SonarSource
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1124_java.html‎
Lines changed: 14 additions & 12 deletions b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1124_java.html‎
Lines changed: 14 additions & 12 deletions
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1130_java.html‎
Lines changed: 12 additions & 8 deletions b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1130_java.html‎
Lines changed: 12 additions & 8 deletions
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1168_java.html‎
Lines changed: 0 additions & 1 deletion b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1168_java.html‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1182_java.html‎
Lines changed: 1 addition & 1 deletion b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1182_java.html‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1700_java.html‎
Lines changed: 0 additions & 1 deletion b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1700_java.html‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1860_java.html‎
Lines changed: 4 additions & 3 deletions b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1860_java.html‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1862_java.html‎
Lines changed: 0 additions & 1 deletion b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S1862_java.html‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2077_java.html‎
Lines changed: 7 additions & 51 deletions b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2077_java.html‎
Lines changed: 7 additions & 51 deletions
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2077_java.json‎
Lines changed: 1 addition & 1 deletion b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2077_java.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2115_java.html‎
Lines changed: 5 additions & 16 deletions b/‎java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2115_java.html‎
Lines changed: 5 additions & 16 deletions
@@ -1,16 +1,18 @@
 <p>The Java Language Specification recommends listing modifiers in the following order:</p>
-<p>1. Annotations</p>
-<p>2. public</p>
-<p>3. protected</p>
-<p>4. private</p>
-<p>5. abstract</p>
-<p>6. static</p>
-<p>7. final</p>
-<p>8. transient</p>
-<p>9. volatile</p>
-<p>10. synchronized</p>
-<p>11. native</p>
-<p>12. strictfp</p>
+<ol>
+  <li> Annotations </li>
+  <li> public </li>
+  <li> protected </li>
+  <li> private </li>
+  <li> abstract </li>
+  <li> static </li>
+  <li> final </li>
+  <li> transient </li>
+  <li> volatile </li>
+  <li> synchronized </li>
+  <li> native </li>
+  <li> strictfp </li>
+</ol>
 <p>Not following this convention has no technical impact, but will reduce the code's readability because most developers are used to the standard
 order.</p>
 <h2>Noncompliant Code Example</h2>
 
@@ -1,7 +1,9 @@
 <p>An exception in a <code>throws</code> declaration in Java is superfluous if it is:</p>
-<p> * listed multiple times</p>
-<p> * a subclass of another listed exception</p>
-<p> * completely unnecessary because the declared exception type cannot actually be thrown</p>
+<ul>
+  <li> listed multiple times </li>
+  <li> a subclass of another listed exception </li>
+  <li> completely unnecessary because the declared exception type cannot actually be thrown </li>
+</ul>
 <h2>Noncompliant Code Example</h2>
 <pre>
 void foo() throws MyException, MyException {}  // Noncompliant; should be listed once
@@ -14,11 +16,13 @@ <h2>Compliant Solution</h2>
 </pre>
 <h2>Exceptions</h2>
 <p>The rule will not raise any issue for exceptions that cannot be thrown from the method body:</p>
-<p> * in overriding and implementation methods</p>
-<p> * in interface <code>default</code> methods</p>
-<p> * in non-private methods that only <code>throw</code>, have empty bodies, or a single return statement.</p>
-<p> * in overridable methods (non-final, or not member of a final class, non-static, non-private), if the exception is documented with a proper
-JavaDoc</p>
+<ul>
+  <li> in overriding and implementation methods </li>
+  <li> in interface <code>default</code> methods </li>
+  <li> in non-private methods that only <code>throw</code>, have empty bodies, or a single return statement. </li>
+  <li> in overridable methods (non-final, or not member of a final class, non-static, non-private), if the exception is documented with a proper
+  JavaDoc </li>
+</ul>
 <p>Also, the rule won't raise issues on <code>RuntimeException</code>, or one of its descendants, because explicating runtime exceptions which could
 be thrown can ultimately help the method's users, and can even be considered as good practice.</p>
 <pre>
 
@@ -20,7 +20,6 @@ <h2>Noncompliant Code Example</h2>
     }
   }
 }
-
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
 
