For <a href="https://azure.microsoft.com/en-us/services/logic-apps/">Logic App Standards</a> and <a
 href="https://azure.microsoft.com/en-us/services/functions/">Function Apps</a>:</p>
@@ -43,21 +47,18 @@ <h2>Sensitive Code Example</h2>
   client_certificate_mode = "Optional" # Sensitive
 }
 </pre>
-<p>For <a href="https://azure.microsoft.com/en-us/services/app-service/containers/">Linux and Windows Web Apps</a>:</p>
+<p>For <a href="https://azure.microsoft.com/en-us/services/app-service/">App Service</a>:</p>
 <pre data-diff-id="5" data-diff-type="noncompliant">
-resource "azurerm_linux_web_app" "example" {
+resource "azurerm_app_service" "example" {
   client_cert_enabled = false # Sensitive
 }
-resource "azurerm_linux_web_app" "exemple2" {
-  client_cert_enabled = true
-  client_cert_mode = "Optional" # Sensitive
-}
 </pre>
 <h2>Compliant Solution</h2>
-<p>For <a href="https://azure.microsoft.com/en-us/services/app-service/">App Service</a>:</p>
+<p>For <a href="https://azure.microsoft.com/en-us/services/app-service/containers/">Linux and Windows Web Apps</a>:</p>
 <pre data-diff-id="1" data-diff-type="compliant">
-resource "azurerm_app_service" "example" {
-  client_cert_enabled = true
+resource "azurerm_linux_web_app" "example" {
+  client_certificate_enabled = true
+  client_certificate_mode = "Required"
 }
 </pre>
 <p>For <a href="https://azure.microsoft.com/en-us/services/logic-apps/">Logic App Standards</a> and <a
@@ -80,11 +81,10 @@ <h2>Compliant Solution</h2>
   client_certificate_mode = "Required"
 }
 </pre>
-<p>For <a href="https://azure.microsoft.com/en-us/services/app-service/containers/">Linux and Windows Web Apps</a>:</p>
+<p>For <a href="https://azure.microsoft.com/en-us/services/app-service/">App Service</a>:</p>
 <pre data-diff-id="5" data-diff-type="compliant">
-resource "azurerm_linux_web_app" "exemple" {
+resource "azurerm_app_service" "example" {
   client_cert_enabled = true
-  client_cert_mode = "Required"
 }
 </pre>
 <h2>See</h2>