Update rule metadata (#5306)

Co-authored-by: tomasz-tylenda-sonarsource <tomasz-tylenda-sonarsource@users.noreply.github.com>

Author: github-actions[bot]

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2053.html

@@ -51,15 +51,15 @@ <h4>Compliant solution</h4>
 
 public void hash() {
     SecureRandom random = new SecureRandom();
-    byte[] salt = new byte[32];
+    byte[] salt = new byte[16];
     random.nextBytes(salt);
 
     PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, 10000);
 }
 </pre>
 <h3>How does this work?</h3>
 <p>This code ensures that each user’s password has a unique salt value associated with it. It generates a salt randomly and with a length that
-provides the required security level. It uses a salt length of at least 32 bytes (256 bits), as recommended by industry standards.</p>
+provides the required security level. It uses a salt length of at least 16 bytes (128 bits), as recommended by industry standards.</p>
 <p>Here, the compliant code example ensures the salt is random and has a sufficient length by calling the <code>nextBytes</code> method from the
 <code>SecureRandom</code> class with a salt buffer of 16 bytes. This class implements a cryptographically secure pseudo-random number generator.</p>
 <h2>Resources</h2>

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.html

@@ -11,8 +11,8 @@ <h2>Ask Yourself Whether</h2>
 <h2>Recommended Secure Coding Practices</h2>
 <p>The most restrictive possible permissions should be assigned to files and directories.</p>
 <h2>Sensitive Code Example</h2>
-<pre>
-    public void setPermissions(String filePath) {
+<pre data-diff-id="1" data-diff-type="noncompliant">
+    public void setPermissions(String filePath) throws IOException {
         Set&lt;PosixFilePermission&gt; perms = new HashSet&lt;PosixFilePermission&gt;();
         // user permission
         perms.add(PosixFilePermission.OWNER_READ);
@@ -29,20 +29,15 @@ <h2>Sensitive Code Example</h2>
         Files.setPosixFilePermissions(Paths.get(filePath), perms);
     }
 </pre>
-<pre>
-    public void setPermissionsUsingRuntimeExec(String filePath) {
-        Runtime.getRuntime().exec("chmod 777 file.json"); // Sensitive
-    }
-</pre>
-<pre>
+<pre data-diff-id="2" data-diff-type="noncompliant">
     public void setOthersPermissionsHardCoded(String filePath ) {
         Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwxrwx")); // Sensitive
     }
 </pre>
 <h2>Compliant Solution</h2>
 <p>On operating systems that implement POSIX standard. This will throw a <code>UnsupportedOperationException</code> on Windows.</p>
-<pre>
-    public void setPermissionsSafe(String filePath) throws IOException {
+<pre data-diff-id="1" data-diff-type="compliant">
+    public void setPermissions(String filePath) throws IOException {
         Set&lt;PosixFilePermission&gt; perms = new HashSet&lt;PosixFilePermission&gt;();
         // user permission
         perms.add(PosixFilePermission.OWNER_READ);
@@ -52,13 +47,18 @@ <h2>Compliant Solution</h2>
         perms.add(PosixFilePermission.GROUP_READ);
         perms.add(PosixFilePermission.GROUP_EXECUTE);
         // others permissions removed
-        perms.remove(PosixFilePermission.OTHERS_READ); // Compliant
-        perms.remove(PosixFilePermission.OTHERS_WRITE); // Compliant
-        perms.remove(PosixFilePermission.OTHERS_EXECUTE); // Compliant
+        perms.remove(PosixFilePermission.OTHERS_READ);
+        perms.remove(PosixFilePermission.OTHERS_WRITE);
+        perms.remove(PosixFilePermission.OTHERS_EXECUTE);
 
         Files.setPosixFilePermissions(Paths.get(filePath), perms);
     }
 </pre>
+<pre data-diff-id="2" data-diff-type="compliant">
+    public void setOthersPermissionsHardCoded(String filePath ) {
+        Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwx---"));
+    }
+</pre>
 <h2>See</h2>
 <ul>
   <li> OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a> </li>

