diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 852b40655f1..29ba0ee4a0d 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -3392,6 +3392,7 @@ "S7027": "sonar-architecture 1.0.0.1901", "S7044": "sonar-security 10.7.0.32997", "S7091": "sonar-architecture 1.0.0.1901", + "S7134": "sonar-architecture master", "S818": "sonar-java 4.15.0.12310", "S864": "sonar-java 4.15.0.12310", "S881": "sonar-java 4.15.0.12310", diff --git a/rules/S5408/cfamily/rule.adoc b/rules/S5408/cfamily/rule.adoc index 9263981a1bd..ccb41322be8 100644 --- a/rules/S5408/cfamily/rule.adoc +++ b/rules/S5408/cfamily/rule.adoc @@ -1,7 +1,6 @@ == Why is this an issue? -Declaring a function or a static member variable ``++constexpr++`` makes it implicitly inline. - +Declaring a function ``++constexpr++`` makes it implicitly inline. In that situation, explicitly using the ``++inline++`` keyword would be redundant, and might lead to confusion if it's used in some cases but not others. It's better to simply omit it. @@ -11,22 +10,14 @@ In that situation, explicitly using the ``++inline++`` keyword would be redundan [source,cpp] ---- inline constexpr int addOne(int n) { return n+1; } // Noncompliant -struct A { -inline constexpr static int secretNumber = 0; // Noncompliant -}; ---- - === Compliant solution [source,cpp] ---- constexpr int addOne(int n) { return n+1; } -struct A { -constexpr static int secretNumber = 0; -}; ---- -  ifdef::env-github,rspecator-view[] diff --git a/rules/S6249/terraform/rule.adoc b/rules/S6249/terraform/rule.adoc index 8b0914292d2..4d285586569 100644 --- a/rules/S6249/terraform/rule.adoc +++ b/rules/S6249/terraform/rule.adoc @@ -8,6 +8,7 @@ include::../recommended.adoc[] No secure policy is attached to this bucket: +[source,terraform] ---- resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive bucket = "mynoncompliantbucketname" 
@@ -16,6 +17,7 @@ resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive A policy is defined but forces only HTTPs communication for some users: +[source,terraform] ---- resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive bucket = "mynoncompliantbucketname" @@ -31,13 +33,13 @@ resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" { { Sid = "HTTPSOnly" Effect = "Deny" - Principal = [ - "arn:aws:iam::123456789123:root" - ] # secondary location: only one principal is forced to use https + Principal = { + "AWS": "arn:aws:iam::123456789123:root" + } # secondary location: only one principal is forced to use https Action = "s3:*" Resource = [ - aws_s3_bucket.mynoncompliantbucketpolicy.arn, - "${aws_s3_bucket.mynoncompliantbucketpolicy.arn}/*", + aws_s3_bucket.mynoncompliantbucket.arn, + "${aws_s3_bucket.mynoncompliantbucket.arn}/*", ] Condition = { Bool = { @@ -70,7 +72,9 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" { { Sid = "HTTPSOnly" Effect = "Deny" - Principal = "*" + Principal = { + "AWS": "*" + } Action = "s3:*" Resource = [ aws_s3_bucket.mycompliantbucket.arn, diff --git a/rules/S6418/java/rule.adoc b/rules/S6418/java/rule.adoc index b592ca548b6..886dddc613d 100644 --- a/rules/S6418/java/rule.adoc +++ b/rules/S6418/java/rule.adoc @@ -1,4 +1,4 @@ -:detectson: variables/fields +:detections: variables/fields :defaultsensibility: 5 include::../description.adoc[] diff --git a/rules/S7130/csharp/metadata.json b/rules/S7130/csharp/metadata.json index 5df8d4ce1a2..2c63c085104 100644 --- a/rules/S7130/csharp/metadata.json +++ b/rules/S7130/csharp/metadata.json 
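Review bot: The new `Principal` object uses JSON-style `"AWS": "*"` while every sibling attribute in the same policy statement uses HCL's `=` (`Sid = `, `Effect = `, `Action = `); HCL accepts both forms inside an object constructor, but the mixed style reads like a typo in an example meant to be copied. Prefer `Principal = { AWS = "*" }` here and `Principal = { AWS = "arn:aws:iam::123456789123:root" }` in the noncompliant example's hunk above. As far as I know `{ "AWS": "*" }` and the previous `"*"` are treated the same for a bucket-policy Deny, so the example still enforces what it claims; the `aws:SecureTransport` condition it relies on lies outside the hunk.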
@@ -1,23 +1,2 @@ { - "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty", - "type": "CODE_SMELL", - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "1min" - }, - "tags": [ - ], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-7130", - "sqKey": "S7130", - "scope": "All", - "defaultQualityProfiles": ["Sonar way"], - "quickfix": "targeted", - "code": { - "impacts": { - "MAINTAINABILITY": "MEDIUM" - }, - "attribute": "CLEAR" - } } diff --git a/rules/S7130/csharp/rule.adoc b/rules/S7130/csharp/rule.adoc index faa398ed8c6..e7ab4768e68 100644 --- a/rules/S7130/csharp/rule.adoc +++ b/rules/S7130/csharp/rule.adoc 
@@ -1,14 +1,4 @@ -When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault]. - -== Why is this an issue? - -Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to: - -* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code. - -* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process. - -* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage. +include::../description-dotnet.adoc[] === Code examples 
@@ -30,17 +20,6 @@ var items = new List { 1, 2, 3 }; int firstItem = items.First(); // Compliant ---- -== Resources - -=== Documentation - -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`] - -=== Articles & blog posts - -* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look] +include::../resources-dotnet.adoc[] include::../rspecator.adoc[] diff --git a/rules/S7130/description-dotnet.adoc b/rules/S7130/description-dotnet.adoc new file mode 100644 index 00000000000..3e1f578bb92 --- /dev/null +++ b/rules/S7130/description-dotnet.adoc 
@@ -0,0 +1,12 @@ +When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault]. + +== Why is this an issue? + +Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to: + +* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code. + +* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process. + +* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage. + diff --git a/rules/S7130/metadata.json b/rules/S7130/metadata.json index 2c63c085104..bd17ee9ddff 100644 --- a/rules/S7130/metadata.json +++ b/rules/S7130/metadata.json 
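Review bot: Two grammar slips in the shared description should be fixed before both the C# and VB.NET pages include it: in the Error handling bullet `If the developer's intend is` should read `If the developer's intent is`, and in the Code coverage bullet `you introduces a condition` should read `you introduce a condition`. The Code coverage bullet is also hard to parse; something like `Checking the result for null introduces a branch that can never be exercised, which lowers code coverage.` states the same point more directly.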
@@ -1,2 +1,23 @@ { + "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "1min" + }, + "tags": [ + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-7130", + "sqKey": "S7130", + "scope": "All", + "defaultQualityProfiles": [ "Sonar way" ], + "quickfix": "targeted", + "code": { + "impacts": { + "MAINTAINABILITY": "MEDIUM" + }, + "attribute": "CLEAR" + } } diff --git a/rules/S7130/resources-dotnet.adoc b/rules/S7130/resources-dotnet.adoc new file mode 100644 index 00000000000..112dc06edab --- /dev/null +++ b/rules/S7130/resources-dotnet.adoc @@ -0,0 +1,13 @@ +== Resources + +=== Documentation + +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`] + +=== Articles & blog posts + +* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look] + diff --git a/rules/S7130/vbnet/metadata.json b/rules/S7130/vbnet/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7130/vbnet/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7130/vbnet/rule.adoc b/rules/S7130/vbnet/rule.adoc new file mode 100644 index 00000000000..3eddd11d473 --- /dev/null +++ b/rules/S7130/vbnet/rule.adoc 
@@ -0,0 +1,25 @@
+include::../description-dotnet.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+Dim Items As New list(Of Integer) From {1, 2, 3}
+
+Dim FirstItem As Integer = Items.FirstOrDefault() ' Noncompliant, this implies the collection might be empty, when we know it is not
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+Dim Items As New list(Of Integer) From {1, 2, 3}
+
+Dim FirstItem As Integer = Items.First() ' Compliant
+----
+
+include::../resources-dotnet.adoc[]
+
+include::../rspecator.adoc[]
diff --git a/rules/S7131/csharp/metadata.json b/rules/S7131/csharp/metadata.json
new file mode 100644
index 00000000000..6746948bd61
--- /dev/null
+++ b/rules/S7131/csharp/metadata.json
@@ -0,0 +1,23 @@
+{
+ "title": "A write lock should not be released when a read lock has been acquired and vice versa",
+ "type": "BUG",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-7131",
+ "sqKey": "S7131",
+ "scope": "All",
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "infeasible",
+ "code": {
+ "impacts": {
+ "RELIABILITY": "HIGH"
+ },
+ "attribute": "LOGICAL"
+ }
+}
diff --git a/rules/S7131/csharp/rule.adoc b/rules/S7131/csharp/rule.adoc
new file mode 100644
index 00000000000..535d058c374
--- /dev/null
+++ b/rules/S7131/csharp/rule.adoc
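Review bot: Both code listings on the VB.NET page are tagged `[source,csharp,...]` although they contain VB.NET; they should be `[source,vbnet,diff-id=1,diff-type=noncompliant]` and `[source,vbnet,diff-id=1,diff-type=compliant]` so the rendered page highlights them correctly. `New list(Of Integer)` compiles only because VB.NET identifiers are case-insensitive; the framework type is `List(Of Integer)`, and matching its casing avoids a distraction in an example that is meant to show idiomatic code.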
@@ -0,0 +1,100 @@
+
+When using https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock[ReaderWriterLock] and https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim[ReaderWriterLockSlim] for managing read and write locks, you should not release a read lock while holding a write lock and vice versa, otherwise you might have runtime exceptions.
+The locks should be always correctly paired so that the shared resource is accessed safely.
+
+This rule raises if:
+
+* you call https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.acquirewriterlock[ReaderWriterLock.AcquireWriterLock] or https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.upgradetowriterlock[ReaderWriterLock.UpgradeToWriterLock] and then use https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.releasereaderlock[ReaderWriterLock.ReleaseReaderLock]
+* you call https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterwritelock[ReaderWriterLockSlim.EnterWriteLock] or https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterwritelock[ReaderWriterLockSlim.TryEnterWriteLock] and then use https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.exitreadlock[ReaderWriterLockSlim.ExitReadLock]
+* you call https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.acquirereaderlock[ReaderWriterLock.AcquireReaderLock] or https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.downgradefromwriterlock[ReaderWriterLock.DowngradeFromWriterLock] and then use https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.releasewriterlock[ReaderWriterLock.ReleaseWriterLock]
+* or you call https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterreadlock[ReaderWriterLockSlim.EnterReadLock], 
https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterreadlock[ReaderWriterLockSlim.TryEnterReadLock], https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterupgradeablereadlock[ReaderWriterLockSlim.EnterUpgradeableReadLock] or https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterupgradeablereadlock[ReaderWriterLockSlim.TryEnterUpgradeableReadLock] and then use https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.exitwritelock[ReaderWriterLockSlim.ExitWriteLock]
+
+
+== Why is this an issue?
+
+If you use the `ReaderWriterLockSlim` class, you will get a https://learn.microsoft.com/en-us/dotnet/api/system.threading.lockrecursionexception[LockRecursionException].
+In the case of `ReaderWriterLock`, you'll get a runtime exception for trying to release a lock that is not owned by the calling thread.
+
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+public class Example
+{
+ private static ReaderWriterLock rwLock = new();
+
+ public void Writer()
+ {
+ rwLock.AcquireWriterLock(2000);
+ try
+ {
+ // ...
+ }
+ finally
+ {
+ rwLock.ReleaseReaderLock(); // Noncompliant, will throw runtime exception
+ }
+ }
+
+ public void Reader()
+ {
+ rwLock.AcquireReaderLock(2000);
+ try
+ {
+ // ...
+ }
+ finally
+ {
+ rwLock.ReleaseWriterLock(); // Noncompliant, will throw runtime exception
+ }
+ }
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+public class Example
+{
+ private static ReaderWriterLock rwLock = new();
+
+ public static void Writer()
+ {
+ rwLock.AcquireWriterLock(2000);
+ try
+ {
+ // ...
+ }
+ finally
+ {
+ rwLock.ReleaseWriterLock();
+ }
+ }
+
+ public static void Reader()
+ {
+ rwLock.AcquireReaderLock(2000);
+ try
+ {
+ // ... 
+ }
+ finally
+ {
+ rwLock.ReleaseReaderLock();
+ }
+ }
+}
+----
+
+== Resources
+
+=== Documentation
+
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock[ReaderWriterLock Class]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim[ReaderWriterLockSlim]
+
+include::../rspecator.adoc[]
\ No newline at end of file
diff --git a/rules/S7131/message.adoc b/rules/S7131/message.adoc
new file mode 100644
index 00000000000..d6364cd3472
--- /dev/null
+++ b/rules/S7131/message.adoc
@@ -0,0 +1,3 @@
+=== Message
+
+You should not release this [reader/writer] lock when [reader/writer] lock was acquired
diff --git a/rules/S7131/metadata.json b/rules/S7131/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7131/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7131/rspecator.adoc b/rules/S7131/rspecator.adoc
new file mode 100644
index 00000000000..38bc5e559c4
--- /dev/null
+++ b/rules/S7131/rspecator.adoc
@@ -0,0 +1,9 @@
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::message.adoc[]
+
+endif::env-github,rspecator-view[]
\ No newline at end of file
diff --git a/rules/S7153/metadata.json b/rules/S7153/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7153/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7153/secrets/metadata.json b/rules/S7153/secrets/metadata.json
new file mode 100644
index 00000000000..2068aa7c7b8
--- /dev/null
+++ b/rules/S7153/secrets/metadata.json
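Review bot: The Why section's claim that `ReaderWriterLockSlim` throws `LockRecursionException` here does not match the API reference: `ExitReadLock`/`ExitWriteLock` throw `SynchronizationLockException` when the calling thread has not entered the lock in that mode, and `LockRecursionException` is reserved for recursive entry, so the sentence should read `If you use the ReaderWriterLockSlim class, you will get a SynchronizationLockException.` and the `ReaderWriterLock` sentence should name `ApplicationException`. The compliant listing also makes `Writer` and `Reader` `public static` while the noncompliant listing has instance methods; since both share `diff-id=1`, drop `static` so the only visible difference is the paired release call. I believe the legacy `ReaderWriterLock.ReleaseReaderLock` tolerates a thread that currently holds the writer lock (it releases the writer lock rather than throwing), so the `will throw runtime exception` comment on that line should be verified against the targeted runtime before the rule ships.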
@@ -0,0 +1,56 @@
+{
+ "title": "eBay OAuth credentials should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7153",
+ "sqKey": "S7153",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7153/secrets/rule.adoc b/rules/S7153/secrets/rule.adoc
new file mode 100644
index 00000000000..337b320e4ab
--- /dev/null
+++ b/rules/S7153/secrets/rule.adoc
@@ -0,0 +1,44 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If an attacker gains access to a eBay OAuth credentials, they might be able to authenticate as users or applications.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+==== Financial loss
+
+Financial losses can occur when a secret used to access eBay APIs is disclosed as part of the source code of
+client applications.
+
+As eBay provides APIs that allow user or applications to sell or to buy products, an attacker could use the secret to change price or buy items using the organization's account.
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: PRD-fe5d9474b718-6817-4a97-a50b-5752
+:example_name: ebay.client-secret
+:example_env: EBAY_CLIENT_SECRET
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+=== Documentation
+
+- eBay Developer Program - https://developer.ebay.com/api-docs/static/oauth-credentials.html[Getting your OAuth credentials]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
diff --git a/rules/S7155/metadata.json b/rules/S7155/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7155/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7155/secrets/metadata.json b/rules/S7155/secrets/metadata.json
new file mode 100644
index 00000000000..903c4c89bab
--- /dev/null
+++ b/rules/S7155/secrets/metadata.json
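Review bot: The impact section has wording errors that undercut a security page: `access to a eBay OAuth credentials` should be `access to eBay OAuth credentials`, `allow user or applications to sell or to buy products` should be `allow users or applications to sell or buy products`, and `change price` should be `change prices`. It would also help to say what the leaked value is — an OAuth client secret that, together with the client ID, lets the holder obtain application tokens through the client-credentials grant — so the reader understands why regenerating the keyset in the developer portal, not just deleting the line, is the first remediation step. The example secret appears to carry eBay's production `PRD-` prefix, which is fine for a detector sample as long as it was never a live keyset.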
@@ -0,0 +1,56 @@ +{ + "title": "CircleCI API tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7155", + "sqKey": "S7155", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7155/secrets/rule.adoc b/rules/S7155/secrets/rule.adoc new file mode 100644 index 00000000000..7d513d8b1b0 --- /dev/null +++ b/rules/S7155/secrets/rule.adoc 
@@ -0,0 +1,52 @@ + +include::../../../shared_content/secrets/description.adoc[] + +If attackers gain access to a CircleCI API token, they might be able to modify projects and jobs running on the CircleCI platform. + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +The exact impact of compromising a CircleCI API token varies depending on the permissions granted and its type (personal or project token). It can range from loss of sensitive data and source code to severe supply chain attacks. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] + +include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: CCIPAT_FERZRjTN451xnDCy1y9gWn_79fb6ca4d0e5f833612eee17de397a9dca0a9e9f +:example_name: cci-api-token +:example_env: CCI_API_TOKEN + +include::../../../shared_content/secrets/examples.adoc[] + +//=== How does this work? + +//=== Pitfalls + +=== Going the extra mile + +include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[] + +== Resources + +=== Documentation + +* CircleCI Docs - https://circleci.com/docs/managing-api-tokens/[Managing API Tokens] +* CircleCI Docs - https://circleci.com/docs/api-developers-guide/[CircleCI API developer’s guide] + +include::../../../shared_content/secrets/resources/standards.adoc[] + +//=== Benchmarks diff --git a/rules/S7158/java/metadata.json b/rules/S7158/java/metadata.json new file mode 100644 index 00000000000..7142ff20cfb --- /dev/null +++ b/rules/S7158/java/metadata.json 
@@ -0,0 +1,24 @@ +{ + "title": "\"String.isEmpty()\" should be used to test for emptiness", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "2min" + }, + "tags": [], + "defaultSeverity": "Minor", + "ruleSpecification": "RSPEC-7158", + "sqKey": "S7158", + "scope": "All", + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "targeted", + "code": { + "impacts": { + "MAINTAINABILITY": "LOW" + }, + "attribute": "CLEAR" + } +} diff --git a/rules/S7158/java/rule.adoc b/rules/S7158/java/rule.adoc new file mode 100644 index 00000000000..7eb6bab3efe --- /dev/null +++ b/rules/S7158/java/rule.adoc @@ -0,0 +1,28 @@ +== Why is this an issue? + +Calling `String.isEmpty()` clearly communicates the code's intention, which is to test if the string is empty. Using `String.length() == 0` is less direct and makes the code less readable. + +== How to fix it + +=== Code examples + +==== Noncompliant code example +[source,java,diff-id=1,diff-type=noncompliant] +---- +if ("string".length() == 0) { /* … */ } // Noncompliant + +if ("string".length() > 0) { /* … */ } // Noncompliant +---- + +==== Compliant solution +[source,java,diff-id=1,diff-type=compliant] +---- +if ("string".isEmpty()){ /* … */ } + +if (!"string".isEmpty()){ /* … */ } +---- + +== Resources +=== Documentation + +* Java Documentation - https://docs.oracle.com/javase/7/docs/api/java/lang/String.html#isEmpty()[java.lang.String.isEmpty() method] diff --git a/rules/S7158/metadata.json b/rules/S7158/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7158/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7163/metadata.json b/rules/S7163/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7163/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7163/secrets/metadata.json b/rules/S7163/secrets/metadata.json new file mode 100644 index 00000000000..6a4fec8d0cc 
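Review bot: The Why section only names `length() == 0`, yet the noncompliant example also flags `length() > 0`; the page should say which comparisons are in scope (`== 0`, `!= 0`, `> 0`, `>= 1`, `< 1`, and reversed forms such as `0 == s.length()`) so users know what the targeted quickfix will rewrite, provided the implementation actually covers them. One sentence such as `This rule reports comparisons of String.length() against 0 or 1 that amount to an emptiness test, including the reversed operand order.` would do. The resource link points at the Java 7 Javadoc; linking the current `java.base` `String#isEmpty()` page (the method has existed since Java 6) keeps the reference from going stale.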
--- /dev/null +++ b/rules/S7163/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "Mandrill API keys should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7163", + "sqKey": "S7163", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7163/secrets/rule.adoc b/rules/S7163/secrets/rule.adoc new file mode 100644 index 00000000000..8bc2b0d9dc4 --- /dev/null +++ b/rules/S7163/secrets/rule.adoc @@ -0,0 +1,35 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +:secret_type: API key + +include::../../../shared_content/secrets/impact/phishing.adoc[] + +include::../../../shared_content/secrets/impact/financial_loss.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: md-tYmfLurJdDlP4wDdOqEzZA +:example_name: mandrill-api-key +:example_env: MANDRILL_API_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] \ No newline at end of file 
diff --git a/rules/S7167/metadata.json b/rules/S7167/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7167/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7167/secrets/metadata.json b/rules/S7167/secrets/metadata.json new file mode 100644 index 00000000000..780d2093215 --- /dev/null +++ b/rules/S7167/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "Mergify application keys should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7167", + "sqKey": "S7167", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7167/secrets/rule.adoc b/rules/S7167/secrets/rule.adoc new file mode 100644 index 00000000000..bf5cb2e6f98 --- /dev/null +++ b/rules/S7167/secrets/rule.adoc 
@@ -0,0 +1,33 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] + +include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: mergify_application_key_cm9vdDp4OjA6MDpyb290Oi9yb290 +:example_name: mergify-app-key +:example_env: MERGIFY_APP_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] diff --git a/rules/S7169/metadata.json b/rules/S7169/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7169/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7169/secrets/metadata.json b/rules/S7169/secrets/metadata.json new file mode 100644 index 00000000000..6383c626dfc --- /dev/null +++ b/rules/S7169/secrets/metadata.json 
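Review bot: The `:example_secret:` filler `mergify_application_key_cm9vdDp4OjA6MDpyb290Oi9yb290` has a base64 tail that decodes to `root:x:0:0:root:/root`, i.e. an `/etc/passwd` line; that is a distracting payload in a rule description that is itself scanned by secret and content detectors, and it invites questions about how the sample was produced. Replace the tail with freshly generated random base64 of the same length, keeping the `mergify_application_key_` prefix, and confirm the detector's pattern still matches the new sample. The page also lacks a Documentation subsection under Resources, unlike S7153 and S7155; a link to Mergify's application-key documentation would tell readers where the key is revoked.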
@@ -0,0 +1,56 @@ +{ + "title": "Coveo API keys should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7169", + "sqKey": "S7169", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7169/secrets/rule.adoc b/rules/S7169/secrets/rule.adoc new file mode 100644 index 00000000000..3b0185b7464 --- /dev/null +++ b/rules/S7169/secrets/rule.adoc @@ -0,0 +1,33 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/data_compromise.adoc[] + +include::../../../shared_content/secrets/impact/financial_loss.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: xx31c5e664-c410-42f2-832f-1864e233de28 +:example_name: coveo-api-key +:example_env: COVEO_API_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] 
diff --git a/rules/S7170/metadata.json b/rules/S7170/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7170/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7170/secrets/metadata.json b/rules/S7170/secrets/metadata.json new file mode 100644 index 00000000000..c138fb007d1 --- /dev/null +++ b/rules/S7170/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "HubSpot secrets should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7170", + "sqKey": "S7170", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7170/secrets/rule.adoc b/rules/S7170/secrets/rule.adoc new file mode 100644 index 00000000000..d4377676e40 --- /dev/null +++ b/rules/S7170/secrets/rule.adoc 
@@ -0,0 +1,45 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Hubspot credentials can be used for varieties of actions on the Hubspot services, +including managing CRM, CMS, marketing automation, customer service and +analytics. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +:secret_type: secret + + +include::../../../shared_content/secrets/impact/phishing.adoc[] + +include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[] + +include::../../../shared_content/secrets/impact/financial_loss.adoc[] + +include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: pat-na1-6d04652d-107a-4742-964d-34dabf69843c +:example_name: hubspot-api-key +:example_env: HUBSPOT_API_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] +
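Review bot: The example and the naming disagree about which secret is meant: `:example_secret: pat-na1-...` looks like a HubSpot private-app access token (the `pat-<region>-` prefix), while `:example_name: hubspot-api-key` and `HUBSPOT_API_KEY` suggest the legacy developer API key, and `:secret_type: secret` is generic. Pick one: if private-app tokens are what the detector matches, rename to `hubspot-access-token` / `HUBSPOT_ACCESS_TOKEN` and set `:secret_type: access token` so the included impact snippets read correctly. `Hubspot` should also be spelled `HubSpot` in the impact paragraph, and a Resources › Documentation link to HubSpot's private-app token page would tell readers where to rotate it.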