NO-JIRA Update rules metadata (#1054)

GitOrigin-RevId: 29bb749ca8ba868066f5ba113eb43307ee1547ff

Author: guillaume-dequenne

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2092.html

@@ -1,43 +1,29 @@
 <p>When a cookie is protected with the <code>secure</code> attribute set to <em>true</em> it will not be send by the browser over an unencrypted HTTP
 request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>the cookie is for instance a <em>session-cookie</em> not designed to be sent over non-HTTPS communication.</li>
-  <li>it’s not sure that the website contains <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content">mixed content</a> or not
-  (ie HTTPS everywhere or not)</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li>It is recommended to use <code>HTTPs</code> everywhere so setting the <code>secure</code> flag to <em>true</em> should be the default behaviour
-  when creating cookies.</li>
-  <li>Set the <code>secure</code> flag to <em>true</em> for session-cookies.</li>
-</ul>
-<h2>Sensitive Code Example</h2>
-<p>Using Flask:</p>
-<pre data-diff-id="11" data-diff-type="noncompliant">
+<h2>Why is this an issue?</h2>
+<p>When a cookie is created without the <code>secure</code> attribute set to <code>true</code>, browsers will transmit it over unencrypted HTTP
+connections as well as HTTPS. An attacker who can observe or intercept network traffic—for example on a public Wi-Fi network—can read the cookie value
+in cleartext.</p>
+<h3>What is the potential impact?</h3>
+<h4>Session hijacking</h4>
+<p>If a session cookie is transmitted over an unencrypted HTTP connection, an attacker who can intercept the traffic can steal it. With a valid
+session cookie, the attacker can impersonate the victim and gain full access to their account without knowing their password. Even on sites that
+primarily use HTTPS, a single HTTP request containing the session cookie is enough to expose it.</p>
+<h2>How to fix it in Flask</h2>
+<p>Pass <code>secure=True</code> to <code>set_cookie</code> to prevent the cookie from being transmitted over unencrypted HTTP connections.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 from flask import Response
 
 @app.route('/')
 def index():
     response = Response()
-    response.set_cookie('key', 'value')  # Sensitive
+    response.set_cookie('key', 'value')  # Noncompliant
     return response
 </pre>
-<p>Using FastAPI:</p>
-<pre data-diff-id="21" data-diff-type="noncompliant">
-from fastapi import FastAPI, Response
-
-app = FastAPI()
-
-@app.get('/')
-async def index(response: Response):
-    response.set_cookie('key', 'value')  # Sensitive
-    return {"message": "Hello world!"}
-</pre>
-<h2>Compliant Solution</h2>
-<p>Using Flask:</p>
-<pre data-diff-id="11" data-diff-type="compliant">
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
 from flask import Response
 
 @app.route('/')
@@ -46,8 +32,22 @@ <h2>Compliant Solution</h2>
     response.set_cookie('key', 'value', secure=True)
     return response
 </pre>
-<p>Using FastAPI:</p>
-<pre data-diff-id="21" data-diff-type="compliant">
+<h2>How to fix it in FastAPI</h2>
+<p>Pass <code>secure=True</code> to <code>set_cookie</code> to prevent the cookie from being transmitted over unencrypted HTTP connections.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+from fastapi import FastAPI, Response
+
+app = FastAPI()
+
+@app.get('/')
+async def index(response: Response):
+    response.set_cookie('key', 'value')  # Noncompliant
+    return {"message": "Hello world!"}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
 from fastapi import FastAPI, Response
 
 app = FastAPI()
@@ -57,7 +57,8 @@ <h2>Compliant Solution</h2>
     response.set_cookie('key', 'value', secure=True)
     return {"message": "Hello world!"}
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
   <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
   <li>OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a></li>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2092.json

@@ -1,6 +1,7 @@
 {
-  "title": "Creating cookies without the \"secure\" flag is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Cookies should have the \"secure\" flag",
+  "type": "VULNERABILITY",
+  "quickfix": "unknown",
   "code": {
     "impacts": {
       "SECURITY": "LOW"

