SONARPY-3892 Updated rule metadata (#949)

GitOrigin-RevId: c4bf2e467841a6dd376dffb4fa16e876b92e7b31

Author: joke1196

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2068.json

@@ -3,7 +3,7 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "BLOCKER"
+      "SECURITY": "MEDIUM"
     },
     "attribute": "TRUSTWORTHY"
   },
@@ -16,7 +16,7 @@
   "tags": [
     "cwe"
   ],
-  "defaultSeverity": "Blocker",
+  "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-2068",
   "sqKey": "S2068",
   "scope": "Main",

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2612.html

@@ -1,52 +1,59 @@
+<h2>Why is this an issue?</h2>
 <p>In Unix file system permissions, the "<code>others</code>" category refers to all users except the owner of the file system resource and the
 members of the group assigned to this resource.</p>
 <p>Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive
 information, disrupt services or elevate privileges.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>The application is designed to be run on a multi-user environment.</li>
-  <li>Corresponding files and directories may contain confidential information.</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<p>The most restrictive possible permissions should be assigned to files and directories.</p>
-<h2>Sensitive Code Example</h2>
-<p>For <a href="https://docs.python.org/3/library/os.html#os.umask">os.umask</a>:</p>
+<h3>What is the potential impact?</h3>
+<h4>Unauthorized access to sensitive information</h4>
+<p>When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models),
+attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords,
+personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive
+disadvantage.</p>
+<h4>Service disruption and data corruption</h4>
+<p>Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or
+compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete
+important resources, leading to service outages, system instability, data loss, and denial of service.</p>
+<h4>Privilege escalation</h4>
+<p>When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to
+execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious
+code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling
+them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.</p>
+<h2>How to fix it</h2>
+<p>When using <code>os.umask</code>, set a restrictive umask value that prevents permissions for "others". The umask value <code>0o777</code> ensures
+that no permissions are granted to any category by default. This is the most secure approach as it requires explicit permission grants rather than
+implicit ones.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
 os.umask(0)  # Sensitive
 </pre>
-<p>For <a href="https://docs.python.org/3/library/os.html#os.chmod">os.chmod</a>, <a
-href="https://docs.python.org/3/library/os.html#os.lchmod">os.lchmod</a>, and <a
-href="https://docs.python.org/3/library/os.html#os.fchmod">os.fchmod</a>:</p>
-<pre data-diff-id="2" data-diff-type="noncompliant">
-os.chmod("/tmp/fs", stat.S_IRWXO)   # Sensitive
-os.lchmod("/tmp/fs", stat.S_IRWXO)  # Sensitive
-os.fchmod(fd, stat.S_IRWXO)         # Sensitive
-</pre>
-<h2>Compliant Solution</h2>
-<p>For <a href="https://docs.python.org/3/library/os.html#os.umask">os.umask</a>:</p>
+<h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
 os.umask(0o777)
 </pre>
-<p>For <a href="https://docs.python.org/3/library/os.html#os.chmod">os.chmod</a>, <a
-href="https://docs.python.org/3/library/os.html#os.lchmod">os.lchmod</a>, and <a
-href="https://docs.python.org/3/library/os.html#os.fchmod">os.fchmod</a>:</p>
-<pre data-diff-id="2" data-diff-type="compliant">
-os.chmod("/tmp/fs", stat.S_IRWXU)
-os.lchmod("/tmp/fs", stat.S_IRWXU)
-os.fchmod(fd, stat.S_IRWXU)
-</pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li>OWASP File Permission Testing Guide - <a
+  href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission">OWASP guidance on testing file permissions in web applications</a></li>
+  <li>Python Documentation - os.umask - <a href="https://docs.python.org/3/library/os.html#os.umask">Official Python documentation for the os.umask
+  function</a></li>
+  <li>Python Documentation - os.chmod - <a href="https://docs.python.org/3/library/os.html#os.chmod">Official Python documentation for the os.chmod
+  function</a></li>
+  <li>Python Documentation - os.lchmod - <a href="https://docs.python.org/3/library/os.html#os.lchmod">Official Python documentation for the os.lchmod
+  function</a></li>
+  <li>Python Documentation - os.fchmod - <a href="https://docs.python.org/3/library/os.html#os.fchmod">Official Python documentation for the os.fchmod
+  function</a></li>
+</ul>
+<h3>Standards</h3>
 <ul>
-  <li>OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a></li>
-  <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
-  <li>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control">Top 10 2017 Category A5 - Broken Access
-  Control</a></li>
-  <li><a
-  href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission">OWASP File Permission</a></li>
-  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a></li>
   <li>CWE - <a href="https://cwe.mitre.org/data/definitions/266">CWE-266 - Incorrect Privilege Assignment</a></li>
+  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a></li>
   <li>STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222430">Application Security and
-  Development: V-222430</a> - The application must execute without excessive account permissions.</li>
+  Development: V-222430</a> - The application must execute without excessive account permissions</li>
+  <li>OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a></li>
+  <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
+  <li>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control">Top 10 2017 Category A5 - Broken Access Control -
+  OWASP Top 10 2017</a></li>
 </ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S2612.json

@@ -1,6 +1,6 @@
 {
-  "title": "Setting loose POSIX file permissions is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "File permissions should not be set to world-accessible values",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
       "SECURITY": "MEDIUM"
@@ -43,5 +43,6 @@
     "STIG ASD_V5R3": [
       "V-222430"
     ]
-  }
+  },
+  "quickfix": "unknown"
 }

