diff --git a/rules/S2068/php/rule.adoc b/rules/S2068/php/rule.adoc index ae3a8ee3e12..d49be41c3eb 100644 --- a/rules/S2068/php/rule.adoc +++ b/rules/S2068/php/rule.adoc @@ -1,4 +1,4 @@ -include::../description.adoc[] +include::../description-no-recommend.adoc[] include::../ask-yourself.adoc[] diff --git a/rules/S6249/terraform/rule.adoc b/rules/S6249/terraform/rule.adoc index 8b0914292d2..4d285586569 100644 --- a/rules/S6249/terraform/rule.adoc +++ b/rules/S6249/terraform/rule.adoc @@ -8,6 +8,7 @@ include::../recommended.adoc[] No secure policy is attached to this bucket: +[source,terraform] ---- resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive bucket = "mynoncompliantbucketname" @@ -16,6 +17,7 @@ resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive A policy is defined but forces only HTTPs communication for some users: +[source,terraform] ---- resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive bucket = "mynoncompliantbucketname" @@ -31,13 +33,13 @@ resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" { { Sid = "HTTPSOnly" Effect = "Deny" - Principal = [ - "arn:aws:iam::123456789123:root" - ] # secondary location: only one principal is forced to use https + Principal = { + "AWS": "arn:aws:iam::123456789123:root" + } # secondary location: only one principal is forced to use https Action = "s3:*" Resource = [ - aws_s3_bucket.mynoncompliantbucketpolicy.arn, - "${aws_s3_bucket.mynoncompliantbucketpolicy.arn}/*", + aws_s3_bucket.mynoncompliantbucket.arn, + "${aws_s3_bucket.mynoncompliantbucket.arn}/*", ] Condition = { Bool = { @@ -70,7 +72,9 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" { { Sid = "HTTPSOnly" Effect = "Deny" - Principal = "*" + Principal = { + "AWS": "*" + } Action = "s3:*" Resource = [ aws_s3_bucket.mycompliantbucket.arn, diff --git a/rules/S7130/csharp/metadata.json b/rules/S7130/csharp/metadata.json index 5df8d4ce1a2..2c63c085104 100644 --- a/rules/S7130/csharp/metadata.json 
+++ b/rules/S7130/csharp/metadata.json @@ -1,23 +1,2 @@ { - "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty", - "type": "CODE_SMELL", - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "1min" - }, - "tags": [ - ], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-7130", - "sqKey": "S7130", - "scope": "All", - "defaultQualityProfiles": ["Sonar way"], - "quickfix": "targeted", - "code": { - "impacts": { - "MAINTAINABILITY": "MEDIUM" - }, - "attribute": "CLEAR" - } } diff --git a/rules/S7130/csharp/rule.adoc b/rules/S7130/csharp/rule.adoc index faa398ed8c6..e7ab4768e68 100644 --- a/rules/S7130/csharp/rule.adoc +++ b/rules/S7130/csharp/rule.adoc 
@@ -1,14 +1,4 @@ -When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault]. - -== Why is this an issue? - -Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to: - -* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code. - -* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process. - -* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage. +include::../description-dotnet.adoc[] === Code examples 
@@ -30,17 +20,6 @@ var items = new List { 1, 2, 3 }; int firstItem = items.First(); // Compliant ---- -== Resources - -=== Documentation - -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`] - -=== Articles & blog posts - -* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look] +include::../resources-dotnet.adoc[] include::../rspecator.adoc[] diff --git a/rules/S7130/description-dotnet.adoc b/rules/S7130/description-dotnet.adoc new file mode 100644 index 00000000000..3e1f578bb92 --- /dev/null +++ b/rules/S7130/description-dotnet.adoc 
@@ -0,0 +1,12 @@ +When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault]. + +== Why is this an issue? + +Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to: + +* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code. + +* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process. + +* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage. + diff --git a/rules/S7130/metadata.json b/rules/S7130/metadata.json index 2c63c085104..bd17ee9ddff 100644 --- a/rules/S7130/metadata.json +++ b/rules/S7130/metadata.json 
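Review bot: The paragraphs moved verbatim into description-dotnet.adoc carry two grammatical slips that now surface on both the C# and the VB.NET pages: `If the developer's intend is` should read `If the developer's intent is`, and `you introduces a condition` should read `you introduce a condition`. Since this commit is already relocating the text into a shared file, fixing them here avoids a second edit of the shared content later.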
@@ -1,2 +1,23 @@ { + "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "1min" + }, + "tags": [ + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-7130", + "sqKey": "S7130", + "scope": "All", + "defaultQualityProfiles": [ "Sonar way" ], + "quickfix": "targeted", + "code": { + "impacts": { + "MAINTAINABILITY": "MEDIUM" + }, + "attribute": "CLEAR" + } } diff --git a/rules/S7130/resources-dotnet.adoc b/rules/S7130/resources-dotnet.adoc new file mode 100644 index 00000000000..112dc06edab --- /dev/null +++ b/rules/S7130/resources-dotnet.adoc @@ -0,0 +1,13 @@ +== Resources + +=== Documentation + +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`] + +=== Articles & blog posts + +* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look] + diff --git a/rules/S7130/vbnet/metadata.json b/rules/S7130/vbnet/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7130/vbnet/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7130/vbnet/rule.adoc b/rules/S7130/vbnet/rule.adoc new file mode 100644 index 00000000000..3eddd11d473 --- /dev/null +++ b/rules/S7130/vbnet/rule.adoc 
@@ -0,0 +1,25 @@ +include::../description-dotnet.adoc[] + +=== Code examples + +==== Noncompliant code example + +[source,csharp,diff-id=1,diff-type=noncompliant] +---- +Dim Items As New list(Of Integer) From {1, 2, 3} + +Dim FirstItem As Integer = Items.FirstOrDefault() ' Noncompliant, this implies the collection might be empty, when we know it is not +---- + +==== Compliant solution + +[source,csharp,diff-id=1,diff-type=compliant] +---- +Dim Items As New list(Of Integer) From {1, 2, 3} + +Dim FirstItem As Integer = Items.First() ' Compliant +---- + +include::../resources-dotnet.adoc[] + +include::../rspecator.adoc[] diff --git a/rules/S7150/metadata.json b/rules/S7150/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7150/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7150/secrets/metadata.json b/rules/S7150/secrets/metadata.json new file mode 100644 index 00000000000..0f06ca760fb --- /dev/null +++ b/rules/S7150/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "Anthropic API keys should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7150", + "sqKey": "S7150", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7150/secrets/rule.adoc b/rules/S7150/secrets/rule.adoc new file mode 100644 index 00000000000..f9b53cf59f6 --- /dev/null +++ b/rules/S7150/secrets/rule.adoc 
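Review bot: Both code examples on the new VB.NET page are tagged `[source,csharp,diff-id=1,...]` although the snippets are Visual Basic (`Dim Items As New ...`), so highlighting and any per-language validation of the examples will treat them as C#; they should read `[source,vbnet,diff-id=1,diff-type=noncompliant]` and `[source,vbnet,diff-id=1,diff-type=compliant]`. The generic type is also spelled `New list(Of Integer)`; VB.NET resolves that case-insensitively, but the framework type is `List(Of Integer)` and the example should use the canonical casing so readers are not led to copy a non-standard form. The empty vbnet/metadata.json added alongside relies on the parent S7130/metadata.json filled in by this commit, which matches how the csharp one was emptied.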
@@ -0,0 +1,40 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Anthropic API keys give access to a personal or organization's account and allows +to use AI on their behalf. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +:secret_type: API key + +include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] + +include::../../../shared_content/secrets/impact/financial_loss.adoc[] + + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: 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 +:example_name: anthropic-api-key +:example_env: ANTHROPIC_API_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] + diff --git a/rules/S7151/metadata.json b/rules/S7151/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7151/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7151/secrets/metadata.json b/rules/S7151/secrets/metadata.json new file mode 100644 index 00000000000..829302defc3 --- /dev/null +++ b/rules/S7151/secrets/metadata.json 
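Review bot: The impact statement `Anthropic API keys give access to a personal or organization's account and allows to use AI on their behalf` is ungrammatical and slightly misleading: an API key authenticates calls to the Anthropic API and is billed to the owning organization, it is not a login to the account itself. Suggested wording: `Anthropic API keys authenticate requests to the Anthropic API on behalf of the organization that issued them; anyone holding the key can run model inference that is billed to that organization.` The fix section omits `include::../../../shared_content/secrets/fix/recent_use.adoc[]`, which the Datadog rule in this same commit includes; since the realistic impact here is unexpected spend, pointing the reader at the provider's usage view before and after revocation seems worth the same include, assuming one is exposed. The `:secret_type: API key` attribute is set only in this rule; if the shared impact files consume it, the sibling rules in this commit should set it too, otherwise it can be dropped.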
@@ -0,0 +1,56 @@ +{ + "title": "Hugging Face access tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7151", + "sqKey": "S7151", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7151/secrets/rule.adoc b/rules/S7151/secrets/rule.adoc new file mode 100644 index 00000000000..b3d6332d252 --- /dev/null +++ b/rules/S7151/secrets/rule.adoc 
@@ -0,0 +1,41 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/data_modification.adoc[] + +include::../../../shared_content/secrets/impact/malware_distribution.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: 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 +:example_name: huggingface-access-token +:example_env: HUGGINGFACE_ACCESS_TOKEN + +include::../../../shared_content/secrets/examples.adoc[] + +//=== How does this work? + +//=== Pitfalls + +//=== Going the extra mile + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] + +//=== Benchmarks diff --git a/rules/S7152/metadata.json b/rules/S7152/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7152/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7152/secrets/metadata.json b/rules/S7152/secrets/metadata.json new file mode 100644 index 00000000000..da1e8f17a75 --- /dev/null +++ b/rules/S7152/secrets/metadata.json 
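Review bot: The potential-impact section says nothing about token scope, yet Hugging Face issues read, write and fine-grained tokens, so the two scenarios listed (`data_modification`, `malware_distribution`) only apply to write-capable tokens; a sentence such as `The impact depends on the token's role: a read token exposes private models, datasets and Spaces, whereas a write token lets an attacker modify or replace them.` would frame the includes correctly, and `impact/data_compromise.adoc` would cover the read-only case. Because scoped tokens exist, the commented-out `=== Going the extra mile` could include `shared_content/secrets/extra_mile/permissions_scope.adoc`, as the CircleCI rule in this commit does. Minor: the `huggingface_hub` client reads its token from `HF_TOKEN`, so `:example_env: HF_TOKEN` would match what users actually configure — worth confirming against the current docs before changing.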
@@ -0,0 +1,56 @@ +{ + "title": "Datadog secrets should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7152", + "sqKey": "S7152", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7152/secrets/rule.adoc b/rules/S7152/secrets/rule.adoc new file mode 100644 index 00000000000..4538f5a51d5 --- /dev/null +++ b/rules/S7152/secrets/rule.adoc 
@@ -0,0 +1,42 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + + +=== What is the potential impact? + +If an attacker gains access to a Datadog API or Application keys, they might be able to gain access to Datadog APIs. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/data_compromise.adoc[] + +include::../../../shared_content/secrets/impact/data_modification.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/recent_use.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: dd98e81b00ee8f8bab4849cf7e8e493f +:example_name: datadog.api_key +:example_env: DATADOG_API_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +=== Documentation + +* Datadog - https://docs.datadoghq.com/account_management/api-app-keys/[API and Application Keys] + +include::../../../shared_content/secrets/resources/standards.adoc[] diff --git a/rules/S7153/metadata.json b/rules/S7153/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7153/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7153/secrets/metadata.json b/rules/S7153/secrets/metadata.json new file mode 100644 index 00000000000..2068aa7c7b8 --- /dev/null +++ b/rules/S7153/secrets/metadata.json 
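Review bot: The impact line `If an attacker gains access to a Datadog API or Application keys, they might be able to gain access to Datadog APIs` is circular and hides the distinction that matters for triage: per the Datadog page linked under Documentation, an API key is what agents and integrations use to submit data, whereas an application key, used together with an API key, carries the permissions of the user who created it and unlocks the management and query APIs. Suggested replacement: `A leaked API key lets an attacker submit arbitrary metrics, logs and events into the organization's account, polluting dashboards and monitors and driving up ingestion costs. A leaked application key additionally grants the permissions of the user who created it, which typically includes reading monitoring data and modifying monitors, dashboards and integrations.` The example `dd98e81b00ee8f8bab4849cf7e8e493f` is a 32-hex-character API key only; if the detector also matches application keys, a second example or a sentence noting the two formats would help readers recognise both. `fix/recent_use.adoc` is included here but missing from the Anthropic, Hugging Face, CircleCI and Replicate rules added in the same commit — worth aligning one way or the other.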
@@ -0,0 +1,56 @@ +{ + "title": "eBay OAuth credentials should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7153", + "sqKey": "S7153", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7153/secrets/rule.adoc b/rules/S7153/secrets/rule.adoc new file mode 100644 index 00000000000..337b320e4ab --- /dev/null +++ b/rules/S7153/secrets/rule.adoc 
@@ -0,0 +1,44 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +If an attacker gains access to a eBay OAuth credentials, they might be able to authenticate as users or applications. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +==== Financial loss + +Financial losses can occur when a secret used to access eBay APIs is disclosed as part of the source code of +client applications. + +As eBay provides APIs that allow user or applications to sell or to buy products, an attacker could use the secret to change price or buy items using the organization's account. + +include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: PRD-fe5d9474b718-6817-4a97-a50b-5752 +:example_name: ebay.client-secret +:example_env: EBAY_CLIENT_SECRET + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +=== Documentation + +- eBay Developer Program - https://developer.ebay.com/api-docs/static/oauth-credentials.html[Getting your OAuth credentials] + +include::../../../shared_content/secrets/resources/standards.adoc[] diff --git a/rules/S7155/metadata.json b/rules/S7155/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7155/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7155/secrets/metadata.json b/rules/S7155/secrets/metadata.json new file mode 100644 index 00000000000..903c4c89bab --- /dev/null +++ b/rules/S7155/secrets/metadata.json 
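Review bot: The financial-loss paragraph claims the secret lets an attacker `change price or buy items using the organization's account`, but the example (`ebay.client-secret`, a `PRD-…` Cert ID) is the application's OAuth client secret: by itself it yields application tokens through the client-credentials grant, and acting on a user's account still requires user tokens obtained via the authorization-code flow. The accurate and still serious claim is that the secret lets the attacker impersonate the application — minting application tokens and redeeming the application's authorization codes and refresh tokens — which is how users who authorized the app become exposed; I suggest rewording the paragraph along those lines and checking it against the linked eBay credentials page. Wording nits in the same hunk: `to a eBay OAuth credentials` should be `to eBay OAuth credentials`, and `allow user or applications` should be `allow users or applications`. The Documentation list uses `-` bullets while every other rule in this commit uses `*`.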
@@ -0,0 +1,56 @@ +{ + "title": "CircleCI API tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7155", + "sqKey": "S7155", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7155/secrets/rule.adoc b/rules/S7155/secrets/rule.adoc new file mode 100644 index 00000000000..7d513d8b1b0 --- /dev/null +++ b/rules/S7155/secrets/rule.adoc 
@@ -0,0 +1,52 @@ + +include::../../../shared_content/secrets/description.adoc[] + +If attackers gain access to a CircleCI API token, they might be able to modify projects and jobs running on the CircleCI platform. + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +The exact impact of compromising a CircleCI API token varies depending on the permissions granted and its type (personal or project token). It can range from loss of sensitive data and source code to severe supply chain attacks. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] + +include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: CCIPAT_FERZRjTN451xnDCy1y9gWn_79fb6ca4d0e5f833612eee17de397a9dca0a9e9f +:example_name: cci-api-token +:example_env: CCI_API_TOKEN + +include::../../../shared_content/secrets/examples.adoc[] + +//=== How does this work? + +//=== Pitfalls + +=== Going the extra mile + +include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[] + +== Resources + +=== Documentation + +* CircleCI Docs - https://circleci.com/docs/managing-api-tokens/[Managing API Tokens] +* CircleCI Docs - https://circleci.com/docs/api-developers-guide/[CircleCI API developer’s guide] + +include::../../../shared_content/secrets/resources/standards.adoc[] + +//=== Benchmarks diff --git a/rules/S7159/metadata.json b/rules/S7159/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7159/metadata.json @@ -0,0 +1,2 @@ +{ +} 
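Review bot: The impact text says the damage depends on whether the token is personal or project-scoped, but never says which kind the example `CCIPAT_…` and the `cci-api-token` / `CCI_API_TOKEN` names describe; a sentence such as `The example below is a personal API token (prefix CCIPAT_), which acts with all the permissions of the user who created it.` would tie the two together. The CircleCI CLI reads its token from `CIRCLECI_CLI_TOKEN`, so that may be the more recognisable `:example_env:` value — worth checking against the CLI documentation linked below. As with the sibling rules in this commit, consider including `shared_content/secrets/fix/recent_use.adoc` so the reader is told to review recent API and pipeline activity before revoking, since a token used to alter pipeline configuration is exactly the supply-chain case the impact section warns about.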
diff --git a/rules/S7159/secrets/metadata.json b/rules/S7159/secrets/metadata.json
new file mode 100644
index 00000000000..c5e53aba824
--- /dev/null
+++ b/rules/S7159/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Replicate API tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7159",
+ "sqKey": "S7159",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7159/secrets/rule.adoc b/rules/S7159/secrets/rule.adoc
new file mode 100644
index 00000000000..8a7c8be29e7
--- /dev/null
+++ b/rules/S7159/secrets/rule.adoc
@@ -0,0 +1,34 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/data_modification.adoc[] + +include::../../../shared_content/secrets/impact/malware_distribution.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: r8_M8gWqxABxDhQlJnSbMbbJJf7dNIvxtU4M2ZEQ +:example_name: replicate-api-key +:example_env: REPLICATE_API_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] +
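Review bot: The rule title says `Replicate API tokens` but the example attributes say `replicate-api-key` / `REPLICATE_API_KEY`; the Replicate clients read `REPLICATE_API_TOKEN`, so `:example_name: replicate-api-token` and `:example_env: REPLICATE_API_TOKEN` would be consistent with both the title and real usage (confirm against Replicate's docs). The impact section reuses the Hugging Face includes (`data_modification`, `malware_distribution`) although a Replicate token primarily lets an attacker run paid model predictions billed to the owner, which is the `financial_loss` scenario the Anthropic rule in this same commit uses; adding `include::../../../shared_content/secrets/impact/financial_loss.adoc[]` and one sentence stating what the token grants would describe the risk more accurately. Unlike the other secrets rules in this commit, this one has no `=== Documentation` entry under Resources; a link to Replicate's authentication documentation would give the reader somewhere to verify the claims.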