From 64ab6905ed99164d8257f3de968ff63074dec7f5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 13 Nov 2024 12:30:24 +0000
Subject: [PATCH 1/9] Create rule S7152: Datadog secrets should not be disclosed (APPSEC-2240) (#4487)
---
 rules/S7152/metadata.json | 2 ++
 rules/S7152/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7152/secrets/rule.adoc | 42 +++++++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 rules/S7152/metadata.json
 create mode 100644 rules/S7152/secrets/metadata.json
 create mode 100644 rules/S7152/secrets/rule.adoc
diff --git a/rules/S7152/metadata.json b/rules/S7152/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7152/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7152/secrets/metadata.json b/rules/S7152/secrets/metadata.json
new file mode 100644
index 00000000000..da1e8f17a75
--- /dev/null
+++ b/rules/S7152/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Datadog secrets should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7152",
+ "sqKey": "S7152",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7152/secrets/rule.adoc b/rules/S7152/secrets/rule.adoc
new file mode 100644
index 00000000000..4538f5a51d5
--- /dev/null
+++ b/rules/S7152/secrets/rule.adoc
@@ -0,0 +1,42 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+
+=== What is the potential impact?
+
+If an attacker gains access to a Datadog API or Application keys, they might be able to gain access to Datadog APIs.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: dd98e81b00ee8f8bab4849cf7e8e493f
+:example_name: datadog.api_key
+:example_env: DATADOG_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+=== Documentation
+
+* Datadog - https://docs.datadoghq.com/account_management/api-app-keys/[API and Application Keys]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
From 8093bf5e8a46d071c23ea4fa785b5b45b379c7f2 Mon Sep 17 00:00:00 2001
From: Jonas Wielage
Date: Wed, 13 Nov 2024 13:43:20 +0100
Subject: [PATCH 2/9] Modify S2068: Description should not recommend customizing it with tokens (#4496)
---
 rules/S2068/php/rule.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/S2068/php/rule.adoc b/rules/S2068/php/rule.adoc
index ae3a8ee3e12..d49be41c3eb 100644
--- a/rules/S2068/php/rule.adoc
+++ b/rules/S2068/php/rule.adoc
@@ -1,4 +1,4 @@
-include::../description.adoc[]
+include::../description-no-recommend.adoc[]
 include::../ask-yourself.adoc[]
From 1d3e50e6e2f6d31de137dcb8c16ee09e4632dc38 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 13 Nov 2024 15:59:09 +0100
Subject: [PATCH 3/9] Create rule S7159: Replicate API tokens should not be disclosed (#4494)
---
 rules/S7159/metadata.json | 2 ++
 rules/S7159/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7159/secrets/rule.adoc | 34 +++++++++++++++++++
 3 files changed, 92 insertions(+)
 create mode 100644 rules/S7159/metadata.json
 create mode 100644 rules/S7159/secrets/metadata.json
 create mode 100644 rules/S7159/secrets/rule.adoc
diff --git a/rules/S7159/metadata.json b/rules/S7159/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7159/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7159/secrets/metadata.json b/rules/S7159/secrets/metadata.json
new file mode 100644
index 00000000000..c5e53aba824
--- /dev/null
+++ b/rules/S7159/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Replicate API tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7159",
+ "sqKey": "S7159",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7159/secrets/rule.adoc b/rules/S7159/secrets/rule.adoc
new file mode 100644
index 00000000000..8a7c8be29e7
--- /dev/null
+++ b/rules/S7159/secrets/rule.adoc
@@ -0,0 +1,34 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: r8_M8gWqxABxDhQlJnSbMbbJJf7dNIvxtU4M2ZEQ
+:example_name: replicate-api-key
+:example_env: REPLICATE_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
From 51b85e712b37a30612eddf79c6f76df95fa4001d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 13 Nov 2024 16:14:45 +0100
Subject: [PATCH 4/9] Create rule S7151: Hugging Face access tokens should not be disclosed (#4486)
---
 rules/S7151/metadata.json | 2 ++
 rules/S7151/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7151/secrets/rule.adoc | 41 ++++++++++++++++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 rules/S7151/metadata.json
 create mode 100644 rules/S7151/secrets/metadata.json
 create mode 100644 rules/S7151/secrets/rule.adoc
diff --git a/rules/S7151/metadata.json b/rules/S7151/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7151/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7151/secrets/metadata.json b/rules/S7151/secrets/metadata.json
new file mode 100644
index 00000000000..829302defc3
--- /dev/null
+++ b/rules/S7151/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Hugging Face access tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7151",
+ "sqKey": "S7151",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7151/secrets/rule.adoc b/rules/S7151/secrets/rule.adoc
new file mode 100644
index 00000000000..b3d6332d252
--- /dev/null
+++ b/rules/S7151/secrets/rule.adoc
@@ -0,0 +1,41 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: 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
+:example_name: huggingface-access-token
+:example_env: HUGGINGFACE_ACCESS_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
From 007eef436230982dba217c38bcda8451712c0805 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 13 Nov 2024 16:32:24 +0100
Subject: [PATCH 5/9] Create rule S7150(secrets): Anthropic API keys should not be disclosed (#4484)
---
 rules/S7150/metadata.json | 2 ++
 rules/S7150/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7150/secrets/rule.adoc | 40 ++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 rules/S7150/metadata.json
 create mode 100644 rules/S7150/secrets/metadata.json
 create mode 100644 rules/S7150/secrets/rule.adoc
diff --git a/rules/S7150/metadata.json b/rules/S7150/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7150/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7150/secrets/metadata.json b/rules/S7150/secrets/metadata.json
new file mode 100644
index 00000000000..0f06ca760fb
--- /dev/null
+++ b/rules/S7150/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Anthropic API keys should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7150",
+ "sqKey": "S7150",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7150/secrets/rule.adoc b/rules/S7150/secrets/rule.adoc
new file mode 100644
index 00000000000..f9b53cf59f6
--- /dev/null
+++ b/rules/S7150/secrets/rule.adoc
@@ -0,0 +1,40 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Anthropic API keys give access to a personal or organization's account and allows
+to use AI on their behalf.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API key
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: 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
+:example_name: anthropic-api-key
+:example_env: ANTHROPIC_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
From f4690e5118248b821426794fa635dd42e383ce15 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 14 Nov 2024 11:33:24 +0100
Subject: [PATCH 6/9] Create rule S7153 (#4488)
---
 rules/S7153/metadata.json | 2 ++
 rules/S7153/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7153/secrets/rule.adoc | 44 ++++++++++++++++++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 rules/S7153/metadata.json
 create mode 100644 rules/S7153/secrets/metadata.json
 create mode 100644 rules/S7153/secrets/rule.adoc
diff --git a/rules/S7153/metadata.json b/rules/S7153/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7153/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7153/secrets/metadata.json b/rules/S7153/secrets/metadata.json
new file mode 100644
index 00000000000..2068aa7c7b8
--- /dev/null
+++ b/rules/S7153/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "eBay OAuth credentials should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7153",
+ "sqKey": "S7153",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7153/secrets/rule.adoc b/rules/S7153/secrets/rule.adoc
new file mode 100644
index 00000000000..337b320e4ab
--- /dev/null
+++ b/rules/S7153/secrets/rule.adoc
@@ -0,0 +1,44 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If an attacker gains access to a eBay OAuth credentials, they might be able to authenticate as users or applications.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+==== Financial loss
+
+Financial losses can occur when a secret used to access eBay APIs is disclosed as part of the source code of
+client applications.
+
+As eBay provides APIs that allow user or applications to sell or to buy products, an attacker could use the secret to change price or buy items using the organization's account.
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: PRD-fe5d9474b718-6817-4a97-a50b-5752
+:example_name: ebay.client-secret
+:example_env: EBAY_CLIENT_SECRET
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+=== Documentation
+
+- eBay Developer Program - https://developer.ebay.com/api-docs/static/oauth-credentials.html[Getting your OAuth credentials]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
From a0be31ce6772463d5dd09fd33dc2e0cc39ce2d0d Mon Sep 17 00:00:00 2001
From: Pavel Mikula <57188685+pavel-mikula-sonarsource@users.noreply.github.com>
Date: Thu, 14 Nov 2024 13:25:46 +0100
Subject: [PATCH 7/9] NET-668 Modify S7130: Add vbnet rspec (#4499)
---
 rules/S7130/csharp/metadata.json | 21 ---------------------
 rules/S7130/csharp/rule.adoc | 25 ++-----------------------
 rules/S7130/description-dotnet.adoc | 12 ++++++++++++
 rules/S7130/metadata.json | 21 +++++++++++++++++++++
 rules/S7130/resources-dotnet.adoc | 13 +++++++++++++
 rules/S7130/vbnet/metadata.json | 2 ++
 rules/S7130/vbnet/rule.adoc | 25 +++++++++++++++++++++++++
 7 files changed, 75 insertions(+), 44 deletions(-)
 create mode 100644 rules/S7130/description-dotnet.adoc
 create mode 100644 rules/S7130/resources-dotnet.adoc
 create mode 100644 rules/S7130/vbnet/metadata.json
 create mode 100644 rules/S7130/vbnet/rule.adoc
diff --git a/rules/S7130/csharp/metadata.json b/rules/S7130/csharp/metadata.json
index 5df8d4ce1a2..2c63c085104 100644
--- a/rules/S7130/csharp/metadata.json
+++ b/rules/S7130/csharp/metadata.json
@@ -1,23 +1,2 @@
 {
- "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty",
- "type": "CODE_SMELL",
- "status": "ready",
- "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "1min"
- },
- "tags": [
- ],
- "defaultSeverity": "Major",
- "ruleSpecification": "RSPEC-7130",
- "sqKey": "S7130",
- "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
- "quickfix": "targeted",
- "code": {
- "impacts": {
- "MAINTAINABILITY": "MEDIUM"
- },
- "attribute": "CLEAR"
- }
 }
diff --git a/rules/S7130/csharp/rule.adoc b/rules/S7130/csharp/rule.adoc
index faa398ed8c6..e7ab4768e68 100644
--- a/rules/S7130/csharp/rule.adoc
+++ b/rules/S7130/csharp/rule.adoc
@@ -1,14 +1,4 @@
-When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault].
-
-== Why is this an issue?
-
-Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to:
-
-* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code.
-
-* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process.
-
-* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage.
+include::../description-dotnet.adoc[]
 === Code examples
@@ -30,17 +20,6 @@ var items = new List { 1, 2, 3 };
 int firstItem = items.First(); // Compliant
 ----
-== Resources
-
-=== Documentation
-
-* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`]
-* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`]
-* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`]
-* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`]
-
-=== Articles & blog posts
-
-* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look]
+include::../resources-dotnet.adoc[]
 include::../rspecator.adoc[]
diff --git a/rules/S7130/description-dotnet.adoc b/rules/S7130/description-dotnet.adoc
new file mode 100644
index 00000000000..3e1f578bb92
--- /dev/null
+++ b/rules/S7130/description-dotnet.adoc
@@ -0,0 +1,12 @@
+When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault].
+
+== Why is this an issue?
+
+Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to:
+
+* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code.
+
+* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process.
+
+* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage.
+
diff --git a/rules/S7130/metadata.json b/rules/S7130/metadata.json
index 2c63c085104..bd17ee9ddff 100644
--- a/rules/S7130/metadata.json
+++ b/rules/S7130/metadata.json
@@ -1,2 +1,23 @@
 {
+ "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "1min"
+ },
+ "tags": [
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-7130",
+ "sqKey": "S7130",
+ "scope": "All",
+ "defaultQualityProfiles": [ "Sonar way" ],
+ "quickfix": "targeted",
+ "code": {
+ "impacts": {
+ "MAINTAINABILITY": "MEDIUM"
+ },
+ "attribute": "CLEAR"
+ }
 }
diff --git a/rules/S7130/resources-dotnet.adoc b/rules/S7130/resources-dotnet.adoc
new file mode 100644
index 00000000000..112dc06edab
--- /dev/null
+++ b/rules/S7130/resources-dotnet.adoc
@@ -0,0 +1,13 @@
+== Resources
+
+=== Documentation
+
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`]
+
+=== Articles & blog posts
+
+* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look]
+
diff --git a/rules/S7130/vbnet/metadata.json b/rules/S7130/vbnet/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7130/vbnet/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7130/vbnet/rule.adoc b/rules/S7130/vbnet/rule.adoc
new file mode 100644
index 00000000000..3eddd11d473
--- /dev/null
+++ b/rules/S7130/vbnet/rule.adoc
@@ -0,0 +1,25 @@
+include::../description-dotnet.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+Dim Items As New list(Of Integer) From {1, 2, 3}
+
+Dim FirstItem As Integer = Items.FirstOrDefault() ' Noncompliant, this implies the collection might be empty, when we know it is not
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+Dim Items As New list(Of Integer) From {1, 2, 3}
+
+Dim FirstItem As Integer = Items.First() ' Compliant
+----
+
+include::../resources-dotnet.adoc[]
+
+include::../rspecator.adoc[]
From 9f98b3b50d91e4f1ff5814fb5de5732d2da78832 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 14 Nov 2024 13:45:36 +0100
Subject: [PATCH 8/9] Create rule S7155: CircleCI secrets should not be disclosed (APPSEC-2239) (#4490)
---
 rules/S7155/metadata.json | 2 ++
 rules/S7155/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7155/secrets/rule.adoc | 52 ++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 rules/S7155/metadata.json
 create mode 100644 rules/S7155/secrets/metadata.json
 create mode 100644 rules/S7155/secrets/rule.adoc
diff --git a/rules/S7155/metadata.json b/rules/S7155/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7155/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7155/secrets/metadata.json b/rules/S7155/secrets/metadata.json
new file mode 100644
index 00000000000..903c4c89bab
--- /dev/null
+++ b/rules/S7155/secrets/metadata.json
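Review bot: Both listings in the new vbnet/rule.adoc are tagged `[source,csharp,diff-id=1,diff-type=noncompliant]` and `[source,csharp,diff-id=1,diff-type=compliant]`, but the snippets are VB.NET (`Dim Items As New list(Of Integer) From {1, 2, 3}`), so they will be highlighted and, if the build validates snippets per language, checked as C#. The language token should name VB.NET, presumably the same `vbnet` token the rule directory uses, e.g. `[source,vbnet,diff-id=1,diff-type=noncompliant]` and `[source,vbnet,diff-id=1,diff-type=compliant]`. Separately, `list(Of Integer)` is lower-case in both snippets; VB.NET resolves it case-insensitively, but the conventional spelling is `List(Of Integer)`, matching the `List` used in the C# counterpart.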
@@ -0,0 +1,56 @@
+{
+ "title": "CircleCI API tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7155",
+ "sqKey": "S7155",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7155/secrets/rule.adoc b/rules/S7155/secrets/rule.adoc
new file mode 100644
index 00000000000..7d513d8b1b0
--- /dev/null
+++ b/rules/S7155/secrets/rule.adoc
@@ -0,0 +1,52 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+If attackers gain access to a CircleCI API token, they might be able to modify projects and jobs running on the CircleCI platform.
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+The exact impact of compromising a CircleCI API token varies depending on the permissions granted and its type (personal or project token). It can range from loss of sensitive data and source code to severe supply chain attacks.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: CCIPAT_FERZRjTN451xnDCy1y9gWn_79fb6ca4d0e5f833612eee17de397a9dca0a9e9f
+:example_name: cci-api-token
+:example_env: CCI_API_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+=== Going the extra mile
+
+include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
+
+== Resources
+
+=== Documentation
+
+* CircleCI Docs - https://circleci.com/docs/managing-api-tokens/[Managing API Tokens]
+* CircleCI Docs - https://circleci.com/docs/api-developers-guide/[CircleCI API developer’s guide]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
From 19f97f60ba74c6deb13b79ed792aa467595880bd Mon Sep 17 00:00:00 2001
From: GabinL21 <67428953+GabinL21@users.noreply.github.com>
Date: Thu, 14 Nov 2024 14:03:27 +0100
Subject: [PATCH 9/9] Modify rule S6249: fix Terraform code examples (#4502)
---
 rules/S6249/terraform/rule.adoc | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/rules/S6249/terraform/rule.adoc b/rules/S6249/terraform/rule.adoc
index 8b0914292d2..4d285586569 100644
--- a/rules/S6249/terraform/rule.adoc
+++ b/rules/S6249/terraform/rule.adoc
@@ -8,6 +8,7 @@ include::../recommended.adoc[]
 No secure policy is attached to this bucket:
+[source,terraform]
 ----
 resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
 bucket = "mynoncompliantbucketname"
@@ -16,6 +17,7 @@ resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
 A policy is defined but forces only HTTPs communication for some users:
+[source,terraform]
 ----
 resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
 bucket = "mynoncompliantbucketname"
@@ -31,13 +33,13 @@ resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" {
 {
 Sid = "HTTPSOnly"
 Effect = "Deny"
- Principal = [
- "arn:aws:iam::123456789123:root"
- ] # secondary location: only one principal is forced to use https
+ Principal = {
+ "AWS": "arn:aws:iam::123456789123:root"
+ } # secondary location: only one principal is forced to use https
 Action = "s3:*"
 Resource = [
- aws_s3_bucket.mynoncompliantbucketpolicy.arn,
- "${aws_s3_bucket.mynoncompliantbucketpolicy.arn}/*",
+ aws_s3_bucket.mynoncompliantbucket.arn,
+ "${aws_s3_bucket.mynoncompliantbucket.arn}/*",
 ]
 Condition = {
 Bool = {
@@ -70,7 +72,9 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" {
 {
 Sid = "HTTPSOnly"
 Effect = "Deny"
- Principal = "*"
+ Principal = {
+ "AWS": "*"
+ }
 Action = "s3:*"
 Resource = [
 aws_s3_bucket.mycompliantbucket.arn,