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6984.html

@@ -1,7 +1,7 @@
 <p>This rule raises an issue when an incorrect pattern is provided to an <code>einops</code> operation.</p>
 <h2>Why is this an issue?</h2>
 <p>The <code>einops</code> library provides a powerful and flexible way to manipulate tensors using the Einstein summation convention. The
-<code>einops</code> uses a different convention than the <a href="https://ejenner.com/post/einsum/">traditional</a> one. In particular, the axis names
+<code>einops</code> uses a different convention than the <a href="https://ejenner.com/post/einsum">traditional</a> one. In particular, the axis names
 can be more than one letter long and are separated by spaces.</p>
 <h2>How to fix it</h2>
 <p>Correct the syntax of the <code>einops</code> operation by balancing the parentheses and following the convention.</p>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8392.html

@@ -117,9 +117,9 @@ <h3>Documentation</h3>
   (127.0.0.1) and production (0.0.0.0) binding</a></li>
   <li>Flask Deployment Options - <a href="https://flask.palletsprojects.com/en/2.3.x/deploying/">Official Flask documentation on secure deployment
   practices</a></li>
-  <li>Flask Security Considerations - <a href="https://flask.palletsprojects.com/en/2.3.x/security/">Flask security best practices and common
+  <li>Flask Security Considerations - <a href="https://flask.palletsprojects.com/en/stable/web-security/">Flask security best practices and common
   vulnerabilities</a></li>
-  <li>Gunicorn Documentation - <a href="https://docs.gunicorn.org/en/stable/">Production WSGI server for Python web applications</a></li>
+  <li>Gunicorn Documentation - <a href="https://gunicorn.org/quickstart/">Production WSGI server for Python web applications</a></li>
 </ul>
 <h3>Standards</h3>
 <ul>

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8396.html

@@ -1,5 +1,5 @@
-<p>This is an issue when a Pydantic model field uses <code>Optional[Type]</code> or <code>Type | None</code> type hints without providing an explicit
-default value, or when using <code>Field(…​)</code> with the ellipsis operator.</p>
+<p>This is an issue when a Pydantic model field uses <code>Optional[Type]</code> without providing an explicit default value, or when using
+<code>Field(…​)</code> with <code>Optional[Type]</code> and the ellipsis operator.</p>
 <h2>Why is this an issue?</h2>
 <p>In Pydantic models, there is a common misconception about what <code>Optional[Type]</code> means. Many developers assume that marking a field as
 <code>Optional[Type]</code> makes it optional during validation, but this is not the case.</p>
@@ -9,14 +9,17 @@ <h2>Why is this an issue?</h2>
 <p>To make a field truly optional (meaning it doesn’t need to be provided during validation), you must assign a default value. This is typically
 <code>None</code> for optional fields, but can be any appropriate default value.</p>
 <p>A particularly problematic pattern is using <code>Field(…​)</code> with <code>Optional[Type]</code>. The ellipsis (<code>…​</code>) is Pydantic’s
-way of explicitly marking a field as required. This creates a direct contradiction: the type hint says the field can be <code>None</code>, but the
-<code>Field(…​)</code> says it must be provided. In this case, Pydantic prioritizes the ellipsis, making the field required despite the
-<code>Optional</code> annotation.</p>
+way of explicitly marking a field as required. This creates a direct contradiction: the type hint says the field can be <code>None</code>, but
+<code>Field(…​)</code> says it must be provided.</p>
 <p>This mismatch between developer intent and actual behavior leads to unexpected validation errors in production, confusing API consumers who receive
 "field required" errors for fields they reasonably expected to be optional based on the type hints.</p>
+<h3>Exceptions</h3>
+<p>Fields typed as <code>Type | None</code>, <code>None | Type</code>, or <code>Union[Type, None]</code> are compliant, with or without a default
+value.</p>
+<p>These annotations are explicit nullable type declarations and do not imply that the field may be omitted from input data.</p>
 <h3>What is the potential impact?</h3>
-<p>When optional fields lack explicit default values, the application will reject valid requests where users omit fields they believe to be optional.
-This leads to:</p>
+<p>When <code>Optional[…​]</code> fields lack explicit default values, the application may reject requests where users omit fields they believe to be
+optional. This leads to:</p>
 <ul>
   <li>Poor user experience with confusing "field required" validation errors</li>
   <li>API contract violations where the schema suggests fields are optional but validation requires them</li>
@@ -26,11 +29,12 @@ <h3>What is the potential impact?</h3>
 <h2>How to fix it</h2>
 <p>Add an explicit default value (typically <code>None</code>) to fields with <code>Optional</code> type hints. This makes the field truly optional
 during validation while maintaining the type safety that allows <code>None</code> values.</p>
+<p>For <code>Optional[…​]</code> fields, avoid the ellipsis form (<code>Field(…​)</code>) and provide an explicit default instead.</p>
 <h3>Code examples</h3>
 <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
 from typing import Optional
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 
 class TwitterAccount(BaseModel):
     username: str
@@ -42,8 +46,8 @@ <h4>Noncompliant code example</h4>
 </pre>
 <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
-from typing import Optional
-from pydantic import BaseModel
+from typing import Optional, Union
+from pydantic import BaseModel, Field
 
 class TwitterAccount(BaseModel):
     username: str

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "PY"
   ],
-  "latest-update": "2026-02-18T12:35:08.274727508Z",
+  "latest-update": "2026-03-10T13:34:05.699012606Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true