From 5b31725f8142a81c9ab63aa6470b42d7bdc2c1f1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 4 Nov 2024 17:13:23 +0100
Subject: [PATCH] Create rule S7137: RubyGems.org API keys should not be disclosed (APPSEC-1862) (#4464)
---
 rules/S7137/metadata.json | 2 ++
 rules/S7137/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7137/secrets/rule.adoc | 43 ++++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 rules/S7137/metadata.json
 create mode 100644 rules/S7137/secrets/metadata.json
 create mode 100644 rules/S7137/secrets/rule.adoc
diff --git a/rules/S7137/metadata.json b/rules/S7137/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7137/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7137/secrets/metadata.json b/rules/S7137/secrets/metadata.json
new file mode 100644
index 00000000000..d08788e821f
--- /dev/null
+++ b/rules/S7137/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "RubyGems.org API keys should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7137",
+ "sqKey": "S7137",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7137/secrets/rule.adoc b/rules/S7137/secrets/rule.adoc
new file mode 100644
index 00000000000..7c25e69cf6f
--- /dev/null
+++ b/rules/S7137/secrets/rule.adoc
@@ -0,0 +1,43 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to a RubyGems.org API key, they might be able to gain access to any private package linked to this token.
+
+=== What is the potential impact?
+
+The exact impact of the compromise of an RubyGems.org API key varies depending on the permissions granted to this token. It can range from loss of sensitive data and source code to severe supply chain attacks.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: rubygems_cec9db9373ea171daaaa0bf2337edce187f09558cb19c1b2
+:example_name: rubygems.api-key
+:example_env: RUBYGEMS_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+=== Going the extra mile
+
+include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
+
+== Resources
+
+=== Documentation
+
+RubyGems.org - https://guides.rubygems.org/api-key-scopes/[API key scopes]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
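Review bot: The threat sentence in the "Why is this an issue?" section, `they might be able to gain access to any private package linked to this token`, does not fit RubyGems.org: it is a public registry, and the API key scopes page the rule itself links to governs actions such as pushing and yanking gems and changing gem owners rather than read access to private packages, so the wording appears carried over from another registry's secrets rule. I would rephrase it as `If an attacker gains access to a RubyGems.org API key, they might be able to publish or yank gems, or change gem ownership, within the scopes granted to this key.`, which also lines up with the supply_chain_attack include that follows; the source_code_compromise include may then deserve a second look, since a RubyGems.org key exposes published artifacts rather than private source. In the potential-impact paragraph, `an RubyGems.org API key` should read `a RubyGems.org API key`. The shared includes referenced here are outside this diff, so I cannot confirm how they render with these example attributes.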