Merge branch 'master' into rule/add-RSPEC-S7161

SonarSource · Nov 14, 2024 · 8a38ac4 · 8a38ac4
2 parents bbaf63f + 19f97f6
commit 8a38ac4
Show file tree

Hide file tree

Showing 27 changed files with 687 additions and 51 deletions.
diff --git a/rules/S2068/php/rule.adoc b/rules/S2068/php/rule.adoc
@@ -1,4 +1,4 @@
-include::../description.adoc[]
+include::../description-no-recommend.adoc[]
 
 include::../ask-yourself.adoc[]
 

diff --git a/rules/S6249/terraform/rule.adoc b/rules/S6249/terraform/rule.adoc
@@ -8,6 +8,7 @@ include::../recommended.adoc[]
 
 No secure policy is attached to this bucket:
 
+[source,terraform]
 ----
 resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive 
   bucket = "mynoncompliantbucketname"
@@ -16,6 +17,7 @@ resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
 
 A policy is defined but forces only HTTPs communication for some users:
 
+[source,terraform]
 ----
 resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive 
   bucket = "mynoncompliantbucketname"
@@ -31,13 +33,13 @@ resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" {
       {
         Sid       = "HTTPSOnly"
         Effect    = "Deny"
-        Principal = [
-          "arn:aws:iam::123456789123:root"
-        ] # secondary location: only one principal is forced to use https
+        Principal = {
+          "AWS": "arn:aws:iam::123456789123:root"
+        } # secondary location: only one principal is forced to use https
         Action    = "s3:*"
         Resource = [
-          aws_s3_bucket.mynoncompliantbucketpolicy.arn,
-          "${aws_s3_bucket.mynoncompliantbucketpolicy.arn}/*",
+          aws_s3_bucket.mynoncompliantbucket.arn,
+          "${aws_s3_bucket.mynoncompliantbucket.arn}/*",
         ]
         Condition = {
           Bool = {
@@ -70,7 +72,9 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" {
       {
         Sid       = "HTTPSOnly"
         Effect    = "Deny"
-        Principal = "*"
+        Principal = {
+          "AWS": "*"
+        }
         Action    = "s3:*"
         Resource = [
           aws_s3_bucket.mycompliantbucket.arn,

diff --git a/rules/S7130/csharp/metadata.json b/rules/S7130/csharp/metadata.json
@@ -1,23 +1,2 @@
 {
-  "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty",
-  "type": "CODE_SMELL",
-  "status": "ready",
-  "remediation": {
-    "func": "Constant\/Issue",
-    "constantCost": "1min"
-  },
-  "tags": [
-  ],
-  "defaultSeverity": "Major",
-  "ruleSpecification": "RSPEC-7130",
-  "sqKey": "S7130",
-  "scope": "All",
-  "defaultQualityProfiles": ["Sonar way"],
-  "quickfix": "targeted",
-  "code": {
-    "impacts": {
-      "MAINTAINABILITY": "MEDIUM"
-    },
-    "attribute": "CLEAR"
-  }
 }
diff --git a/rules/S7130/csharp/rule.adoc b/rules/S7130/csharp/rule.adoc
@@ -1,14 +1,4 @@
-When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault].
-
-== Why is this an issue?
-
-Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to:
-
-* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code.
-
-* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process.
-
-* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage.
+include::../description-dotnet.adoc[]
 
 === Code examples
 
@@ -30,17 +20,6 @@ var items = new List<int> { 1, 2, 3 };
 int firstItem = items.First(); // Compliant
 ----
 
-== Resources
-
-=== Documentation
-
-* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`]
-* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`]
-* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`]
-* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`] 
-
-=== Articles & blog posts
-
-* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look]
+include::../resources-dotnet.adoc[]
 
 include::../rspecator.adoc[]
diff --git a/rules/S7130/description-dotnet.adoc b/rules/S7130/description-dotnet.adoc
@@ -0,0 +1,12 @@
+When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault].
+
+== Why is this an issue?
+
+Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to:
+
+* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code.
+
+* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process.
+
+* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage.
+
diff --git a/rules/S7130/metadata.json b/rules/S7130/metadata.json
@@ -1,2 +1,23 @@
 {
+  "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "1min"
+  },
+  "tags": [
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7130",
+  "sqKey": "S7130",
+  "scope": "All",
+  "defaultQualityProfiles": [ "Sonar way" ],
+  "quickfix": "targeted",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "CLEAR"
+  }
 }
diff --git a/rules/S7130/resources-dotnet.adoc b/rules/S7130/resources-dotnet.adoc
@@ -0,0 +1,13 @@
+== Resources
+
+=== Documentation
+
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`]
+
+=== Articles & blog posts
+
+* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look]
+
diff --git a/rules/S7130/vbnet/metadata.json b/rules/S7130/vbnet/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7130/vbnet/rule.adoc b/rules/S7130/vbnet/rule.adoc
@@ -0,0 +1,25 @@
+include::../description-dotnet.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+Dim Items As New list(Of Integer) From {1, 2, 3}
+
+Dim FirstItem As Integer = Items.FirstOrDefault() ' Noncompliant, this implies the collection might be empty, when we know it is not
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+Dim Items As New list(Of Integer) From {1, 2, 3}
+
+Dim FirstItem As Integer = Items.First() ' Compliant
+----
+
+include::../resources-dotnet.adoc[]
+
+include::../rspecator.adoc[]
diff --git a/rules/S7150/metadata.json b/rules/S7150/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7150/secrets/metadata.json b/rules/S7150/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "Anthropic API keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7150",
+  "sqKey": "S7150",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7150/secrets/rule.adoc b/rules/S7150/secrets/rule.adoc
@@ -0,0 +1,40 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Anthropic API keys give access to a personal or organization's account and allows
+to use AI on their behalf.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API key
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: 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
+:example_name: anthropic-api-key
+:example_env: ANTHROPIC_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
diff --git a/rules/S7151/metadata.json b/rules/S7151/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7151/secrets/metadata.json b/rules/S7151/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "Hugging Face access tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7151",
+  "sqKey": "S7151",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7151/secrets/rule.adoc b/rules/S7151/secrets/rule.adoc
@@ -0,0 +1,41 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: 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
+:example_name: huggingface-access-token
+:example_env: HUGGINGFACE_ACCESS_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
diff --git a/rules/S7152/metadata.json b/rules/S7152/metadata.json
@@ -0,0 +1,2 @@
+{
+}