SONARJAVA-5254 Update RSPEC before 8.10 release (#5030)

Author: alban-auzeill

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4426.html

@@ -152,7 +152,7 @@ <h3>How does this work?</h3>
 <h4>RSA (Rivest-Shamir-Adleman) and DSA (Digital Signature Algorithm)</h4>
 <p>The security of these algorithms depends on the difficulty of attacks attempting to solve their underlying mathematical problem.</p>
 <p>In general, a minimum key size of <strong>2048</strong> bits is recommended for both. It provides 112 bits of security. A key length of
-<strong>3072</strong> or <strong>4092</strong> should be preferred when possible.</p>
+<strong>3072</strong> or <strong>4096</strong> should be preferred when possible.</p>
 <h4>AES (Advanced Encryption Standard)</h4>
 <p>AES supports three key sizes: 128 bits, 192 bits and 256 bits. The security of the AES algorithm is based on the computational complexity of trying
 all possible keys.<br> A larger key size increases the number of possible keys and makes exhaustive search attacks computationally infeasible.

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5332.json

@@ -9,7 +9,8 @@
   },
   "status": "ready",
   "tags": [
-    "cwe"
+    "cwe",
+    "android"
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5332",

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6293.json

@@ -13,7 +13,8 @@
     "constantCost": "5min"
   },
   "tags": [
-    "cwe"
+    "cwe",
+    "android"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-6293",

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6809.html

@@ -1,13 +1,13 @@
 <h2>Why is this an issue?</h2>
-<p>A method annotated with Spring’s <code>@Async</code> or <code>@Transactional</code> annotations will not work as expected if invoked directly from
-within its class.</p>
-<p>This is because Spring generates a proxy class with wrapper code to manage the method’s asynchronicity (<code>@Async</code>) or to handle the
-transaction (<code>@Transactional</code>). However, when called using <code>this</code>, the proxy instance is bypassed, and the method is invoked
-directly without the required wrapper code.</p>
+<p>A method annotated with Spring’s <code>@Async</code>, <code>@Cacheable</code> or <code>@Transactional</code> annotations will not work as expected
+if invoked directly from within its class.</p>
+<p>This is because Spring generates a proxy class with wrapper code to manage the method’s asynchronicity (<code>@Async</code>), to cache methods
+invocations (<code>@Cacheable</code>), or to handle the transaction (<code>@Transactional</code>). However, when called using <code>this</code>, the
+proxy instance is bypassed, and the method is invoked directly without the required wrapper code.</p>
 <h2>How to fix it</h2>
-<p>Replace calls to <code>@Async</code> or <code>@Transactional</code> methods via <code>this</code> with calls on an instance that was injected by
-Spring (<code>@Autowired</code>, <code>@Resource</code> or <code>@Inject</code>). The injected instance is a proxy on which the methods can be invoked
-safely.</p>
+<p>Replace calls to <code>@Async</code>, <code>@Cacheable</code> or <code>@Transactional</code> methods via <code>this</code> with calls on an
+instance that was injected by Spring (<code>@Autowired</code>, <code>@Resource</code> or <code>@Inject</code>). The injected instance is a proxy on
+which the methods can be invoked safely.</p>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
@@ -17,12 +17,19 @@ <h4>Noncompliant code example</h4>
   @Override
   public void process(Notification notification) {
     processAsync(notification); // Noncompliant, call bypasses proxy
+    retrieveNotification(notification.id); // Noncompliant, call bypasses proxy and will not be cached
   }
 
   @Async
   public processAsync(Notification notification) {
     // ...
   }
+
+  @Cacheable
+  public Notification retrieveNotification(Long id) {
+    // ...
+  }
+
 }
 </pre>
 <h4>Compliant solution</h4>
@@ -36,12 +43,18 @@ <h4>Compliant solution</h4>
   @Override
   public void process(Notification notification) {
     asyncNotificationProcessor.processAsync(notification); // Compliant, call via injected proxy
+    asyncNotificationProcessor.retrieveNotification(notification.id); // Compliant, the call will be cached
   }
 
   @Async
   public processAsync(Notification notification) {
     // ...
   }
+
+  @Cacheable
+  public Notification retrieveNotification(Long id) {
+    // ...
+  }
 }
 </pre>
 <h2>Resources</h2>
@@ -51,12 +64,16 @@ <h3>Documentation</h3>
   Framework API - Annotation Interface Async</a> </li>
   <li> <a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/transaction/annotation/Transactional.html">Spring
   Framework API - Annotation Interface Transactional</a> </li>
+  <li> <a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/cache/annotation/Cacheable.html">Spring Framework
+  API - Annotation Interface Cacheable</a> </li>
 </ul>
 <h3>Articles &amp; blog posts</h3>
 <ul>
   <li> <a href="https://www.baeldung.com/spring-async">Baeldung - How To Do @Async in Spring</a> </li>
   <li> <a href="https://stackoverflow.com/questions/22561775/spring-async-ignored">Stack Overflow - Spring @Async ignored</a> </li>
   <li> <a href="https://stackoverflow.com/questions/4396284/does-spring-transactional-attribute-work-on-a-private-method">Stack Overflow - Does Spring
   @Transactional attribute work on a private method?</a> </li>
+  <li> <a href="https://docs.spring.io/spring-framework/reference/integration/cache/annotations.html#cache-annotations-cacheable">Spring docs, The
+  @Cacheable Annotation</a> </li>
 </ul>
 

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6856.html

@@ -5,6 +5,8 @@ <h2>Why is this an issue?</h2>
 module and are commonly used to define the routes for different HTTP operations in a RESTful API.</p>
 <p>If a method has a path template containing a placeholder, like "/api/resource/{id}", and there’s no <code>@PathVariable</code> annotation on a
 method parameter to capture the id path variable, Spring will disregard the id variable.</p>
+<p>This rule will raise an issue if a method has a path template with a placeholder, but no corresponding <code>@PathVariable</code>, or
+vice-versa.</p>
 <h2>How to fix it</h2>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
@@ -13,13 +15,23 @@ <h4>Noncompliant code example</h4>
 public ResponseEntity&lt;String&gt; getResourceById(Long id) { // Noncompliant - The 'id' parameter will not be automatically populated with the path variable value
   return ResponseEntity.ok("Fetching resource with ID: " + id);
 }
+
+@GetMapping("/api/asset/")
+public ResponseEntity&lt;String&gt; getAssetById(@PathVariable Long id) { // Noncompliant - The 'id' parameter does not have a corresponding placeholder
+  return ResponseEntity.ok("Fetching asset with ID: " + id);
+}
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
 @GetMapping("/api/resource/{id}")
 public ResponseEntity&lt;String&gt; getResourceById(@PathVariable Long id) { // Compliant
   return ResponseEntity.ok("Fetching resource with ID: " + id);
 }
+
+@GetMapping("/api/asset/{id}")
+public ResponseEntity&lt;String&gt; getAssetById(@PathVariable Long id) {
+  return ResponseEntity.ok("Fetching asset with ID: " + id);
+}
 </pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2025-01-09T10:42:54.029515Z",
+  "latest-update": "2025-02-14T14:49:23.786310Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false