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4426.html

@@ -16,9 +16,9 @@ <h2>Why is this an issue?</h2>
 <p>Note that depending on the algorithm, the term <strong>key</strong> refers to a different mathematical property. For example:</p>
 <ul>
   <li> For RSA, the key is the product of two large prime numbers, also called the <strong>modulus</strong>. </li>
-  <li> For AES and Elliptic Curve Cryptography (ECC), the key is only a sequence of randomly generated bytes.
+  <li> For Elliptic Curve Cryptography (ECC), the key is only a sequence of randomly generated bytes.
     <ul>
-      <li> In some cases, AES keys are derived from a master key or a passphrase using a Key Derivation Function (KDF) like PBKDF2 (Password-Based Key
+      <li> In some cases, keys are derived from a master key or a passphrase using a Key Derivation Function (KDF) like PBKDF2 (Password-Based Key
       Derivation Function 2) </li>
     </ul>  </li>
 </ul>
@@ -66,21 +66,6 @@ <h4>Noncompliant code example</h4>
     }
 }
 </pre>
-<p>Here is an example of a private key generation with AES:</p>
-<pre data-diff-id="2" data-diff-type="noncompliant">
-import java.security.KeyGenerator;
-import java.security.NoSuchAlgorithmException;
-
-public static void main(String[] args) {
-    try {
-        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
-        keyGenerator.initialize(64); // Noncompliant
-
-    } catch (NoSuchAlgorithmException e) {
-        // ...
-    }
-}
-</pre>
 <p>Here is an example of an Elliptic Curve (EC) initialization. It implicitly generates a private key whose size is indicated in the elliptic curve
 name:</p>
 <pre data-diff-id="3" data-diff-type="noncompliant">
@@ -115,20 +100,6 @@ <h4>Compliant solution</h4>
     }
 }
 </pre>
-<pre data-diff-id="2" data-diff-type="compliant">
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-
-public static void main(String[] args) {
-    try {
-        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("AES");
-        keyPairGenerator.initialize(128);
-
-    } catch (NoSuchAlgorithmException e) {
-        // ...
-    }
-}
-</pre>
 <pre data-diff-id="3" data-diff-type="compliant">
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
@@ -153,11 +124,6 @@ <h4>RSA (Rivest-Shamir-Adleman) and DSA (Digital Signature Algorithm)</h4>
 <p>The security of these algorithms depends on the difficulty of attacks attempting to solve their underlying mathematical problem.</p>
 <p>In general, a minimum key size of <strong>2048</strong> bits is recommended for both. It provides 112 bits of security. A key length of
 <strong>3072</strong> or <strong>4096</strong> should be preferred when possible.</p>
-<h4>AES (Advanced Encryption Standard)</h4>
-<p>AES supports three key sizes: 128 bits, 192 bits and 256 bits. The security of the AES algorithm is based on the computational complexity of trying
-all possible keys.<br> A larger key size increases the number of possible keys and makes exhaustive search attacks computationally infeasible.
-Therefore, a 256-bit key provides a higher level of security than a 128-bit or 192-bit key.</p>
-<p>Currently, a minimum key size of <strong>128 bits</strong> is recommended for AES.</p>
 <h4>Elliptic Curve Cryptography (ECC)</h4>
 <p>Elliptic curve cryptography is also used in various algorithms, such as ECDSA, ECDH, or ECMQV. The length of keys generated with elliptic curve
 algorithms is mentioned directly in their names. For example, <code>secp256k1</code> generates a 256-bits long private key.</p>

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4507.json

@@ -33,6 +33,9 @@
     ],
     "OWASP Top 10 2021": [
       "A5"
+    ],
+    "ASVS 4.0": [
+      "14.3.2"
     ]
   },
   "quickfix": "unknown"

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6246.html

@@ -1,6 +1,7 @@
+<p>This rule reports an issue when a lambda invokes another lambda synchronously.</p>
 <h2>Why is this an issue?</h2>
 <p>Invoking other Lambdas synchronously from a Lambda is a scalability anti-pattern. Lambdas have a maximum execution time before they timeout (15
-minutes as of May 2021). Having to wait for another Lambda to finish its execution could lead to a timeout.</p>
+minutes as of June 2025). Having to wait for another Lambda to finish its execution could lead to a timeout.</p>
 <p>A better solution is to generate&nbsp;events that can be consumed asynchronously by other Lambdas.</p>
 <h3>Noncompliant code example</h3>
 <p>With AWS SDKv1</p>

sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6363.html

@@ -1,6 +1,5 @@
-<p>Exposing the Android file system to WebViews is security-sensitive.</p>
 <p>Granting file access to WebViews, particularly through the <code>file://</code> scheme, introduces a risk of local file inclusion vulnerabilities.
-The severity of this risk depends heavily on the specific <code>WebSettings</code> configured. Overly permissive settings can allow malicious scripts
+The severity of this risk depends heavily on the specific settings configured for the WebView. Overly permissive settings can allow malicious scripts
 to access a wide range of local files, potentially exposing sensitive data such as Personally Identifiable Information (PII) or private application
 data, leading to data breaches and other security compromises.</p>
 <h2>Ask Yourself Whether</h2>
@@ -11,8 +10,13 @@ <h2>Ask Yourself Whether</h2>
 <p>There is a risk if you answered yes to any of these questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <p>Avoid opening <code>file://</code> URLs from external sources in WebView components. If your application accepts arbitrary URLs from external
-sources, do not enable this functionality. Instead, utilize <code>androidx.webkit.WebViewAssetLoader</code> to access files, including assets and
-resources, via <code>http(s)://</code> schemes.</p>
+sources, do not enable this functionality.</p>
+<p>On Android, it is recommended to use <code>androidx.webkit.WebViewAssetLoader</code> to access files, including assets and resources, via a custom,
+controllable scheme.</p>
+<p>On iOS, it is recommended to use Bundles to access local files, keeping access limited a controlled subset using the
+<code>allowingReadAccessTo</code> parameter of the <code>loadFileURL</code> method. If <code>allowFileAccessFromFileURLs</code> and
+<code>allowUniversalAccessFromFileURLs</code> are not enabled, it is not possible to access files outside the intended directory. It is also possible
+to create a custom scheme to access local files, but this is more complex and might lead to unintended security issues.</p>
 <p>For enhanced security, ensure that the options to load <code>file://</code> URLs are explicitly set to false.</p>
 <h2>Sensitive Code Example</h2>
 <pre>

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2025-08-04T14:06:07.748110868Z",
+  "latest-update": "2025-09-29T08:08:50.655366545Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false