Deprecate the use of "owasp" tags on Rules or Issues (OWASP Top 10 - 2017) (#5569)

* Deprecate the use of the "owasp" tags on rules

* Update built-in-rule-tags.md

diff --git a/server/sonar-docs/src/pages/user-guide/built-in-rule-tags.md b/server/sonar-docs/src/pages/user-guide/built-in-rule-tags.md
index d4b2091b27a5dc9aa29186cbfd6a9ccc5aab3de6..15c41205691d9071b8362c6bdc78964fc7b06fc0 100644 (file)
--- a/server/sonar-docs/src/pages/user-guide/built-in-rule-tags.md
+++ b/server/sonar-docs/src/pages/user-guide/built-in-rule-tags.md
@@ -15,7 +15,7 @@ Tags are a way to categorize rules and issues. Issues inherit the tags on the ru
 * [cwe](https://rules.sonarsource.com/java/tag/cwe) - relates to a rule in the [Common Weakness Enumeration](http://cwe.mitre.org/). For more on CWE and on security-related rules in general, see [Security-related rules](/user-guide/security-rules/).
 * [design](https://rules.sonarsource.com/java/tag/design) - there is something questionable about the design of the code
 * [lock-in](https://rules.sonarsource.com/java/tag/lock-in) - environment-specific features are used
-* [owasp](https://rules.sonarsource.com/java/tag/owasp) - relates to a rule in the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) security standards. Note, that the OWASP Top Ten is a list of high-level vulnerabilities which translates to many, many potential rules.
+* [owasp](https://rules.sonarsource.com/java/tag/owasp) - relates to a rule in the [OWASP Top 10 2017](https://owasp.org/www-project-top-ten/2017/Top_10) security standard. Note, that the OWASP Top 10 is a list of high-level security risks which translates to many, many potential rules. "owasp-ax" tags should no longer be used, they should be considered as "deprecated" because they map to old "OWASP Top 10 2017". The "Security Category" facet should be used instead to filter on recent OWASP Top 10s (2021+).
 * [pitfall](https://rules.sonarsource.com/java/tag/pitfall) - nothing is wrong yet, but something could go wrong in the future; a trap has been set for the next person, and they'll probably fall into it and screw up the code.
 * [sans-top25](https://rules.sonarsource.com/java/tag/sans-top25) - This tag is based on outdated statistics and should no longer be used. Instead, it's recommended to rely on the "CWE Top 25" reports, which are available in [Enterprise Edition](https://redirect.sonarsource.com/editions/enterprise.html).
 * [suspicious](https://rules.sonarsource.com/java/tag/suspicious) - it's not guaranteed that this is a **bug**, but it looks suspiciously like one. At the very least, the code should be re-examined & likely refactored for clarity.