@@ -5,7 +5,7 @@
 <ol>
   <li> <code>x.clone() != x</code> </li>
   <li> <code>x.clone().getClass() == x.getClass()</code> </li>
-  <li> <code>x.clone().equals\(x\)</code> </li>
+  <li> <code>x.clone().equals(x)</code> </li>
 </ol>
 <p>Obtaining the object that will be returned by calling <code>super.clone()</code> helps to satisfy those invariants:</p>
 <ol>
 
@@ -25,7 +25,6 @@ <h2>Compliant Solution</h2>
 
 Foo foo = new Foo();
 foo.getName()
-
 </pre>
 <h2>Exceptions</h2>
 <p>When the type of the field is the containing class and that field is static, no issue is raised to allow singletons named like the type. </p>
 
@@ -35,7 +35,6 @@ <h2>Noncompliant Code Example</h2>
   synchronized(listLock) {  // Noncompliant
     // ...
   }
-
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
@@ -60,6 +59,8 @@ <h2>Compliant Solution</h2>
   }
 </pre>
 <h2>See</h2>
-<p> * <a href="https://wiki.sei.cmu.edu/confluence/x/1zdGBQ">CERT, LCK01-J.</a> - Do not synchronize on objects that may be reused</p>
-<p> * <a href="https://openjdk.java.net/jeps/390">JEP-390.</a> - JEP 390: Warnings for Value-Based Classes</p>
+<ul>
+  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/1zdGBQ">CERT, LCK01-J.</a> - Do not synchronize on objects that may be reused </li>
+  <li> <a href="https://openjdk.java.net/jeps/390">JEP-390.</a> - JEP 390: Warnings for Value-Based Classes </li>
+</ul>
 
@@ -21,7 +21,6 @@ <h2>Compliant Solution</h2>
 else if (param == 3)
   moveWindowToTheBackground();
 }
-
 </pre>
 <h2>See</h2>
 <ul>
 
@@ -1,62 +1,18 @@
-<p>Formatting strings used as SQL queries is security-sensitive. It has led in the past to the following vulnerabilities:</p>
-<ul>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9019">CVE-2018-9019</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7318">CVE-2018-7318</a> </li>
-  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611">CVE-2017-5611</a> </li>
-</ul>
-<p>SQL queries often need to use a hardcoded SQL string with a dynamic parameter coming from a user request. Formatting a string to add those
-parameters to the request is a bad practice as it can result in an <a href="https://www.owasp.org/index.php/SQL_Injection">SQL injection</a>. The safe
-way to add parameters to a SQL query is to use SQL binding mechanisms.</p>
-<p>This rule raises an issue when an SQL query is built by formatting Strings, even if there is no injection. This rule does not detect SQL
-injections. The goal is to guide security code reviews and to prevent a common bad practice.</p>
-<p>The following method signatures from Java JDBC, JPA, JDO, Hibernate and Spring are tested: </p>
-<ul>
-  <li> <code>org.hibernate.Session.createQuery</code> </li>
-  <li> <code>org.hibernate.Session.createSQLQuery</code> </li>
-  <li> <code>java.sql.Statement.executeQuery</code> </li>
-  <li> <code>java.sql.Statement.execute</code> </li>
-  <li> <code>java.sql.Statement.executeUpdate</code> </li>
-  <li> <code>java.sql.Statement.executeLargeUpdate</code> </li>
-  <li> <code>java.sql.Statement.addBatch</code> </li>
-  <li> <code>java.sql.Connection.prepareStatement</code> </li>
-  <li> <code>java.sql.Connection.prepareCall</code> </li>
-  <li> <code>java.sql.Connection.nativeSQL</code> </li>
-  <li> <code>javax.persistence.EntityManager.createNativeQuery</code> </li>
-  <li> <code>javax.persistence.EntityManager.createQuery</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.batchUpdate</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.execute</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.query</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.queryForList</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.queryForMap</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.queryForObject</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.queryForRowSet</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.queryForInt</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.queryForLong</code> </li>
-  <li> <code>org.springframework.jdbc.core.JdbcOperations.update</code> </li>
-  <li> <code>org.springframework.jdbc.core.PreparedStatementCreatorFactory.&lt;init&gt;</code> </li>
-  <li> <code>org.springframework.jdbc.core.PreparedStatementCreatorFactory.newPreparedStatementCreator</code> </li>
-  <li> <code>javax.jdo.PersistenceManager.newQuery</code> </li>
-  <li> <code>javax.jdo.Query.setFilter</code> </li>
-  <li> <code>javax.jdo.Query.setGrouping</code> </li>
-</ul>
-<p>If a method is defined in an interface, implementations are also tested. For example this is the case for
-<code>org.springframework.jdbc.core.JdbcOperations</code> , which is usually used as <code>org.springframework.jdbc.core.JdbcTemplate</code>). </p>
+<p>Formatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the
+query. However, this rule doesn't detect SQL injections (unlike rule s3649), the goal is only to highlight complex/formatted queries.</p>
 <h2>Ask Yourself Whether</h2>
 <ul>
-  <li> the SQL query is built using string formatting technics, such as concatenating variables. </li>
-  <li> some of the values are coming from an untrusted source and are not sanitized. </li>
+  <li> Some parts of the query come from untrusted values (like user inputs). </li>
+  <li> The query is repeated/duplicated in other parts of the code. </li>
+  <li> The application must support different types of relational databases. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
-  <li> Avoid building queries manually using formatting technics. If you do it anyway, do not include user input in this building process. </li>
   <li> Use <a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">parameterized queries, prepared statements, or stored
-  procedures</a> whenever possible. </li>
-  <li> You may also use ORM frameworks such as Hibernate which, if used correctly, reduce injection risks. </li>
-  <li> Avoid executing SQL queries containing unsafe input in stored procedures or functions. </li>
-  <li> <a href="https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet">Sanitize</a> every unsafe input. </li>
+  procedures</a> and bind variables to SQL query parameters. </li>
+  <li> Consider using ORM frameworks if there is a need to have an abstract layer to access data. </li>
 </ul>
-<p>You can also reduce the impact of an attack by using a database account with low privileges.</p>
 <h2>Sensitive Code Example</h2>
 <pre>
 public User getUser(Connection con, String user) throws SQLException {
 
