Create rule S7137: RubyGems.org API keys should not be disclosed (APP…

…SEC-1862) (#4464)
SonarSource · Nov 4, 2024 · 5b31725 · 5b31725
1 parent fd53368
commit 5b31725
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 0 deletions.
diff --git a/rules/S7137/metadata.json b/rules/S7137/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7137/secrets/metadata.json b/rules/S7137/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "RubyGems.org API keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7137",
+  "sqKey": "S7137",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7137/secrets/rule.adoc b/rules/S7137/secrets/rule.adoc
@@ -0,0 +1,43 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to a RubyGems.org API key, they might be able to gain access to any private package linked to this token.
+
+=== What is the potential impact?
+
+The exact impact of the compromise of an RubyGems.org API key varies depending on the permissions granted to this token. It can range from loss of sensitive data and source code to severe supply chain attacks.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: rubygems_cec9db9373ea171daaaa0bf2337edce187f09558cb19c1b2
+:example_name: rubygems.api-key
+:example_env: RUBYGEMS_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+=== Going the extra mile
+
+include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
+
+== Resources
+
+=== Documentation
+
+RubyGems.org - https://guides.rubygems.org/api-key-scopes/[API key scopes]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+