Update rule metadata (#712)

Co-authored-by: petertrr <petertrr@users.noreply.github.com>

Author: hashicorp-vault-sonar-prod[bot]

sonar-kotlin-plugin/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "KOTLIN"
   ],
-  "latest-update": "2026-04-10T12:56:34.437431195Z",
+  "latest-update": "2026-04-17T11:19:29.957200855Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5320.html

@@ -1,21 +1,22 @@
-<p>In Android applications, broadcasting intents is security-sensitive. For example, it has led in the past to the following vulnerability:</p>
-<ul>
-  <li><a href="https://www.cve.org/CVERecord?id=CVE-2018-9489">CVE-2018-9489</a></li>
-</ul>
-<p>By default, broadcasted intents are visible to every application, exposing all sensitive information they contain.</p>
-<p>This rule raises an issue when an intent is broadcasted without specifying any "receiver permission".</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>The intent contains sensitive information.</li>
-  <li>Intent reception is not restricted.</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<p>Restrict the access to broadcasted intents. See <a
-href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> for more
-information.</p>
-<h2>Sensitive Code Example</h2>
-<pre>
+<p>Broadcasted intents in Android are visible to every application by default, which can expose sensitive information.</p>
+<h2>Why is this an issue?</h2>
+<p>By default, broadcasted intents are visible to every application on the device, exposing all sensitive information that intents contain. This rule
+raises an issue when an intent is broadcasted without specifying a receiver permission.</p>
+<p>Methods like <code>sendBroadcast</code>, <code>sendBroadcastAsUser</code>, <code>sendOrderedBroadcast</code>, and
+<code>sendOrderedBroadcastAsUser</code> that are called without a receiver permission parameter or with <code>null</code> for the permission allow any
+application to receive the broadcast.</p>
+<h3>What is the potential impact?</h3>
+<h4>Information disclosure</h4>
+<p>If an intent contains sensitive data such as user credentials, personal information, or internal application state, any malicious application
+installed on the same device can intercept and read this data.</p>
+<h4>Privilege escalation</h4>
+<p>A malicious application could listen for broadcasted intents to trigger unauthorized actions or manipulate application behavior, potentially
+gaining access to functionality that should be restricted.</p>
+<h2>How to fix it</h2>
+<h3>Code examples</h3>
+<p>The following code broadcasts an intent without specifying a receiver permission, making it accessible to all applications on the device.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 import android.content.BroadcastReceiver
 import android.content.Context
 import android.content.Intent
@@ -33,20 +34,20 @@ <h2>Sensitive Code Example</h2>
                   initialData: String,
                   initialExtras: Bundle,
                   broadcastPermission: String) {
-        context.sendBroadcast(intent) // Sensitive
-        context.sendBroadcastAsUser(intent, user) // Sensitive
+        context.sendBroadcast(intent) // Noncompliant
+        context.sendBroadcastAsUser(intent, user) // Noncompliant
 
