diff --git a/rules/S7146/metadata.json b/rules/S7146/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7146/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7146/secrets/metadata.json b/rules/S7146/secrets/metadata.json new file mode 100644 index 00000000000..b8f073816ab --- /dev/null +++ b/rules/S7146/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "NuGet.org API keys should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7146", + "sqKey": "S7146", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7146/secrets/rule.adoc b/rules/S7146/secrets/rule.adoc new file mode 100644 index 00000000000..14cb45b6ab6 --- /dev/null +++ b/rules/S7146/secrets/rule.adoc @@ -0,0 +1,43 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +If an attacker gains access to a NuGet.org API key, they might be able to gain access to any private package linked to this token. + +=== What is the potential impact? + +The exact impact of the compromise of an NuGet.org API key varies depending on the permissions granted to this token. It can range from loss of sensitive data and source code to severe supply chain attacks. + +include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] + +include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: oy2brfuhn45jupm5idtgjbmdlmmpisdgrl52g4koahuq2y +:example_name: nuget.api-key +:example_env: NUGET_API_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +=== Going the extra mile + +include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[] + +== Resources + +=== Documentation + +Microsoft Learn - https://learn.microsoft.com/en-us/nuget/nuget-org/scoped-api-keys[NuGet.org Scoped API keys] + +include::../../../shared_content/secrets/resources/standards.adoc[] +