@@ -16,7 +16,7 @@
     "hibernate",
     "sql"
   ],
-  "defaultSeverity": "Critical",
+  "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2077",
   "sqKey": "S2077",
   "scope": "Main",
 
@@ -1,24 +1,13 @@
-<p>Databases should always be password protected. The use of a database connection with an empty password is a clear indication of a database that is
-not protected.</p>
-<p>This rule flags database connections with empty passwords.</p>
+<p>When relying on the password authentication mode for the database connection, a secure password should be chosen.</p>
+<p>This rule raises an issue when an empty password is used.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
-Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "AppLogin", "");
-Connection conn2 = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&amp;password=");
+Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "login", "");
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
-DriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&amp;password=password");
-
-DriverManager.getConnection("jdbc:mysql://address=(host=myhost1)(port=1111)(key1=value1)(user=sandy)(password=secret),address=(host=myhost2)(port=2222)(key2=value2)(user=sandy)(password=secret)/db");
-
-DriverManager.getConnection("jdbc:mysql://sandy:secret@[myhost1:1111,myhost2:2222]/db");
-
-String url = "jdbc:postgresql://localhost/test";
-Properties props = new Properties();
-props.setProperty("user", "fred");
-props.setProperty("password", "secret");
-DriverManager.getConnection(url, props);
+String password = System.getProperty("database.password");
+Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "login", password);
 </pre>
 <h2>See</h2>
 <ul>
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,6 @@ <h2>Noncompliant Code Example</h2>`
`20`	`20`	`}`
`21`	`21`	`}`
`22`	`22`	`}`
`23`		`-`
`24`	`23`	`</pre>`
`25`	`24`	`<h2>Compliant Solution</h2>`
`26`	`25`	`<pre>`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,6 @@ <h2>Compliant Solution</h2>`
`21`	`21`	`else if (param == 3)`
`22`	`22`	`moveWindowToTheBackground();`
`23`	`23`	`}`
`24`		`-`
`25`	`24`	`</pre>`
`26`	`25`	`<h2>See</h2>`
`27`	`26`	`<ul>`