Update rule description

SonarSource · Sep 20, 2023 · 6fdcbf4 · 6fdcbf4
1 parent e3fa026
commit 6fdcbf4
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 34 deletions.
diff --git a/rules/S6760/metadata.json b/rules/S6760/metadata.json
@@ -1,2 +1 @@
-{
-}
+{}
diff --git a/rules/S6760/secrets/metadata.json b/rules/S6760/secrets/metadata.json
@@ -1,25 +1,56 @@
 {
-  "title": "FIXME",
-  "type": "CODE_SMELL",
+  "title": "Yandex tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
-    "constantCost": "5min"
+    "constantCost": "30min"
   },
   "tags": [
+    "cwe",
+    "cert"
   ],
-  "defaultSeverity": "Major",
+  "extra": {
+    "replacementRules": []
+  },
+  "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-6760",
   "sqKey": "S6760",
   "scope": "All",
-  "defaultQualityProfiles": ["Sonar way"],
-  "quickfix": "unknown",
-  "code": {
-    "impacts": {
-      "MAINTAINABILITY": "HIGH",
-      "RELIABILITY": "MEDIUM",
-      "SECURITY": "LOW"
-    },
-    "attribute": "CONVENTIONAL"
-  }
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
 }
diff --git a/rules/S6760/secrets/rule.adoc b/rules/S6760/secrets/rule.adoc
@@ -1,31 +1,58 @@
-FIXME: add a description
-
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+include::../../../shared_content/secrets/description.adoc[]
 
 == Why is this an issue?
 
-FIXME: remove the unused optional headers (that are commented out)
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to a Yandex token or key, they might be able to compromise your Yandex Cloud environment. This includes control over any applications or services that are running, as well as data that are managed by the account.
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/non_repudiation.adoc[]
 
-//=== What is the potential impact?
+include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[]
 
 == How to fix it
-//== How to fix it in FRAMEWORK NAME
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
 
 === Code examples
 
 ==== Noncompliant code example
 
-[source,text,diff-id=1,diff-type=noncompliant]
+[source,javascript,diff-id=1,diff-type=noncompliant]
 ----
-FIXME
+import { Session, cloudApi, serviceClients } from '@yandex-cloud/nodejs-sdk';
+
+const { resourcemanager: { cloud_service: { ListCloudsRequest } } } = cloudApi;
+
+const session = new Session({ iamToken: 't1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg' }); // Noncompliant
+const cloudService = session.client(serviceClients.CloudServiceClient);
+
+const response = await cloudService.list(ListCloudsRequest.fromPartial({
+    pageSize: 100,
+}));
 ----
 
 ==== Compliant solution
 
-[source,text,diff-id=1,diff-type=compliant]
+[source,javascript,diff-id=1,diff-type=compliant]
 ----
-FIXME
+import { Session, cloudApi, serviceClients } from '@yandex-cloud/nodejs-sdk';
+
+const { resourcemanager: { cloud_service: { ListCloudsRequest } } } = cloudApi;
+
+const session = new Session({ iamToken: process.env.YANDEX_TOKEN });
+const cloudService = session.client(serviceClients.CloudServiceClient);
+
+const response = await cloudService.list(ListCloudsRequest.fromPartial({
+    pageSize: 100,
+}));
 ----
 
 //=== How does this work?
@@ -34,11 +61,14 @@ FIXME
 
 //=== Going the extra mile
 
+== Resources
+
+=== Documentation
+
+https://cloud.yandex.com/en/docs/iam/concepts/authorization/oauth-token[Yandex OAuth token]
+
+https://cloud.yandex.com/en/docs/iam/concepts/authorization/iam-token[Yandex IAM token]
+
+https://cloud.yandex.com/en/docs/iam/concepts/authorization/api-key[Yandex API key]
 
-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
+include::../../../shared_content/secrets/resources/standards.adoc[]
-Original file line number
+Diff line change
@@ -1,2 +1 @@
-    {
-    }
+    {}