From 8751252388b956072398263683892104fbaa3b9a Mon Sep 17 00:00:00 2001
From: tomasz-tylenda-sonarsource
 <tomasz-tylenda-sonarsource@users.noreply.github.com>
Date: Fri, 27 Feb 2026 13:15:39 +0000
Subject: [PATCH] Update rule metadata

---
 .../org/sonar/l10n/java/rules/java/S4684.html | 11 ++++--
 .../org/sonar/l10n/java/rules/java/S4684.json |  2 +-
 .../org/sonar/l10n/java/rules/java/S8446.html |  2 +-
 .../org/sonar/l10n/java/rules/java/S8446.json |  2 +-
 .../org/sonar/l10n/java/rules/java/S8447.html | 38 +++++++++----------
 sonarpedia.json                               |  4 +-
 6 files changed, 31 insertions(+), 28 deletions(-)

diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4684.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4684.html
index b609f5e5b83..d08dc6b06c4 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4684.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4684.html
@@ -1,8 +1,11 @@
-<p>With Spring, when a request mapping method is configured to accept bean objects as arguments, the framework will automatically bind HTTP parameters
-to those objects' properties. If the targeted beans are also persistent entities, the framework will also store those properties in the storage
-backend, usually the application’s database.</p>
+<p>Mass assignment occurs when a framework automatically binds user-controlled input to objects that are directly persisted to a database backend. If
+the application does not restrict which fields are writable, an attacker can inject additional properties into a request to overwrite sensitive
+data—such as authorization levels, ownership, or workflow states. This lack of filtering allows internal server-managed properties to be externally
+modified through a single, unfiltered write operation.</p>
 <h2>Why is this an issue?</h2>
-<p>By accepting persistent entities as method arguments, the application allows clients to manipulate the object’s properties directly.</p>
+<p>Because the application does not enforce which fields are writable, an attacker can craft a request containing any document property, including
+those that are meant to be managed exclusively by the server. Fields controlling authorization, ownership, workflow state, or internal identifiers all
+become externally settable through a single unfiltered write operation.</p>
 <h3>What is the potential impact?</h3>
 <p>Attackers could forge malicious HTTP requests that will alter unexpected properties of persistent objects. This can lead to unauthorized
 modifications of the entity’s state. This is known as a <strong>mass assignment</strong> attack.</p>
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4684.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4684.json
index 7a31dccc500..1cd499c76c4 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4684.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S4684.json
@@ -1,5 +1,5 @@
 {
-  "title": "Persistent entities should not be used as arguments of \"@RequestMapping\" methods",
+  "title": "Database Operations should not be vulnerable to mass assignment",
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8446.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8446.html
index 400ef879d8e..3a403c413a3 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8446.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8446.html
@@ -41,6 +41,6 @@ <h4>Compliant solution</h4>
 <h2>Resources</h2>
 <h3>Documentation</h3>
 <ul>
-  <li> <a href="https://openjdk.org/jeps/512">JEP 512: Compact Source Files and Instance Main Methods</a> </li>
+  <li><a href="https://openjdk.org/jeps/512">JEP 512: Compact Source Files and Instance Main Methods</a></li>
 </ul>
 
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8446.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8446.json
index d6ac4dff41c..36df5f30fd9 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8446.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8446.json
@@ -1,5 +1,5 @@
 {
-  "title": "Only one \"main\" method should be present",
+  "title": "Only one \"main\" method should be defined in a class",
   "type": "CODE_SMELL",
   "status": "ready",
   "remediation": {
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8447.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8447.html
index 48d0019aac6..66e20dc8e99 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8447.html
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8447.html
@@ -5,8 +5,8 @@ <h2>Why is this an issue?</h2>
 <p>Traditionally, the explicit constructor invocation (<code>super(…​)</code> or <code>this(…​)</code>) had to be the first statement in a
 constructor, forcing subclass field initialization to happen after the superclass was already constructed. If the superclass constructor calls an
 overridable method, the subclass implementation will see default values (such as <code>null</code>, <code>0</code>, or <code>false</code>) for its
-fields instead of the values intended by the caller. This leads to subtle bugs, `NullPointerException`s, or inconsistent object states that are
-difficult to debug.</p>
+fields instead of the values intended by the caller. This leads to subtle bugs, <code>NullPointerException</code>s, or inconsistent object states that
+are difficult to debug.</p>
 <h2>How to fix it</h2>
 <p>Move the initialization of subclass fields before the <code>super()</code> call. This takes advantage of flexible constructor bodies to ensure that
 the subclass state is established before the superclass constructor begins its execution. Alternatively, if the method in the superclass does not need
@@ -16,10 +16,10 @@ <h4>Noncompliant code example</h4>
 <pre data-diff-id="1" data-diff-type="noncompliant">
 class Super {
     Super() {
-        overriddenMethod();
+        foo();
     }
 