         // Broadcasting intent with "null" for receiverPermission
-        context.sendBroadcast(intent, null) // Sensitive
-        context.sendBroadcastAsUser(intent, user, null) // Sensitive
-        context.sendOrderedBroadcast(intent, null) // Sensitive
+        context.sendBroadcast(intent, null) // Noncompliant
+        context.sendBroadcastAsUser(intent, user, null) // Noncompliant
+        context.sendOrderedBroadcast(intent, null) // Noncompliant
         context.sendOrderedBroadcastAsUser(intent, user, null, resultReceiver,
-            scheduler, initialCode, initialData, initialExtras) // Sensitive
+            scheduler, initialCode, initialData, initialExtras) // Noncompliant
     }
 }
 </pre>
-<h2>Compliant Solution</h2>
-<pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
 import android.content.BroadcastReceiver
 import android.content.Context
 import android.content.Intent
@@ -68,12 +69,18 @@ <h2>Compliant Solution</h2>
         context.sendBroadcast(intent, broadcastPermission)
         context.sendBroadcastAsUser(intent, user, broadcastPermission)
         context.sendOrderedBroadcast(intent, broadcastPermission)
-        context.sendOrderedBroadcastAsUser(intent, user,broadcastPermission, resultReceiver,
+        context.sendOrderedBroadcastAsUser(intent, user, broadcastPermission, resultReceiver,
             scheduler, initialCode, initialData, initialExtras)
     }
 }
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li><a href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> -
+  Broadcast Overview - Security considerations and best practices</li>
+</ul>
+<h3>Standards</h3>
 <ul>
   <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
   <li>OWASP - <a href="https://mas.owasp.org/checklists/MASVS-PLATFORM/">Mobile AppSec Verification Standard - Platform Interaction
@@ -85,7 +92,5 @@ <h2>See</h2>
   <li>OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration">Mobile Top 10 2024 Category M8 - Security
   Misconfiguration</a></li>
   <li>CWE - <a href="https://cwe.mitre.org/data/definitions/927">CWE-927 - Use of Implicit Intent for Sensitive Communication</a></li>
-  <li><a href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> -
-  Broadcast Overview - Security considerations and best practices</li>
 </ul>
 

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5320.json

@@ -1,18 +1,23 @@
 {
-  "title": "Broadcasting intents is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Intents should not be broadcast without receiver permissions",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH"
+      "SECURITY": "MEDIUM"
     },
     "attribute": "COMPLETE"
   },
   "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "10min"
+  },
   "tags": [
     "cwe",
-    "android"
+    "android",
+    "former-hotspot"
   ],
-  "defaultSeverity": "Critical",
+  "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-5320",
   "sqKey": "S5320",
   "scope": "Main",

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5322.html

@@ -1,29 +1,22 @@
-<p>Android applications can receive broadcasts from the system or other applications. Receiving intents is security-sensitive. For example, it has led
-in the past to the following vulnerabilities:</p>
-<ul>
-  <li><a href="https://www.cve.org/CVERecord?id=CVE-2019-1677">CVE-2019-1677</a></li>
-  <li><a href="https://www.cve.org/CVERecord?id=CVE-2015-1275">CVE-2015-1275</a></li>
-</ul>
-<p>Receivers can be declared in the manifest or in the code to make them context-specific. If the receiver is declared in the manifest Android will
-start the application if it is not already running once a matching broadcast is received. The receiver is an entry point into the application.</p>
-<p>Other applications can send potentially malicious broadcasts, so it is important to consider broadcasts as untrusted and to limit the applications
-that can send broadcasts to the receiver.</p>
-<p>Permissions can be specified to restrict broadcasts to authorized applications. Restrictions can be enforced by both the sender and receiver of a
-broadcast. If permissions are specified when registering a broadcast receiver, then only broadcasters who were granted this permission can send a
-message to the receiver.</p>
-<p>This rule raises an issue when a receiver is registered without specifying any broadcast permission.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>The data extracted from intents is not sanitized.</li>
-  <li>Intents broadcast is not restricted.</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<p>Restrict the access to broadcasted intents. See the <a
-href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> for more
-information.</p>
-<h2>Sensitive Code Example</h2>
-<pre>
+<p>Android applications can receive broadcasts from the system or other applications through registered broadcast receivers.</p>
+<h2>Why is this an issue?</h2>
+<p>A broadcast receiver registered or declared without a broadcast permission can receive intents from any application on the device, making it an
+unrestricted entry point into the application. Malicious or compromised applications can send crafted broadcasts that trigger unintended behavior,
+bypass access controls, or feed untrusted data into the application’s processing logic. This rule raises an issue when a receiver is registered in
+code without a <code>broadcastPermission</code> argument, or when a receiver is declared in the manifest as exported without an
+<code>android:permission</code> attribute.</p>
+<h3>What is the potential impact?</h3>
+<h4>Unauthorized access</h4>
+<p>An attacker controlling a malicious application can send arbitrary broadcasts to the unprotected receiver, potentially triggering sensitive
+operations such as changing application state or invoking privileged functionality without the user’s knowledge.</p>
+<h4>Data injection</h4>
+<p>Without restriction, any application can supply arbitrary intent data to the receiver. If that data is processed without validation, it can lead to
+logic errors or further exploitation within the application.</p>
+<h2>How to fix it</h2>
+<h3>Code examples</h3>
+<p>The following code registers a broadcast receiver without specifying a broadcast permission, allowing any application to send intents to it.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 import android.content.BroadcastReceiver
 import android.content.Context
 import android.content.IntentFilter
@@ -39,17 +32,17 @@ <h2>Sensitive Code Example</h2>
         scheduler: Handler?,
         flags: Int
     ) {
-        context.registerReceiver(receiver, filter) // Sensitive
-        context.registerReceiver(receiver, filter, flags) // Sensitive
+        context.registerReceiver(receiver, filter) // Noncompliant
+        context.registerReceiver(receiver, filter, flags) // Noncompliant
 
