From 6fdcbf41d418e15eee2584ce0c4814a804503a66 Mon Sep 17 00:00:00 2001
From: sebastien-andrivet-sonarsource
Date: Tue, 12 Sep 2023 11:38:33 +0200
Subject: [PATCH] Update rule description
---
 rules/S6760/metadata.json | 3 +-
 rules/S6760/secrets/metadata.json | 59 ++++++++++++++++++++-------
 rules/S6760/secrets/rule.adoc | 66 ++++++++++++++++++++++---------
 3 files changed, 94 insertions(+), 34 deletions(-)
diff --git a/rules/S6760/metadata.json b/rules/S6760/metadata.json
index 2c63c085104..0967ef424bc 100644
--- a/rules/S6760/metadata.json
+++ b/rules/S6760/metadata.json
@@ -1,2 +1 @@
-{
-}
+{}
diff --git a/rules/S6760/secrets/metadata.json b/rules/S6760/secrets/metadata.json
index 6273db667dd..f4696aec2ed 100644
--- a/rules/S6760/secrets/metadata.json
+++ b/rules/S6760/secrets/metadata.json
@@ -1,25 +1,56 @@
 {
- "title": "FIXME",
- "type": "CODE_SMELL",
+ "title": "Yandex tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
 "status": "ready",
 "remediation": {
 "func": "Constant\/Issue",
- "constantCost": "5min"
+ "constantCost": "30min"
 },
 "tags": [
+ "cwe",
+ "cert"
 ],
- "defaultSeverity": "Major",
+ "extra": {
+ "replacementRules": []
+ },
+ "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-6760",
 "sqKey": "S6760",
 "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
- "quickfix": "unknown",
- "code": {
- "impacts": {
- "MAINTAINABILITY": "HIGH",
- "RELIABILITY": "MEDIUM",
- "SECURITY": "LOW"
- },
- "attribute": "CONVENTIONAL"
- }
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
 }
diff --git a/rules/S6760/secrets/rule.adoc b/rules/S6760/secrets/rule.adoc
index 4bd440f87a8..884ee87685b 100644
--- a/rules/S6760/secrets/rule.adoc
+++ b/rules/S6760/secrets/rule.adoc
@@ -1,31 +1,58 @@ -FIXME: add a description - -// If you want to factorize the description uncomment the following line and create the file. -//include::../description.adoc[] +include::../../../shared_content/secrets/description.adoc[] == Why is this an issue? -FIXME: remove the unused optional headers (that are commented out) +include::../../../shared_content/secrets/rationale.adoc[] + +If an attacker gains access to a Yandex token or key, they might be able to compromise your Yandex Cloud environment. This includes control over any applications or services that are running, as well as data that are managed by the account. + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/non_repudiation.adoc[] -//=== What is the potential impact? +include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[] == How to fix it -//== How to fix it in FRAMEWORK NAME + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] === Code examples ==== Noncompliant code example -[source,text,diff-id=1,diff-type=noncompliant] +[source,javascript,diff-id=1,diff-type=noncompliant] ---- -FIXME +import { Session, cloudApi, serviceClients } from '@yandex-cloud/nodejs-sdk'; + +const { resourcemanager: { cloud_service: { ListCloudsRequest } } } = cloudApi; + +const session = new Session({ iamToken: 't1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg' }); // Noncompliant +const cloudService = session.client(serviceClients.CloudServiceClient); + +const response = await cloudService.list(ListCloudsRequest.fromPartial({ + pageSize: 100, +})); ---- ==== Compliant solution -[source,text,diff-id=1,diff-type=compliant] 
+[source,javascript,diff-id=1,diff-type=compliant] ---- -FIXME +import { Session, cloudApi, serviceClients } from '@yandex-cloud/nodejs-sdk'; + +const { resourcemanager: { cloud_service: { ListCloudsRequest } } } = cloudApi; + +const session = new Session({ iamToken: process.env.YANDEX_TOKEN }); +const cloudService = session.client(serviceClients.CloudServiceClient); + +const response = await cloudService.list(ListCloudsRequest.fromPartial({ + pageSize: 100, +})); ---- //=== How does this work? @@ -34,11 +61,14 @@ FIXME //=== Going the extra mile +== Resources + +=== Documentation + +https://cloud.yandex.com/en/docs/iam/concepts/authorization/oauth-token[Yandex OAuth token] + +https://cloud.yandex.com/en/docs/iam/concepts/authorization/iam-token[Yandex IAM token] + +https://cloud.yandex.com/en/docs/iam/concepts/authorization/api-key[Yandex API key] -//== Resources -//=== Documentation -//=== Articles & blog posts -//=== Conference presentations -//=== Standards -//=== External coding guidelines -//=== Benchmarks +include::../../../shared_content/secrets/resources/standards.adoc[]
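Review bot: The compliant listing (`diff-type=compliant`) passes `process.env.YANDEX_TOKEN` straight into `new Session(...)`, so when the variable is unset the session is presumably built with `iamToken: undefined` and the failure only surfaces later inside the SDK call; a fail-fast guard keeps the example honest, `const iamToken = process.env.YANDEX_TOKEN;` / `if (!iamToken) throw new Error('YANDEX_TOKEN is not set');` / `const session = new Session({ iamToken });`. The long `t1.` literal in the noncompliant listing is presumably a synthetic value; it is worth confirming it is not a real credential, even a revoked one, before it ships in public documentation. The impact section includes only the non-repudiation and banking/financial-loss snippets, while the rationale paragraph talks about control over running services and managed data, so if a shared impact snippet covering infrastructure or data compromise exists it would match the prose better.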