-    void overriddenMethod() {
+    void foo() {
         System.out.println("Base logic");
     }
 }
@@ -29,11 +29,11 @@ <h4>Noncompliant code example</h4>
 
     Sub(int x) {
         super();
-        this.x = x; // Noncompliant: x is uninitialized when overriddenMethod is called by Super()
+        this.x = x; // Noncompliant: x is uninitialized when foo is called by Super()
     }
 
     @Override
-    void overriddenMethod() {
+    void foo() {
         System.out.println(x); // Prints 0 instead of the value of x
     }
 }
@@ -42,10 +42,10 @@ <h4>Compliant solution</h4>
 <pre data-diff-id="1" data-diff-type="compliant">
 class Super {
     Super() {
-        overriddenMethod();
+        foo();
     }
 
-    void overriddenMethod() {
+    void foo() {
         System.out.println("Base logic");
     }
 }
@@ -59,7 +59,7 @@ <h4>Compliant solution</h4>
     }
 
     @Override
-    void overriddenMethod() {
+    void foo() {
         System.out.println(x); // Prints the expected value
     }
 }
@@ -67,13 +67,13 @@ <h4>Compliant solution</h4>
 <p>Alternatively, if the method in the superclass does not need to be overridden, it can be marked as <code>final</code> or <code>private</code> to
 prevent the issue entirely.</p>
 <h4>Noncompliant code example</h4>
-<pre data-diff-id="1" data-diff-type="noncompliant">
+<pre data-diff-id="2" data-diff-type="noncompliant">
 class Super {
     Super() {
-        overriddenMethod();
+        foo();
     }
 
-    void overriddenMethod() {
+    void foo() {
         System.out.println("Base logic");
     }
 }
@@ -83,23 +83,23 @@ <h4>Noncompliant code example</h4>
 
     Sub(int x) {
         super();
-        this.x = x; // Noncompliant: x is uninitialized when overriddenMethod is called by Super()
+        this.x = x; // Noncompliant: x is uninitialized when foo is called by Super()
     }
 
     @Override
-    void overriddenMethod() {
+    void foo() {
         System.out.println(x); // Prints 0 instead of the value of x
     }
 }
 </pre>
 <h4>Compliant solution</h4>
-<pre data-diff-id="1" data-diff-type="compliant">
+<pre data-diff-id="2" data-diff-type="compliant">
 class Super {
     Super() {
-        overriddenMethod();
+        foo();
     }
 
-    final void finalMethod() {
+    final void foo() {
         System.out.println("Base logic");
     }
 }
@@ -109,13 +109,13 @@ <h4>Compliant solution</h4>
 
     Sub(int x) {
         super();
-        this.x = x; // Compliant: finalMethod is final, so it cannot be overridden and will not access uninitialized fields
+        this.x = x; // Compliant: foo is final, so it cannot be overridden and will not access uninitialized fields
     }
 }
 </pre>
 <h2>Resources</h2>
 <h3>Documentation</h3>
 <ul>
-  <li> <a href="https://openjdk.org/jeps/513">JEP 513: Flexible Constructor Bodies</a> </li>
+  <li><a href="https://openjdk.org/jeps/513">JEP 513: Flexible Constructor Bodies</a></li>
 </ul>
 
diff --git a/sonarpedia.json b/sonarpedia.json
index 1a2ce10ad22..25454a0501f 100644
--- a/sonarpedia.json
+++ b/sonarpedia.json
@@ -3,9 +3,9 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2026-02-26T08:20:43.956169Z",
+  "latest-update": "2026-02-27T13:15:37.935044048Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false
   }
-}
+}
\ No newline at end of file