
Update rule metadata #1695

Open

hashicorp-vault-sonar-prod[bot] wants to merge 1 commit into master from bot/update-rule-metadata

Update rule metadata#1695
hashicorp-vault-sonar-prod[bot] wants to merge 1 commit into
masterfrom
bot/update-rule-metadata

Conversation

hashicorp-vault-sonar-prod Bot (Contributor) commented May 12, 2026

Rule Metadata Update Summary

Sonarpedia          Rules to update   Rules updated
./sonarpedia.json   245               2
Total               245               2

Rule API Version: 2.21.0.5887

This PR was automatically generated to update rule metadata across all supported languages.

sonar-review-alpha Bot commented May 12, 2026

Summary

This PR updates metadata for 2 PHP rules (S2077, S4507) by replacing their tag classifications with a single "former-hotspot" tag. S2077 (SQL injection detection) loses the "cwe", "bad-practice" and "sql" tags. S4507 (debug logging detection) loses the "cwe", "error-handling", "debug" and "user-experience" tags. The sonarpedia.json sync timestamp is also updated. These are metadata-only changes with no impact on rule logic or severity.

What reviewers should know

What changed: Two rule JSON files received tag updates, and the metadata sync timestamp was incremented.

Files to review:

  • php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2077.json — SQL injection rule, tags simplified
  • php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4507.json — Debug info exposure rule, tags simplified
  • sonarpedia.json — Sync timestamp updated

Context: This is an automated metadata update. Per the author's description, 245 rules were scanned but only these 2 required changes. The tag changes appear intentional (shifting from multi-tag classifications to the "former-hotspot" category), suggesting these rules may have been reclassified in SonarSource's rule taxonomy.



@github-actions github-actions Bot force-pushed the bot/update-rule-metadata branch from 1960ca4 to cf67144 Compare May 13, 2026 06:13

sonar-review-alpha Bot left a comment


The change is a straightforward metadata-only update; no code logic is touched. One thing worth confirming before approving: other rules in this repo that carry the former-hotspot tag retain their original categorical tags alongside it (e.g. ["cwe", "former-hotspot", "privacy"]), whereas S2077 and S4507 have their previous tags (cwe, bad-practice, sql, error-handling, debug, user-experience) completely removed and replaced with only ["former-hotspot"]. Please confirm this complete replacement is the intended output of the Rule API v2.20.0.5857 sync and not an inadvertent loss of categorisation metadata.


Comment on lines 14 to 16
"constantCost": "20min"
},
"tags": [

Other former-hotspot rules in this repo (e.g. S2092, S5042) keep their original categorical tags alongside former-hotspot — e.g. ["cwe", "former-hotspot", "privacy"]. Here all three prior tags (cwe, bad-practice, sql) are dropped entirely, leaving only ["former-hotspot"].

Is this complete replacement the intended output of the Rule API v2.20.0.5857 sync, or should cwe (at minimum) be retained? Removing cwe in particular affects how SonarQube maps this vulnerability rule to CWE entries in security dashboards.


@github-actions github-actions Bot force-pushed the bot/update-rule-metadata branch from cf67144 to e9c0629 Compare May 14, 2026 06:11

@github-actions github-actions Bot force-pushed the bot/update-rule-metadata branch from e9c0629 to 1de4fdf Compare May 15, 2026 06:18

sonar-review-alpha Bot left a comment


The prior question about S2077's complete tag replacement is still open, and S4507 has the identical issue. Every other former-hotspot rule in the repo — S2092, S5042, S5122, S2068, S5328, and more — retains at least "cwe" alongside "former-hotspot". Both rules in this PR strip all original tags entirely, leaving only ["former-hotspot"].

Note that CWE dashboard mapping is preserved in both rules via the securityStandards.CWE array, so security tooling is not technically broken. The open question is whether the complete tag replacement is an intentional behavioral change in Rule API v2.21.0.5887 (vs. v2.20.0.5857 used for the older former-hotspot rules), or whether "cwe" should be retained for consistency.


Comment on lines 15 to 17
"tags": [
"cwe",
"error-handling",
"debug",
"user-experience"
"former-hotspot"
],
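Review bot: this hunk drops "cwe" together with the three descriptive tags, so ["former-hotspot"] becomes the entire array for S4507, while the securityStandards.CWE array that the security dashboards map against is left untouched; the removal is therefore a taxonomy inconsistency rather than a functional break, but it should be checked against the other former-hotspot rules before merging. From the repo root, `grep -l '"former-hotspot"' php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S*.json | xargs grep -L '"cwe"'` lists every former-hotspot rule file that has no cwe tag; if the reading of S2092, S5042, S5122, S2068 and S5328 above is right, it should print only S2077.json and S4507.json. If this output is what Rule API 2.21.0.5887 now intends, the fix belongs in the sync tooling rather than in a hand edit of these two files, since this bot force-pushes the branch on every run and would overwrite the edit.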

Same complete tag replacement as S2077 — all original tags (cwe, error-handling, debug, user-experience) are dropped, leaving only former-hotspot. Every other pre-existing former-hotspot rule in the repo (e.g. S2092, S5042, S5122, S2068, S5328) keeps "cwe" alongside "former-hotspot".

If the Rule API v2.21 intentionally strips all original tags, this is fine — but please confirm, since it deviates from the established pattern.

Suggested change
"tags": [
"cwe",
"error-handling",
"debug",
"user-experience"
"former-hotspot"
],
"cwe",
"former-hotspot"
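The consistency check the reviewer keeps asking for, written out as an added example that is not part of sonar-php or of either bot: it walks a directory of rule JSON files, singles out the ones tagged former-hotspot, and reports which of them map to CWE ids in securityStandards.CWE yet no longer carry the cwe tag, plus the reverse case. The "tags" and "securityStandards.CWE" field names come from the thread above; the sample rule files, their CWE numbers, the made-up rule id S1000 and all function names are assumptions constructed for this example. Point check_former_hotspot_tags at php-checks/src/main/resources/org/sonar/l10n/php/rules/php/ to run it against the real files.

```python
"""Consistency check over Sonar rule metadata JSON files (sonar-php layout).

Rules tagged "former-hotspot" that map to CWE ids in securityStandards.CWE
should, per the pattern described in the review thread, also carry the
"cwe" tag.  Example code, not the sonar-php project's own tooling.
"""
import json
import tempfile
from pathlib import Path

# Constructed sample rule files.  "tags" and "securityStandards.CWE" are the
# fields the review thread refers to; the CWE numbers and the extra rule id
# S1000 are assumptions made for this example, not copied from the repo.
SAMPLE_RULES = {
    "S2077.json": {"tags": ["former-hotspot"],            # as changed in the PR
                   "securityStandards": {"CWE": [89]}},
    "S4507.json": {"tags": ["former-hotspot"],            # as changed in the PR
                   "securityStandards": {"CWE": [489]}},
    "S2092.json": {"tags": ["cwe", "former-hotspot", "privacy"],  # existing pattern
                   "securityStandards": {"CWE": [311, 315, 614]}},
    "S1000.json": {"tags": ["convention"]},               # no hotspot history
}


def write_sample_rules(target: Path) -> Path:
    """Materialise SAMPLE_RULES as <ruleId>.json files under target."""
    target.mkdir(parents=True, exist_ok=True)
    for name, body in SAMPLE_RULES.items():
        (target / name).write_text(json.dumps(body, indent=2))
    return target


def cwe_ids(rule: dict) -> list[int]:
    """CWE ids from securityStandards.CWE, or [] when the key is absent or empty."""
    standards = rule.get("securityStandards") or {}
    return list(standards.get("CWE") or [])


def suggested_tags(tags: list[str], rule: dict) -> list[str]:
    """Tag list following the pattern of the pre-existing former-hotspot rules:
    keep what is there and add "cwe" when the rule maps to CWE ids.  The tag
    arrays quoted in the thread are alphabetical, so the result is sorted."""
    result = set(tags)
    if "former-hotspot" in result and cwe_ids(rule):
        result.add("cwe")
    return sorted(result)


def check_former_hotspot_tags(rules_dir: Path) -> dict[str, list[str]]:
    """Classify every former-hotspot rule file in rules_dir.

    missing_cwe_tag:           maps to CWE ids but the "cwe" tag is gone
    cwe_tag_without_standard:  has the "cwe" tag but no securityStandards.CWE
    ok:                        tag and standard agree
    """
    report = {"missing_cwe_tag": [], "cwe_tag_without_standard": [], "ok": []}
    for path in sorted(rules_dir.glob("S*.json")):
        rule = json.loads(path.read_text())
        tags = rule.get("tags", [])
        if "former-hotspot" not in tags:
            continue  # the thread's concern is only the reclassified rules
        has_cwe_tag = "cwe" in tags
        if cwe_ids(rule) and not has_cwe_tag:
            report["missing_cwe_tag"].append(path.stem)
        elif has_cwe_tag and not cwe_ids(rule):
            report["cwe_tag_without_standard"].append(path.stem)
        else:
            report["ok"].append(path.stem)
    return report


def run_demo() -> dict[str, list[str]]:
    """Write the constructed samples to a temp dir and run the check on them."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_former_hotspot_tags(write_sample_rules(Path(tmp)))


if __name__ == "__main__":
    for category, rule_ids in run_demo().items():
        print(f"{category}: {rule_ids}")
    print("S4507 suggested tags:",
          suggested_tags(["former-hotspot"], SAMPLE_RULES["S4507.json"]))
```

On the constructed samples the report lists S2077 and S4507 under missing_cwe_tag and S2092 under ok, which is exactly the split the reviewer describes; suggested_tags turns ["former-hotspot"] into ["cwe", "former-hotspot"], matching the suggested change above. Run against the real directory, an empty missing_cwe_tag list after the next bot sync would close the open question.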

sonarqube-next

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube
