
SONARJAVA-6356 Update rule metadata #5609

Open
hashicorp-vault-sonar-prod[bot] wants to merge 2 commits into master from bot/update-rule-metadata

Conversation

@hashicorp-vault-sonar-prod
Contributor

Rule Metadata Update Summary

Sonarpedia          Rules to update   Rules updated
./sonarpedia.json   686               108
Total               686               108

Rule API Version: 2.20.0.5857

This PR was automatically generated to update rule metadata across all supported languages.

hashicorp-vault-sonar-prod Bot changed the title from "Update rule metadata" to "SONARJAVA-6356 Update rule metadata" on May 7, 2026

hashicorp-vault-sonar-prod Bot commented May 7, 2026

SONARJAVA-6356


sonar-review-alpha Bot commented May 7, 2026

Summary

This PR updates 108 Java rule metadata files to fix documentation reference URLs. The primary change is migrating CERT standard references from outdated wiki URLs (wiki.sei.cmu.edu/confluence) to their current home on the CMU SEI GitHub documentation site (cmu-sei.github.io/secure-coding-standards). The commit message indicates this is a revert/fix of a previous automated metadata update that had inconsistencies. It also includes minor HTML formatting adjustments for readability and an updated timestamp in sonarpedia.json.

What reviewers should know

Key areas to review:

  1. URL validity — Spot-check several new CERT URLs across different rule categories (ERR, DCL, MET, etc.) to confirm they resolve correctly and link to the right standard sections.

  2. Consistency — Verify the 108 updated rules follow a consistent pattern for URL migration. A few sample rules to check: S106, S112, S1116, S2143 (appears to have larger changes based on file stats).

  3. Non-URL changes — Most changes are just URL updates, but quickly scan for any unintended modifications to rule descriptions, severity, tags, or other metadata properties. The HTML reformatting (line wrapping) is intentional.

  4. Scope — 111 files changed total (mostly rule HTMLs, plus sonarpedia.json). If the description says 686 rules exist but only 108 were updated, confirm that's expected and not a sign of incomplete coverage.

  5. Previous issues — The commit message mentions this reverts inconsistent metadata from a prior update. If there's context on what went wrong before, it's worth checking that this fix doesn't introduce similar issues.





sonarqube-next Bot commented May 8, 2026

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube


sonar-review-alpha Bot left a comment


The bulk of this PR is clean mechanical migration of CERT reference URLs from wiki.sei.cmu.edu/confluence to cmu-sei.github.io/secure-coding-standards. Based on spot-checking across multiple rules, the new URLs map correctly to the referenced rule IDs and categories. However, three changes go beyond URL updates and deserve explicit sign-off.

S4512 is promoted from SECURITY_HOTSPOT to VULNERABILITY, with the HTML rewritten in the standard vulnerability format. The change also removes an erroneous CERT MSC61-J reference (about cryptographic algorithms — unrelated to JavaBean property injection). The new content is accurate and well-written.

S2143 gets a content overhaul fixing factually incorrect class descriptions: the old table listed JodaTime-specific types (OffsetDate, DateTimeFields, Calendrical) as if they were java.time classes. The rewrite is accurate. Additionally, S2143 is added to Sonar_way_profile.json, activating it in the default quality profile for the first time — any project using java.util.Date, Calendar, or JodaTime will now receive issues from this rule by default.

S5042 is reclassified from SECURITY_HOTSPOT to CODE_SMELL with RELIABILITY: MEDIUM impact. The rule was already marked "status": "deprecated" before this PR, so the reclassification is cleanup for a retiring rule rather than a change to active behavior.


"S2139",
"S2140",
"S2142",
"S2143",


S2143 is newly activated in the Sonar Way quality profile. This will raise issues on any project using java.util.Date, java.util.Calendar, or JodaTime — including code intentionally targeting Java 7 or older, where the java.time API isn't available. Is this activation intentional here, or should it ship separately with a migration notice?


Comment on lines +2 to +3
"title": "JavaBean properties should not be populated from untrusted input",
"type": "VULNERABILITY",


This rule is promoted from SECURITY_HOTSPOT to VULNERABILITY. That's a meaningful behavioral change: hotspots require manual "reviewed" confirmation in SonarQube, while vulnerabilities are automatically counted against the quality gate. Please confirm this promotion is intentional and has gone through the usual review process for rule type changes.

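For readers unfamiliar with the behaviour S4512 targets ("JavaBean properties should not be populated from untrusted input"), the following is an added example, not code from this PR, from the rule's HTML or from SonarSource. It contrasts populating a bean wholesale from a request-parameter map with populating it through an explicit allow-list. It uses java.beans reflection as a stand-in for a library call such as BeanUtils.populate so that it runs with the JDK alone; the parameter map is a constructed stand-in for HttpServletRequest#getParameterMap(), and the UserAccount class, its "admin" property and the method names are assumptions for illustration.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Map;
import java.util.Set;

public class BeanPopulationDemo {

    /** Illustrative target bean (assumed): "admin" is privileged and must never come from a form post. */
    public static class UserAccount {
        private String username;
        private String email;
        private boolean admin;

        public String getUsername() { return username; }
        public void setUsername(String v) { username = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    /**
     * Vulnerable pattern: every request parameter whose name matches a writable
     * property is applied, so a client can set properties the form never exposed.
     */
    public static void populateUnchecked(Object bean, Map<String, String[]> params) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass(), Object.class).getPropertyDescriptors()) {
            String[] values = params.get(pd.getName());
            if (values != null && pd.getWriteMethod() != null) {
                pd.getWriteMethod().invoke(bean, convert(pd.getPropertyType(), values[0]));
            }
        }
    }

    /**
     * Hardened pattern: the caller names the properties this endpoint may write;
     * any other parameter is rejected outright instead of silently ignored.
     */
    public static void populateAllowListed(Object bean, Map<String, String[]> params, Set<String> allowed) throws Exception {
        for (String name : params.keySet()) {
            if (!allowed.contains(name)) {
                throw new IllegalArgumentException("unexpected parameter: " + name);
            }
        }
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass(), Object.class).getPropertyDescriptors()) {
            String[] values = params.get(pd.getName());
            if (values != null && allowed.contains(pd.getName()) && pd.getWriteMethod() != null) {
                pd.getWriteMethod().invoke(bean, convert(pd.getPropertyType(), values[0]));
            }
        }
    }

    /** Minimal string-to-property-type conversion for the types used in this demo. */
    private static Object convert(Class<?> type, String raw) {
        if (type == boolean.class || type == Boolean.class) return Boolean.parseBoolean(raw);
        if (type == int.class || type == Integer.class) return Integer.parseInt(raw);
        return raw;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the request parameter map: a normal form post plus a smuggled "admin=true".
        Map<String, String[]> params = Map.of(
            "username", new String[] {"alice"},
            "email", new String[] {"alice@example.com"},
            "admin", new String[] {"true"});

        UserAccount a = new UserAccount();
        populateUnchecked(a, params);
        // The privileged property was written straight from request data.
        System.out.println("unchecked: admin=" + a.isAdmin());

        UserAccount b = new UserAccount();
        try {
            populateAllowListed(b, params, Set.of("username", "email"));
        } catch (IllegalArgumentException e) {
            // The request is refused as a whole; nothing was written to the bean.
            System.out.println("allow-listed: rejected, " + e.getMessage());
        }
        System.out.println("allow-listed: admin=" + b.isAdmin());
    }
}
```

Rejecting unknown parameters, rather than filtering them silently, is the stricter choice: it surfaces probing for hidden properties in logs instead of hiding it. In a real web application the same allow-list belongs in a dedicated request DTO per endpoint rather than on the persistent entity.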

Comment on lines +91 to +92
<li>CERT - <a
href="https://cmu-sei.github.io/secure-coding-standards/sei-cert-oracle-coding-standard-for-java/rules/input-validation-and-data-sanitization-ids/ids04-j">CERT, IDS04-J.</a> - Safely extract files from ZipInputStream</li>


The list item mixes two different CERT link formatting conventions, producing a duplicate "CERT" in the rendered output: "CERT - CERT, IDS04-J. - Safely extract files from ZipInputStream".

All other changed rules follow one of two patterns:

  • Pattern A (majority): <li><a href="...">CERT, IDS04-J.</a> - Description</li>
  • Pattern B: <li>CERT - <a href="...">IDS04-J. Description</a></li>

The current code combines both. Suggest using Pattern A:

Suggested change
<li>CERT - <a
href="https://cmu-sei.github.io/secure-coding-standards/sei-cert-oracle-coding-standard-for-java/rules/input-validation-and-data-sanitization-ids/ids04-j">CERT, IDS04-J.</a> - Safely extract files from ZipInputStream</li>
<li><a
href="https://cmu-sei.github.io/secure-coding-standards/sei-cert-oracle-coding-standard-for-java/rules/input-validation-and-data-sanitization-ids/ids04-j">CERT, IDS04-J.</a> - Safely extract files from ZipInputStream</li>
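The CERT rule referenced in this list item, IDS04-J "Safely extract files from ZipInputStream", concerns two things: archive entry names that escape the destination directory (the "../" traversal usually called zip slip) and uncontrolled uncompressed size. The following is an added example, not code from this PR, from the rule's HTML or from SonarSource, of an extraction routine that applies both checks against java.util.zip. The limits, the class name and the two-entry sample archive (a benign file plus a "../evil.txt" entry) are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeZipExtract {
    // Assumed limits for this illustration; tune them to what the application legitimately receives.
    private static final long MAX_TOTAL_BYTES = 64L * 1024 * 1024; // bound on total uncompressed output
    private static final int MAX_ENTRIES = 1000;                   // bound on number of entries

    /**
     * Extracts a zip stream into destDir. Each entry name is resolved against destDir and
     * canonicalised, so "../" components cannot place a file outside it. Bytes are counted as
     * they are inflated rather than trusting the size field of the attacker-controlled entry
     * header. Returns the number of regular files written.
     */
    public static int extract(InputStream zipData, File destDir) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        long total = 0;
        int entries = 0;
        int filesWritten = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(zipData)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("too many entries in archive");
                }
                File target = new File(destDir, e.getName());
                if (!target.getCanonicalPath().startsWith(root)) {
                    throw new IOException("entry escapes destination directory: " + e.getName());
                }
                if (e.isDirectory()) {
                    Files.createDirectories(target.toPath());
                    continue;
                }
                Files.createDirectories(target.toPath().getParent());
                try (OutputStream out = Files.newOutputStream(target.toPath())) {
                    int n;
                    while ((n = zis.read(buf)) != -1) {
                        total += n;
                        if (total > MAX_TOTAL_BYTES) {
                            throw new IOException("uncompressed size limit exceeded");
                        }
                        out.write(buf, 0, n);
                    }
                }
                filesWritten++;
            }
        }
        return filesWritten;
    }

    /** Constructed sample archive: one benign entry, optionally followed by a zip-slip style "../" entry. */
    static byte[] buildSampleZip(boolean withTraversalEntry) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            if (withTraversalEntry) {
                // java.util.zip does not validate entry names, so a hostile archive can carry this.
                zos.putNextEntry(new ZipEntry("../evil.txt"));
                zos.write("owned".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("unzip-demo").toFile();
        int written = extract(new ByteArrayInputStream(buildSampleZip(false)), dest);
        System.out.println("benign archive: " + written + " file(s) written under " + dest);
        try {
            extract(new ByteArrayInputStream(buildSampleZip(true)), dest);
            System.out.println("traversal entry was not rejected (unexpected)");
        } catch (IOException ex) {
            System.out.println("hostile archive rejected: " + ex.getMessage());
        }
    }
}
```

Two caveats a practitioner would want: the canonical-path check must compare against the destination with a trailing separator, otherwise a sibling directory such as "uploads-evil" would pass a prefix test against "uploads"; and entries written before a rejection remain on disk, so extract into a fresh staging directory and delete it when extract throws.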