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8494.html

@@ -1,10 +1,33 @@
-<p>This rule raises an issue when code assigns a value to an attribute that is not listed in the class's <code>__slots__</code> declaration.</p>
+<p>This rule raises an issue when code assigns a value to an attribute that is not listed in the class’s <code>__slots__</code> declaration.</p>
 <h2>Why is this an issue?</h2>
-<p>In Python, the <code>__slots__</code> class attribute is used to explicitly declare which instance attributes a class can have. When a class defines
-<code>__slots__</code>, Python restricts instances to only those attributes, preventing the creation of new attributes dynamically.</p>
-<p>Assigning to an attribute that is not in <code>__slots__</code> causes Python to raise an <code>AttributeError</code> at runtime.</p>
+<p>In Python, the <code>__slots__</code> class attribute is used to explicitly declare which instance attributes a class can have. When a class
+defines <code>__slots__</code>, Python restricts instances to only those attributes, preventing the creation of new attributes dynamically.</p>
+<p>This restriction serves several purposes:</p>
+<ul>
+  <li><strong>memory efficiency</strong>: instances use less memory because Python does not create a <code>__dict__</code> for each instance</li>
+  <li><strong>faster attribute access</strong>: attribute lookups are faster with <code>__slots__</code></li>
+  <li><strong>explicit interface</strong>: the class clearly declares which attributes it supports</li>
+</ul>
+<p>Assigning to an attribute that is not in <code>__slots__</code> causes Python to raise an <code>AttributeError</code> at runtime:</p>
+<pre>
+class Point:
+    __slots__ = ['x', 'y']
+
+p = Point()
+p.x = 10  # OK
+p.z = 20  # Raises AttributeError: 'Point' object has no attribute 'z'
+</pre>
+<h3>What is the potential impact?</h3>
+<p>When code attempts to assign to an attribute not in <code>__slots__</code>, the application will crash with an <code>AttributeError</code> at
+runtime. This can lead to:</p>
+<ul>
+  <li><strong>application crashes</strong>: the error will terminate the current operation unless properly handled</li>
+  <li><strong>data loss</strong>: if the assignment happens during a data processing operation, partial results may be lost</li>
+  <li><strong>poor user experience</strong>: users may encounter unexpected errors during normal operations</li>
+  <li><strong>difficult debugging</strong>: the error may only occur in specific scenarios, making it hard to reproduce and fix</li>
+</ul>
 <h2>How to fix it</h2>
-<p>Add the missing attribute to the <code>__slots__</code> declaration.</p>
+<p>If the attribute should be part of the class’s interface, add it to the <code>__slots__</code> declaration.</p>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
@@ -31,3 +54,4 @@ <h3>Documentation</h3>
 <ul>
   <li>Python Documentation - <a href="https://docs.python.org/3/reference/datamodel.html#slots">__slots__</a></li>
 </ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8494.json

@@ -1,21 +1,24 @@
 {
   "title": "Attributes should only be assigned if they are declared in \"__slots__\"",
   "type": "BUG",
-  "code": {
-    "impacts": {
-      "RELIABILITY": "BLOCKER"
-    },
-    "attribute": "LOGICAL"
-  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
-    "constantCost": "5min"
+    "constantCost": "5 min"
   },
-  "tags": [],
+  "tags": [
+    "pitfall",
+    "slots"
+  ],
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-8494",
   "sqKey": "S8494",
   "scope": "All",
-  "quickfix": "unknown"
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "BLOCKER"
+    },
+    "attribute": "LOGICAL"
+  }
 }

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8495.html

@@ -10,6 +10,7 @@ <h2>Why is this an issue?</h2>
     else:
         return (value, value * 2)  # Returns a 2-tuple
 
+# Caller has no reliable way to unpack this
 result = process_data(10)
 x, y = result  # ValueError if value &gt; 0!
 </pre>
@@ -20,8 +21,8 @@ <h3>What is the potential impact?</h3>
 <p>Runtime errors from tuple unpacking may not surface during initial testing if certain code paths are not fully exercised, leading to production
 failures. The need for defensive length-checking also increases the maintenance burden and makes the API harder to document for new team members.</p>
 <h2>How to fix it</h2>
-<p>Make all return statements return tuples of the same length. Add placeholder values (like <code>None</code> or <code>0</code>) to shorter tuples
-to maintain consistency.</p>
+<p>Make all return statements return tuples of the same length. Add placeholder values (like <code>None</code> or <code>0</code>) to shorter tuples to
+maintain consistency.</p>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
@@ -41,9 +42,28 @@ <h4>Compliant solution</h4>
     average = total / len(numbers)
     return (total, average)
 </pre>
+<h3>Going the extra mile</h3>
+<p>For complex return types, consider using <code>typing.NamedTuple</code> to make the return value self-documenting. Named tuples provide clear field
+names and enforce a consistent structure, making the API easier to use and understand.</p>
+<pre>
+from typing import NamedTuple
+
+class Stats(NamedTuple):
+    total: float
+    average: float
+
+def calculate_stats(numbers) -&gt; Stats:
+    if not numbers:
+        return Stats(total=0, average=0)
+    total = sum(numbers)
+    average = total / len(numbers)
+    return Stats(total=total, average=average)
+</pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>
 <ul>
-  <li>Python Documentation - <a href="https://docs.python.org/3/tutorial/controlflow.html#more-on-defining-functions">More on Defining Functions</a></li>
+  <li>Python Documentation - <a href="https://docs.python.org/3/tutorial/controlflow.html#more-on-defining-functions">More on Defining
+  Functions</a></li>
   <li>Python Documentation - <a href="https://docs.python.org/3/tutorial/datastructures.html#tuples-and-sequences">Tuples and Sequences</a></li>
 </ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8495.json

@@ -4,18 +4,23 @@
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
-    "constantCost": "5min"
+    "constantCost": "10 min"
   },
-  "tags": [],
+  "tags": [
+    "pitfall",
+    "api-design",
+    "type-system"
+  ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-8495",
   "sqKey": "S8495",
   "scope": "Main",
   "quickfix": "unknown",
   "code": {
     "impacts": {
+      "RELIABILITY": "HIGH",
       "MAINTAINABILITY": "HIGH"
     },
-    "attribute": "CONVENTIONAL"
+    "attribute": "CLEAR"
   }
 }

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -328,6 +328,8 @@
     "S8413",
     "S8414",
     "S8415",
+    "S8494",
+    "S8495",
     "S8504",
     "S8517",
     "S8521"

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "PY"
   ],
-  "latest-update": "2026-04-08T07:34:47.747313Z",
+  "latest-update": "2026-04-09T08:05:06.976620Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true