         // Broadcasting intent with "null" for broadcastPermission
-        context.registerReceiver(receiver, filter, null, scheduler) // Sensitive
-        context.registerReceiver(receiver, filter, null, scheduler, flags) // Sensitive
+        context.registerReceiver(receiver, filter, null, scheduler) // Noncompliant
+        context.registerReceiver(receiver, filter, null, scheduler, flags) // Noncompliant
     }
 }
 </pre>
-<h2>Compliant Solution</h2>
-<pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
 import android.content.BroadcastReceiver
 import android.content.Context
 import android.content.IntentFilter
@@ -71,8 +64,16 @@ <h2>Compliant Solution</h2>
     }
 }
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li><a href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> -
+  Broadcast Overview - Security considerations and best practices</li>
+</ul>
+<h3>Standards</h3>
 <ul>
+  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/925">CWE-925 - Improper Verification of Intent by Broadcast Receiver</a></li>
+  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/926">CWE-926 - Improper Export of Android Application Components</a></li>
   <li>OWASP - <a href="https://mas.owasp.org/checklists/MASVS-PLATFORM/">Mobile AppSec Verification Standard - Platform Interaction
   Requirements</a></li>
   <li>OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage">Mobile Top 10 2016 Category M1 - Improper
@@ -81,9 +82,5 @@ <h2>See</h2>
   - Insecure Authentication/Authorization</a></li>
   <li>OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation">Mobile Top 10 2024 Category M4
   - Insufficient Input/Output Validation</a></li>
-  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/925">CWE-925 - Improper Verification of Intent by Broadcast Receiver</a></li>
-  <li>CWE - <a href="https://cwe.mitre.org/data/definitions/926">CWE-926 - Improper Export of Android Application Components</a></li>
-  <li><a href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> -
-  Broadcast Overview - Security considerations and best practices</li>
 </ul>
 

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5322.json

@@ -1,6 +1,11 @@
 {
-  "title": "Receiving intents is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Android broadcast receivers should not be registered without a permission",
+  "type": "VULNERABILITY",
+  "quickfix": "unknown",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "15min"
+  },
   "code": {
     "impacts": {
       "SECURITY": "HIGH"
@@ -10,7 +15,8 @@
   "status": "ready",
   "tags": [
     "cwe",
-    "android"
+    "android",
+    "former-hotspot"
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5322",
@@ -31,6 +37,5 @@
     "MASVS": [
       "MSTG-PLATFORM-2"
     ]
-  },
-  "quickfix": "unknown"
+  }
 }

