From 9343f9a8f14926a282cc9dd158becd633b10648b Mon Sep 17 00:00:00 2001 From: Egon Okerman Date: Tue, 19 Sep 2023 16:26:52 +0200 Subject: [PATCH] Secret bootstraping: Adding template metadata and rule description --- rules/S6782/secrets/metadata.json | 78 ++++++++++++++++++++++--------- rules/S6782/secrets/rule.adoc | 64 +++++++++++++++---------- 2 files changed, 96 insertions(+), 46 deletions(-) diff --git a/rules/S6782/secrets/metadata.json b/rules/S6782/secrets/metadata.json index dba48191c53..a1b71235978 100644 --- a/rules/S6782/secrets/metadata.json +++ b/rules/S6782/secrets/metadata.json @@ -1,25 +1,59 @@ { - "title": "FIXME", - "type": "CODE_SMELL", - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "5min" - }, - "tags": [ - ], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-6782", - "sqKey": "S6782", - "scope": "All", - "defaultQualityProfiles": ["Sonar way"], - "quickfix": "unknown", - "code": { - "impacts": { - "MAINTAINABILITY": "HIGH", - "RELIABILITY": "MEDIUM", - "SECURITY": "LOW" + "title": "Docker Hub tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" }, - "attribute": "CONVENTIONAL" + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "extra": { + "replacementRules": [ + + ] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-6782", + "sqKey": "S6782", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" } -} + \ No newline at end of file 
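Review bot: The rewritten metadata.json no longer ends with a newline (`\ No newline at end of file` at the end of the hunk), whereas the template it replaces did; re-add the trailing newline so the file matches the other rule metadata files and later diffs do not show a spurious change on the closing brace. The `"OWASP": ["A3"]` entry carries no edition year, unlike the neighbouring `"OWASP Top 10 2021"` key; presumably it denotes the 2017 list (A3 Sensitive Data Exposure), which is consistent with CWE-798/CWE-259, but it is worth confirming against the convention used by the other secrets rules. The empty `"replacementRules": []` under `"extra"` is harmless if the generator expects it, but if no other secrets rule carries it the key can be dropped.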
diff --git a/rules/S6782/secrets/rule.adoc b/rules/S6782/secrets/rule.adoc
index 4bd440f87a8..733c22d4b55 100644
--- a/rules/S6782/secrets/rule.adoc
+++ b/rules/S6782/secrets/rule.adoc
@@ -1,32 +1,51 @@ -FIXME: add a description - -// If you want to factorize the description uncomment the following line and create the file. -//include::../description.adoc[] +include::../../../shared_content/secrets/description.adoc[] == Why is this an issue? -FIXME: remove the unused optional headers (that are commented out) +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +The consequences vary greatly depending on the situation and the secret-exposed +audience. Still, two main scenarios should be considered. + +include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[] + +include::../../../shared_content/secrets/impact/blockchain_data_exposure.adoc[] + +include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[] + +include::../../../shared_content/secrets/impact/data_compromise.adoc[] + +include::../../../shared_content/secrets/impact/financial_loss.adoc[] + +include::../../../shared_content/secrets/impact/malware_distribution.adoc[] -//=== What is the potential impact? 
+include::../../../shared_content/secrets/impact/non_repudiation.adoc[] + +include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] + +include::../../../shared_content/secrets/impact/phishing.adoc[] + +include::../../../shared_content/secrets/impact/security_downgrade.adoc[] + +include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[] == How to fix it -//== How to fix it in FRAMEWORK NAME -=== Code examples +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/recent_use.adoc[] -==== Noncompliant code example +include::../../../shared_content/secrets/fix/vault.adoc[] -[source,text,diff-id=1,diff-type=noncompliant] ----- -FIXME ----- +=== Code examples -==== Compliant solution +:example_secret: ghp_xd8KRQmqM8eGCdegBLeO5AJ4oS0VN3yWXWcw +:example_name: client_secret +:example_env: CLIENT_SECRET -[source,text,diff-id=1,diff-type=compliant] ----- -FIXME ----- +include::../../../shared_content/secrets/examples.adoc[] //=== How does this work? @@ -34,11 +53,8 @@ FIXME //=== Going the extra mile +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] -//== Resources -//=== Documentation -//=== Articles & blog posts -//=== Conference presentations -//=== Standards -//=== External coding guidelines //=== Benchmarks
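Review bot: The example secret under `=== Code examples`, `:example_secret: ghp_xd8KRQmqM8eGCdegBLeO5AJ4oS0VN3yWXWcw`, carries the `ghp_` prefix of a GitHub personal access token, while the metadata in this same commit titles the rule "Docker Hub tokens should not be disclosed", so the shared examples will show readers the wrong credential shape. Use a placeholder in Docker Hub's personal-access-token format instead (to my knowledge these begin with `dckr_pat_`; confirm against Docker's documentation) and rename the variables to match, e.g. `:example_name: docker_hub_token` and `:example_env: DOCKER_HUB_TOKEN`. The "What is the potential impact?" section states that "two main scenarios should be considered" but then includes all eleven shared impact snippets, several of which (`banking_financial_loss`, `blockchain_data_exposure`, `non_repudiation`) do not plausibly follow from a leaked registry token; prune the list to what a Docker Hub token actually enables — presumably pulling private images (`data_compromise`) and pushing tampered images that downstream consumers run (`malware_distribution`, `codeless_vulnerability_chaining`) — and make the lead-in count match. The commented-out `//=== How does this work?` and `//=== Benchmarks` placeholders survive on the new side; that is acceptable for a bootstrap, but they should be resolved or removed before the rule ships with `"status": "ready"`.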