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5324.html

@@ -1,38 +1,34 @@
-<p>Storing data locally is a common task for mobile applications. Such data includes files among other things. One convenient way to store files is to
-use the external file storage which usually offers a larger amount of disc space compared to internal storage.</p>
-<p>Files created on the external storage are globally readable and writable. Therefore, a malicious application having the permissions
-<code>WRITE_EXTERNAL_STORAGE</code> or <code>READ_EXTERNAL_STORAGE</code> could try to read sensitive information from the files that other
-applications have stored on the external storage.</p>
-<p>External storage can also be removed by the user (e.g. when based on SD card) making the files unavailable to the application.</p>
-<h2>Ask Yourself Whether</h2>
-<p>Your application uses external storage to:</p>
-<ul>
-  <li>store files that contain sensitive data.</li>
-  <li>store files that are not meant to be shared with other application.</li>
-  <li>store files that are critical for the application to work.</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li>Use internal storage whenever possible as the system prevents other apps from accessing this location.</li>
-  <li>Only use external storage if you need to share non-sensitive files with other applications.</li>
-  <li>If your application has to use the external storage to store sensitive data, make sure it encrypts the files using <a
-  href="https://developer.android.com/reference/androidx/security/crypto/EncryptedFile">EncryptedFile</a>.</li>
-  <li>Data coming from external storage should always be considered untrusted and should be validated.</li>
-  <li>As some external storage can be removed, make sure to never store files on it that are critical for the usability of your application.</li>
-</ul>
-<h2>Sensitive Code Example</h2>
+<p>Android applications can store files on external storage (such as an SD card or shared storage), which is globally readable and writable by other
+applications.</p>
+<h2>Why is this an issue?</h2>
+<p>External storage in Android is globally readable and writable by any application that holds the <code>READ_EXTERNAL_STORAGE</code> or
+<code>WRITE_EXTERNAL_STORAGE</code> permissions. Files stored there can be read, modified, or deleted by other applications, making external storage
+unsuitable for sensitive data. External storage can also be physically removed by the user, causing files to become unavailable at any time. This rule
+raises an issue when an application accesses external storage directories via APIs such as <code>getExternalFilesDir</code>,
+<code>getExternalStorageDirectory</code>, or equivalent.</p>
+<h3>What is the potential impact?</h3>
+<h4>Data exposure</h4>
+<p>A malicious application with storage permissions can read sensitive files stored in external storage, leading to exposure of user credentials,
+personal data, or application secrets.</p>
+<h4>Data integrity</h4>
+<p>An attacker can modify or delete files in external storage, corrupting application data or injecting malicious content that the application will
+later process.</p>
+<h2>How to fix it</h2>
+<h3>Code examples</h3>
+<p>The following code accesses external storage, which is globally readable and writable by other applications and therefore should not be used to
+store sensitive data.</p>
+<h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
 import android.content.Context
 
 class AccessExternalFiles {
 
     fun accessFiles(Context context) {
-        context.getExternalFilesDir(null) // Sensitive
+        context.getExternalFilesDir(null) // Noncompliant
     }
 }
 </pre>
-<h2>Compliant Solution</h2>
+<h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
 import android.content.Context
 import android.os.Environment
@@ -44,11 +40,15 @@ <h2>Compliant Solution</h2>
     }
 }
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Documentation</h3>
 <ul>
-  <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
-  <li><a href="https://developer.android.com/privacy-and-security/security-tips#ExternalStorage">Android Security tips on external file
+  <li><a href="https://developer.android.com/privacy-and-security/security-tips#external-storage">Android Security tips on external file
   storage</a></li>
+</ul>
+<h3>Standards</h3>
+<ul>
+  <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
   <li>OWASP - <a href="https://mas.owasp.org/checklists/MASVS-STORAGE/">Mobile AppSec Verification Standard - Data Storage and Privacy
   Requirements</a></li>
   <li>OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage">Mobile Top 10 2016 Category M2 - Insecure Data

sonar-kotlin-plugin/src/main/resources/org/sonar/l10n/kotlin/rules/kotlin/S5324.json

@@ -1,16 +1,21 @@
 {
-  "title": "Accessing Android external storage is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Sensitive data should not be stored in Android external storage",
+  "type": "VULNERABILITY",
   "code": {
     "impacts": {
       "SECURITY": "HIGH"
     },
     "attribute": "COMPLETE"
   },
   "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "1h"
+  },
   "tags": [
     "cwe",
-    "android"
+    "android",
+    "former-hotspot"
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-5324",