From f4690e5118248b821426794fa635dd42e383ce15 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 11:33:24 +0100 Subject: [PATCH 01/13] Create rule S7153 (#4488) --- rules/S7153/metadata.json | 2 ++ rules/S7153/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7153/secrets/rule.adoc | 44 ++++++++++++++++++++++++ 3 files changed, 102 insertions(+) create mode 100644 rules/S7153/metadata.json create mode 100644 rules/S7153/secrets/metadata.json create mode 100644 rules/S7153/secrets/rule.adoc diff --git a/rules/S7153/metadata.json b/rules/S7153/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7153/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7153/secrets/metadata.json b/rules/S7153/secrets/metadata.json new file mode 100644 index 00000000000..2068aa7c7b8 --- /dev/null +++ b/rules/S7153/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "eBay OAuth credentials should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7153", + "sqKey": "S7153", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7153/secrets/rule.adoc b/rules/S7153/secrets/rule.adoc new file mode 100644 index 00000000000..337b320e4ab --- /dev/null +++ b/rules/S7153/secrets/rule.adoc 
@@ -0,0 +1,44 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +If an attacker gains access to a eBay OAuth credentials, they might be able to authenticate as users or applications. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +==== Financial loss + +Financial losses can occur when a secret used to access eBay APIs is disclosed as part of the source code of +client applications. + +As eBay provides APIs that allow user or applications to sell or to buy products, an attacker could use the secret to change price or buy items using the organization's account. + +include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: PRD-fe5d9474b718-6817-4a97-a50b-5752 +:example_name: ebay.client-secret +:example_env: EBAY_CLIENT_SECRET + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +=== Documentation + +- eBay Developer Program - https://developer.ebay.com/api-docs/static/oauth-credentials.html[Getting your OAuth credentials] + +include::../../../shared_content/secrets/resources/standards.adoc[] From a0be31ce6772463d5dd09fd33dc2e0cc39ce2d0d Mon Sep 17 00:00:00 2001 
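Review bot: The "Financial loss" paragraph states that the leaked secret lets an attacker `change price or buy items using the organization's account`, but what an eBay client secret grants on its own depends on the OAuth grant in use: as far as I can tell from eBay's OAuth model, the client-credentials flow only mints application tokens, while acting on a seller's account requires a user token obtained through user consent (or a leaked refresh token), so this claim is worth checking against the linked eBay page and hedging if it overstates the case. The opening sentence also has a grammar slip; suggested wording: `If an attacker gains access to eBay OAuth credentials, they might be able to authenticate as the application or as the users who authorized it.` Finally, the title speaks of "credentials" while the example only names the client secret (`ebay.client-secret`, `EBAY_CLIENT_SECRET`); saying whether the rule also covers the client ID or only the secret would help readers judge a finding.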
From: Pavel Mikula <57188685+pavel-mikula-sonarsource@users.noreply.github.com> Date: Thu, 14 Nov 2024 13:25:46 +0100 Subject: [PATCH 02/13] NET-668 Modify S7130: Add vbnet rspec (#4499) --- rules/S7130/csharp/metadata.json | 21 --------------------- rules/S7130/csharp/rule.adoc | 25 ++----------------------- rules/S7130/description-dotnet.adoc | 12 ++++++++++++ rules/S7130/metadata.json | 21 +++++++++++++++++++++ rules/S7130/resources-dotnet.adoc | 13 +++++++++++++ rules/S7130/vbnet/metadata.json | 2 ++ rules/S7130/vbnet/rule.adoc | 25 +++++++++++++++++++++++++ 7 files changed, 75 insertions(+), 44 deletions(-) create mode 100644 rules/S7130/description-dotnet.adoc create mode 100644 rules/S7130/resources-dotnet.adoc create mode 100644 rules/S7130/vbnet/metadata.json create mode 100644 rules/S7130/vbnet/rule.adoc diff --git a/rules/S7130/csharp/metadata.json b/rules/S7130/csharp/metadata.json index 5df8d4ce1a2..2c63c085104 100644 --- a/rules/S7130/csharp/metadata.json +++ b/rules/S7130/csharp/metadata.json @@ -1,23 +1,2 @@ { - "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty", - "type": "CODE_SMELL", - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "1min" - }, - "tags": [ - ], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-7130", - "sqKey": "S7130", - "scope": "All", - "defaultQualityProfiles": ["Sonar way"], - "quickfix": "targeted", - "code": { - "impacts": { - "MAINTAINABILITY": "MEDIUM" - }, - "attribute": "CLEAR" - } } diff --git a/rules/S7130/csharp/rule.adoc b/rules/S7130/csharp/rule.adoc index faa398ed8c6..e7ab4768e68 100644 --- a/rules/S7130/csharp/rule.adoc +++ b/rules/S7130/csharp/rule.adoc 
@@ -1,14 +1,4 @@
-When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault].
-
-== Why is this an issue?
-
-Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to:
-
-* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code.
-
-* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process.
-
-* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage.
+include::../description-dotnet.adoc[]
 
 === Code examples
 
@@ -30,17 +20,6 @@ var items = new List { 1, 2, 3 }; int firstItem = items.First(); // Compliant ---- -== Resources - -=== Documentation - -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`] -* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`] - -=== Articles & blog posts - -* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look] +include::../resources-dotnet.adoc[] include::../rspecator.adoc[] diff --git a/rules/S7130/description-dotnet.adoc b/rules/S7130/description-dotnet.adoc new file mode 100644 index 00000000000..3e1f578bb92 --- /dev/null +++ b/rules/S7130/description-dotnet.adoc 
@@ -0,0 +1,12 @@
+When working with collections that are known to be non-empty, using https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[First] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[Single] is generally preferred over https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[FirstOrDefault] or https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[SingleOrDefault].
+
+== Why is this an issue?
+
+Using `FirstOrDefault` or `SingleOrDefault` on collections that are known to be non-empty is an issue due to:
+
+* Code Clarity and intent: When you use `FirstOrDefault` or `SingleOrDefault`, it implies that the collection might be empty, which can be misleading if you know it is not. It can be confusing for other developers who read your code, making it harder for them to understand the actual constraints and behavior of the collection. This leads to confusion and harder-to-maintain code.
+
+* Error handling: If the developer's intend is for the collection not to be empty, using `FirstOrDefault` and `SingleOrDefault` can lead to subtle bugs. These methods return a default value (`null` for reference types and `default` for value types) when the collection is empty, potentially causing issues like `NullReferenceException` later in the code. In contrast, `First` or `Single` will throw an `InvalidOperationException` immediately if the collection is empty, making it easier to detect and address issues early in the development process.
+
+* Code coverage: Potentially, having to check if the result is `null`, you introduces a condition that cannot be fully tested, impacting the code coverage.
+
diff --git a/rules/S7130/metadata.json b/rules/S7130/metadata.json
index 2c63c085104..bd17ee9ddff 100644
--- a/rules/S7130/metadata.json
+++ b/rules/S7130/metadata.json
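Review bot: Two typos are carried over into the new shared file: `If the developer's intend is for the collection` should read `If the developer's intent is for the collection`, and `you introduces a condition` should read `you introduce a condition`. Since this description is now included by both the C# and the VB.NET rule, the sentence about `null` for reference types could mention `Nothing` as well so VB.NET readers recognize the case, e.g. `(`null`/`Nothing` for reference types and the default value for value types)`.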
@@ -1,2 +1,23 @@ { + "title": "First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "1min" + }, + "tags": [ + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-7130", + "sqKey": "S7130", + "scope": "All", + "defaultQualityProfiles": [ "Sonar way" ], + "quickfix": "targeted", + "code": { + "impacts": { + "MAINTAINABILITY": "MEDIUM" + }, + "attribute": "CLEAR" + } } diff --git a/rules/S7130/resources-dotnet.adoc b/rules/S7130/resources-dotnet.adoc new file mode 100644 index 00000000000..112dc06edab --- /dev/null +++ b/rules/S7130/resources-dotnet.adoc @@ -0,0 +1,13 @@ +== Resources + +=== Documentation + +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.single[`Single`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.first[`First`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.singleordefault[`SingleOrDefault`] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.linq.enumerable.firstordefault[`FirstOrDefault`] + +=== Articles & blog posts + +* https://medium.com/@anyanwuraphaelc/first-vs-firstordefault-single-vs-singleordefault-a-high-level-look-d24db17a2bc3[First vs FirstOrDefault, Single vs SingleOrDefault: A High-level Look] + diff --git a/rules/S7130/vbnet/metadata.json b/rules/S7130/vbnet/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7130/vbnet/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7130/vbnet/rule.adoc b/rules/S7130/vbnet/rule.adoc new file mode 100644 index 00000000000..3eddd11d473 --- /dev/null +++ b/rules/S7130/vbnet/rule.adoc 
@@ -0,0 +1,25 @@ +include::../description-dotnet.adoc[] + +=== Code examples + +==== Noncompliant code example + +[source,csharp,diff-id=1,diff-type=noncompliant] +---- +Dim Items As New list(Of Integer) From {1, 2, 3} + +Dim FirstItem As Integer = Items.FirstOrDefault() ' Noncompliant, this implies the collection might be empty, when we know it is not +---- + +==== Compliant solution + +[source,csharp,diff-id=1,diff-type=compliant] +---- +Dim Items As New list(Of Integer) From {1, 2, 3} + +Dim FirstItem As Integer = Items.First() ' Compliant +---- + +include::../resources-dotnet.adoc[] + +include::../rspecator.adoc[] From 9f98b3b50d91e4f1ff5814fb5de5732d2da78832 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 13:45:36 +0100 Subject: [PATCH 03/13] Create rule S7155: CircleCI secrets should not be disclosed (APPSEC-2239) (#4490) --- rules/S7155/metadata.json | 2 ++ rules/S7155/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7155/secrets/rule.adoc | 52 ++++++++++++++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100644 rules/S7155/metadata.json create mode 100644 rules/S7155/secrets/metadata.json create mode 100644 rules/S7155/secrets/rule.adoc diff --git a/rules/S7155/metadata.json b/rules/S7155/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7155/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7155/secrets/metadata.json b/rules/S7155/secrets/metadata.json new file mode 100644 index 00000000000..903c4c89bab --- /dev/null +++ b/rules/S7155/secrets/metadata.json 
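Review bot: Both fences in the new VB.NET rule are tagged `[source,csharp,...]` although the snippets are Visual Basic (`Dim Items As New list(Of Integer) From {1, 2, 3}`); they should be `[source,vbnet,diff-id=1,diff-type=noncompliant]` and `[source,vbnet,diff-id=1,diff-type=compliant]` so the examples get the right highlighting and match the rule's language. On the same lines, `list(Of Integer)` only compiles because VB is case-insensitive; the framework type is conventionally written `List(Of Integer)`. Because the page pulls its prose from `include::../description-dotnet.adoc[]`, it inherits C#-oriented wording such as `null`; worth a glance at the rendered VB.NET page to confirm it reads naturally.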
@@ -0,0 +1,56 @@ +{ + "title": "CircleCI API tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7155", + "sqKey": "S7155", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7155/secrets/rule.adoc b/rules/S7155/secrets/rule.adoc new file mode 100644 index 00000000000..7d513d8b1b0 --- /dev/null +++ b/rules/S7155/secrets/rule.adoc 
@@ -0,0 +1,52 @@ + +include::../../../shared_content/secrets/description.adoc[] + +If attackers gain access to a CircleCI API token, they might be able to modify projects and jobs running on the CircleCI platform. + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +The exact impact of compromising a CircleCI API token varies depending on the permissions granted and its type (personal or project token). It can range from loss of sensitive data and source code to severe supply chain attacks. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] + +include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: CCIPAT_FERZRjTN451xnDCy1y9gWn_79fb6ca4d0e5f833612eee17de397a9dca0a9e9f +:example_name: cci-api-token +:example_env: CCI_API_TOKEN + +include::../../../shared_content/secrets/examples.adoc[] + +//=== How does this work? + +//=== Pitfalls + +=== Going the extra mile + +include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[] + +== Resources + +=== Documentation + +* CircleCI Docs - https://circleci.com/docs/managing-api-tokens/[Managing API Tokens] +* CircleCI Docs - https://circleci.com/docs/api-developers-guide/[CircleCI API developer’s guide] + +include::../../../shared_content/secrets/resources/standards.adoc[] + +//=== Benchmarks From 19f97f60ba74c6deb13b79ed792aa467595880bd Mon Sep 17 00:00:00 2001 
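Review bot: The impact list stops at source-code compromise and supply-chain attack, but a CircleCI token that can trigger or edit pipelines also exposes whatever the project stores in environment variables and contexts, since a modified job can print or exfiltrate them; a sentence on this credential lateral movement would make the `revoke` step more actionable (rotate the secrets the CI jobs could reach, not only the token). The description distinguishes personal and project tokens but does not say what each type allows; if project tokens are limited to a few scopes, stating that would help triage. Suggested addition after the supply-chain include: `A token able to run jobs can also read secrets injected into those jobs (environment variables, contexts), so every credential reachable from the affected pipelines should be treated as compromised.`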
From: GabinL21 <67428953+GabinL21@users.noreply.github.com> Date: Thu, 14 Nov 2024 14:03:27 +0100 Subject: [PATCH 04/13] Modify rule S6249: fix Terraform code examples (#4502) --- rules/S6249/terraform/rule.adoc | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/rules/S6249/terraform/rule.adoc b/rules/S6249/terraform/rule.adoc index 8b0914292d2..4d285586569 100644 --- a/rules/S6249/terraform/rule.adoc +++ b/rules/S6249/terraform/rule.adoc @@ -8,6 +8,7 @@ include::../recommended.adoc[] No secure policy is attached to this bucket: +[source,terraform] ---- resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive bucket = "mynoncompliantbucketname" @@ -16,6 +17,7 @@ resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive A policy is defined but forces only HTTPs communication for some users: +[source,terraform] ---- resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive bucket = "mynoncompliantbucketname" @@ -31,13 +33,13 @@ resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" { { Sid = "HTTPSOnly" Effect = "Deny" - Principal = [ - "arn:aws:iam::123456789123:root" - ] # secondary location: only one principal is forced to use https + Principal = { + "AWS": "arn:aws:iam::123456789123:root" + } # secondary location: only one principal is forced to use https Action = "s3:*" Resource = [ - aws_s3_bucket.mynoncompliantbucketpolicy.arn, - "${aws_s3_bucket.mynoncompliantbucketpolicy.arn}/*", + aws_s3_bucket.mynoncompliantbucket.arn, + "${aws_s3_bucket.mynoncompliantbucket.arn}/*", ] Condition = { Bool = { @@ -70,7 +72,9 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" { { Sid = "HTTPSOnly" Effect = "Deny" - Principal = "*" + Principal = { + "AWS": "*" + } Action = "s3:*" Resource = [ aws_s3_bucket.mycompliantbucket.arn, From 6c69789850f9dd74ed0da110bee8804916ee4738 Mon Sep 17 00:00:00 2001 
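Review bot: The rewritten `Principal` blocks use HCL's JSON-style `"AWS": "*"` while every neighbouring attribute in the same `jsonencode` object uses `Key = value` (`Sid = "HTTPSOnly"`, `Effect = "Deny"`); HCL accepts both, but `AWS = "*"` keeps the example consistent and is what readers will copy. The diffstat (10 insertions, 6 deletions) suggests only the two noncompliant fences received `[source,terraform]`; if the compliant example's fence, which starts outside this hunk, is still untagged, it should get the same attribute. The enclosing `resource "aws_s3_bucket_policy" "mycompliantpolicy"` block of the last hunk continues beyond the visible lines.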
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:41:51 +0100 Subject: [PATCH 05/13] Create rule S7163: Mandrill API keys should not be disclosed (#4500) --- rules/S7163/metadata.json | 2 ++ rules/S7163/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7163/secrets/rule.adoc | 35 +++++++++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 rules/S7163/metadata.json create mode 100644 rules/S7163/secrets/metadata.json create mode 100644 rules/S7163/secrets/rule.adoc diff --git a/rules/S7163/metadata.json b/rules/S7163/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7163/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7163/secrets/metadata.json b/rules/S7163/secrets/metadata.json new file mode 100644 index 00000000000..6a4fec8d0cc --- /dev/null +++ b/rules/S7163/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "Mandrill API keys should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7163", + "sqKey": "S7163", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7163/secrets/rule.adoc b/rules/S7163/secrets/rule.adoc new file mode 100644 index 00000000000..8bc2b0d9dc4 --- /dev/null +++ b/rules/S7163/secrets/rule.adoc 
@@ -0,0 +1,35 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +:secret_type: API key + +include::../../../shared_content/secrets/impact/phishing.adoc[] + +include::../../../shared_content/secrets/impact/financial_loss.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: md-tYmfLurJdDlP4wDdOqEzZA +:example_name: mandrill-api-key +:example_env: MANDRILL_API_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] \ No newline at end of file From 064a3a01dde92812cb6ac44e786d45a6ef48a53c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:42:02 +0100 Subject: [PATCH 06/13] Create rule S7167: Mergify application keys should not be disclosed (#4505) --- rules/S7167/metadata.json | 2 ++ rules/S7167/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7167/secrets/rule.adoc | 33 ++++++++++++++++++ 3 files changed, 91 insertions(+) create mode 100644 rules/S7167/metadata.json create mode 100644 rules/S7167/secrets/metadata.json create mode 100644 rules/S7167/secrets/rule.adoc diff --git a/rules/S7167/metadata.json b/rules/S7167/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7167/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7167/secrets/metadata.json b/rules/S7167/secrets/metadata.json new file mode 100644 index 00000000000..780d2093215 --- /dev/null +++ b/rules/S7167/secrets/metadata.json 
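Review bot: Unlike the other secret rules in this series (S7153, S7155), the Resources section has no `=== Documentation` entry pointing at the vendor's page on creating and revoking API keys, so a reader following the `revoke` step has no vendor reference; add a `* Mandrill Docs - ...` bullet to the Mandrill API-key management page before the standards include. The file also ends without a trailing newline (`\ No newline at end of file`), which its sibling rules have. Minor: `:secret_type: API key` is set only in this rule; if the `phishing` include depends on it, a short comment saying so would help the next author.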
@@ -0,0 +1,56 @@ +{ + "title": "Mergify application keys should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7167", + "sqKey": "S7167", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7167/secrets/rule.adoc b/rules/S7167/secrets/rule.adoc new file mode 100644 index 00000000000..bf5cb2e6f98 --- /dev/null +++ b/rules/S7167/secrets/rule.adoc @@ -0,0 +1,33 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] + +include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: mergify_application_key_cm9vdDp4OjA6MDpyb290Oi9yb290 +:example_name: mergify-app-key +:example_env: MERGIFY_APP_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] From 423514e941f1221b370f260284128b8ddf87b667 Mon Sep 17 00:00:00 2001 
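Review bot: The example secret `mergify_application_key_cm9vdDp4OjA6MDpyb290Oi9yb290` is base64 for `root:x:0:0:root:/root`, an /etc/passwd entry; a placeholder that decodes to real-looking system data can trip other scanners and invites copy-paste into fixtures, so prefer an obviously random value with the same length and alphabet. As with S7163, there is no `=== Documentation` bullet pointing at Mergify's page on application keys, which the `revoke` step relies on. The impact section reuses only the source-code and supply-chain includes; one sentence on what an application key lets Mergify do on the repository (queue, rebase or merge pull requests on the app's behalf, if that matches Mergify's docs) would ground those scenarios.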
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:43:14 +0100 Subject: [PATCH 07/13] NET-589 Create rule S7131: You should not release a write lock when a read lock has been acquired and vice versa (#4433) --- rules/S7131/csharp/metadata.json | 23 +++++++ rules/S7131/csharp/rule.adoc | 100 +++++++++++++++++++++++++++++++ rules/S7131/message.adoc | 3 + rules/S7131/metadata.json | 2 + rules/S7131/rspecator.adoc | 9 +++ 5 files changed, 137 insertions(+) create mode 100644 rules/S7131/csharp/metadata.json create mode 100644 rules/S7131/csharp/rule.adoc create mode 100644 rules/S7131/message.adoc create mode 100644 rules/S7131/metadata.json create mode 100644 rules/S7131/rspecator.adoc diff --git a/rules/S7131/csharp/metadata.json b/rules/S7131/csharp/metadata.json new file mode 100644 index 00000000000..6746948bd61 --- /dev/null +++ b/rules/S7131/csharp/metadata.json @@ -0,0 +1,23 @@ +{ + "title": "A write lock should not be released when a read lock has been acquired and vice versa", + "type": "BUG", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-7131", + "sqKey": "S7131", + "scope": "All", + "defaultQualityProfiles": ["Sonar way"], + "quickfix": "infeasible", + "code": { + "impacts": { + "RELIABILITY": "HIGH" + }, + "attribute": "LOGICAL" + } +} diff --git a/rules/S7131/csharp/rule.adoc b/rules/S7131/csharp/rule.adoc new file mode 100644 index 00000000000..535d058c374 --- /dev/null +++ b/rules/S7131/csharp/rule.adoc 
@@ -0,0 +1,100 @@
+
+When using https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock[ReaderWriterLock] and https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim[ReaderWriterLockSlim] for managing read and write locks, you should not release a read lock while holding a write lock and vice versa, otherwise you might have runtime exceptions.
+The locks should be always correctly paired so that the shared resource is accessed safely.
+
+This rule raises if:
+
+* you call https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.acquirewriterlock[ReaderWriterLock.AcquireWriterLock] or https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.upgradetowriterlock[ReaderWriterLock.UpgradeToWriterLock] and then use https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.releasereaderlock[ReaderWriterLock.ReleaseReaderLock]
+* you call https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterwritelock[ReaderWriterLockSlim.EnterWriteLock] or https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterwritelock[ReaderWriterLockSlim.TryEnterWriteLock] and then use https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.exitreadlock[ReaderWriterLockSlim.ExitReadLock]
+* you call https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.acquirereaderlock[ReaderWriterLock.AcquireReaderLock] or https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.downgradefromwriterlock[ReaderWriterLock.DowngradeFromWriterLock] and then use https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.releasewriterlock[ReaderWriterLock.ReleaseWriterLock]
+* or you call https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterreadlock[ReaderWriterLockSlim.EnterReadLock], https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterreadlock[ReaderWriterLockSlim.TryEnterReadLock], https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterupgradeablereadlock[ReaderWriterLockSlim.EnterUpgradeableReadLock] or https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterupgradeablereadlock[ReaderWriterLockSlim.TryEnterUpgradeableReadLock] and then use https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.exitwritelock[ReaderWriterLockSlim.ExitWriteLock]
+
+
+== Why is this an issue?
+
+If you use the `ReaderWriterLockSlim` class, you will get a https://learn.microsoft.com/en-us/dotnet/api/system.threading.lockrecursionexception[LockRecursionException].
+In the case of `ReaderWriterLock`, you'll get a runtime exception for trying to release a lock that is not owned by the calling thread.
+
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+public class Example
+{
+    private static ReaderWriterLock rwLock = new();
+
+    public void Writer()
+    {
+        rwLock.AcquireWriterLock(2000);
+        try
+        {
+            // ...
+        }
+        finally
+        {
+            rwLock.ReleaseReaderLock(); // Noncompliant, will throw runtime exception
+        }
+    }
+
+    public void Reader()
+    {
+        rwLock.AcquireReaderLock(2000);
+        try
+        {
+            // ...
+        }
+        finally
+        {
+            rwLock.ReleaseWriterLock(); // Noncompliant, will throw runtime exception
+        }
+    }
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+public class Example
+{
+    private static ReaderWriterLock rwLock = new();
+
+    public static void Writer()
+    {
+        rwLock.AcquireWriterLock(2000);
+        try
+        {
+            // ...
+        }
+        finally
+        {
+            rwLock.ReleaseWriterLock();
+        }
+    }
+
+    public static void Reader()
+    {
+        rwLock.AcquireReaderLock(2000);
+        try
+        {
+            // ...
+ } + finally + { + rwLock.ReleaseReaderLock(); + } + } +} +---- + +== Resources + +=== Documentation + +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock[ReaderWriterLock Class] +* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim[ReaderWriterLockSlim] + +include::../rspecator.adoc[] \ No newline at end of file diff --git a/rules/S7131/message.adoc b/rules/S7131/message.adoc new file mode 100644 index 00000000000..d6364cd3472 --- /dev/null +++ b/rules/S7131/message.adoc @@ -0,0 +1,3 @@ +=== Message + +You should not release this [reader/writer] lock when [reader/writer] lock was acquired diff --git a/rules/S7131/metadata.json b/rules/S7131/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7131/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7131/rspecator.adoc b/rules/S7131/rspecator.adoc new file mode 100644 index 00000000000..38bc5e559c4 --- /dev/null +++ b/rules/S7131/rspecator.adoc @@ -0,0 +1,9 @@ +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::message.adoc[] + +endif::env-github,rspecator-view[] \ No newline at end of file From 41e6f81392e4a7fc7408c03e38e635dcdb7703fd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 17:03:15 +0100 Subject: [PATCH 08/13] Create rule S7158: String.isEmpty() should be used to test for emptiness (#4493) --- rules/S7158/java/metadata.json | 24 ++++++++++++++++++++++++ rules/S7158/java/rule.adoc | 28 ++++++++++++++++++++++++++++ rules/S7158/metadata.json | 2 ++ 3 files changed, 54 insertions(+) create mode 100644 rules/S7158/java/metadata.json create mode 100644 rules/S7158/java/rule.adoc create mode 100644 rules/S7158/metadata.json 
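Review bot: The exception named for `ReaderWriterLockSlim` looks wrong: `ExitReadLock`/`ExitWriteLock` are documented to throw `SynchronizationLockException` when the current thread has not entered the lock in that mode, while `LockRecursionException` is what the `Enter*` methods throw for disallowed recursion, so please verify against the linked docs and replace `LockRecursionException` accordingly. For `ReaderWriterLock`, `ReleaseWriterLock` throws `ApplicationException` when the thread does not hold the writer lock, which the text could name instead of `a runtime exception`; the `ReleaseReaderLock` call in `Writer()` is worth double-checking too, because that method's documented exception fires only when the thread holds no lock at all, which would mean `// Noncompliant, will throw runtime exception` does not hold there and the real bug is a silently released writer lock. Separately, the compliant solution turns `Writer()`/`Reader()` into `static` methods while the noncompliant example keeps them as instance methods; both fences share `diff-id=1`, so keep the signatures identical and let the rendered diff show only the lock fix.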
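Review bot: The issue message `You should not release this [reader/writer] lock when [reader/writer] lock was acquired` is missing an article and, read literally, names the same lock kind twice; suggested `You should not release a [reader/writer] lock when a [writer/reader] lock was acquired`, making explicit that the two placeholders are opposites.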
diff --git a/rules/S7158/java/metadata.json b/rules/S7158/java/metadata.json new file mode 100644 index 00000000000..7142ff20cfb --- /dev/null +++ b/rules/S7158/java/metadata.json @@ -0,0 +1,24 @@ +{ + "title": "\"String.isEmpty()\" should be used to test for emptiness", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "2min" + }, + "tags": [], + "defaultSeverity": "Minor", + "ruleSpecification": "RSPEC-7158", + "sqKey": "S7158", + "scope": "All", + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "targeted", + "code": { + "impacts": { + "MAINTAINABILITY": "LOW" + }, + "attribute": "CLEAR" + } +} diff --git a/rules/S7158/java/rule.adoc b/rules/S7158/java/rule.adoc new file mode 100644 index 00000000000..7eb6bab3efe --- /dev/null +++ b/rules/S7158/java/rule.adoc @@ -0,0 +1,28 @@ +== Why is this an issue? + +Calling `String.isEmpty()` clearly communicates the code's intention, which is to test if the string is empty. Using `String.length() == 0` is less direct and makes the code less readable. + +== How to fix it + +=== Code examples + +==== Noncompliant code example +[source,java,diff-id=1,diff-type=noncompliant] +---- +if ("string".length() == 0) { /* … */ } // Noncompliant + +if ("string".length() > 0) { /* … */ } // Noncompliant +---- + +==== Compliant solution +[source,java,diff-id=1,diff-type=compliant] +---- +if ("string".isEmpty()){ /* … */ } + +if (!"string".isEmpty()){ /* … */ } +---- + +== Resources +=== Documentation + +* Java Documentation - https://docs.oracle.com/javase/7/docs/api/java/lang/String.html#isEmpty()[java.lang.String.isEmpty() method] diff --git a/rules/S7158/metadata.json b/rules/S7158/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7158/metadata.json @@ -0,0 +1,2 @@ +{ +} From 251db04bc07802179b2b4c33c30ca8e6fd684917 Mon Sep 17 00:00:00 2001 
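Review bot: The description does not say which comparisons count as an emptiness test; the examples show `length() == 0` and `length() > 0`, but `!= 0`, `< 1` and `>= 1` are just as common, and both readers and the implementer need to know whether they are in scope — a sentence such as `This rule also applies to the equivalent comparisons (`!= 0`, `< 1`, `>= 1`).` would settle it, if that matches the implementation. The examples call `.length()` on a string literal, which no real code does; a local such as `String s = ...; if (s.length() == 0)` reads more naturally and makes the quick fix's shape obvious. The Resources link targets the Java 7 Javadoc; pointing at the current Java SE `String.isEmpty()` page avoids an outdated reference.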
From: Alban Auzeill Date: Thu, 14 Nov 2024 18:11:49 +0100 Subject: [PATCH 09/13] Modify rule S6418: Fix typo in a variable (#4513) --- rules/S6418/java/rule.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/S6418/java/rule.adoc b/rules/S6418/java/rule.adoc index b592ca548b6..886dddc613d 100644 --- a/rules/S6418/java/rule.adoc +++ b/rules/S6418/java/rule.adoc @@ -1,4 +1,4 @@ -:detectson: variables/fields +:detections: variables/fields :defaultsensibility: 5 include::../description.adoc[] From 953f1f031525768ddcba1077a37dbe1a94d4b3e3 Mon Sep 17 00:00:00 2001 From: SonarTech Date: Fri, 15 Nov 2024 02:45:59 +0000 Subject: [PATCH 10/13] update coverage information --- frontend/public/covered_rules.json | 1 + 1 file changed, 1 insertion(+) diff --git a/frontend/public/covered_rules.json b/frontend/public/covered_rules.json index 852b40655f1..29ba0ee4a0d 100644 --- a/frontend/public/covered_rules.json +++ b/frontend/public/covered_rules.json @@ -3392,6 +3392,7 @@ "S7027": "sonar-architecture 1.0.0.1901", "S7044": "sonar-security 10.7.0.32997", "S7091": "sonar-architecture 1.0.0.1901", + "S7134": "sonar-architecture master", "S818": "sonar-java 4.15.0.12310", "S864": "sonar-java 4.15.0.12310", "S881": "sonar-java 4.15.0.12310", From c83d7bff8403bcfd1e135f6cf8fc7841d733ea08 Mon Sep 17 00:00:00 2001 From: tomasz-kaminski-sonarsource <79814193+tomasz-kaminski-sonarsource@users.noreply.github.com> Date: Fri, 15 Nov 2024 10:51:09 +0100 Subject: [PATCH 11/13] S5408 Remove constexpr static data members from rspec (CPP-5809) --- rules/S5408/cfamily/rule.adoc | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/rules/S5408/cfamily/rule.adoc b/rules/S5408/cfamily/rule.adoc index 9263981a1bd..ccb41322be8 100644 --- a/rules/S5408/cfamily/rule.adoc +++ b/rules/S5408/cfamily/rule.adoc 
@@ -1,7 +1,6 @@ == Why is this an issue? -Declaring a function or a static member variable ``++constexpr++`` makes it implicitly inline. - +Declaring a function ``++constexpr++`` makes it implicitly inline. In that situation, explicitly using the ``++inline++`` keyword would be redundant, and might lead to confusion if it's used in some cases but not others. It's better to simply omit it. @@ -11,22 +10,14 @@ In that situation, explicitly using the ``++inline++`` keyword would be redundan [source,cpp] ---- inline constexpr int addOne(int n) { return n+1; } // Noncompliant -struct A { -inline constexpr static int secretNumber = 0; // Noncompliant -}; ---- - === Compliant solution [source,cpp] ---- constexpr int addOne(int n) { return n+1; } -struct A { -constexpr static int secretNumber = 0; -}; ---- -  ifdef::env-github,rspecator-view[] From 03d5cf98e74e3147680db2639a72e453aca6f071 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 11:47:55 +0100 Subject: [PATCH 12/13] Create rule S7169: Coveo API keys should not be disclosed (#4508) --- rules/S7169/metadata.json | 2 ++ rules/S7169/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7169/secrets/rule.adoc | 33 ++++++++++++++++++ 3 files changed, 91 insertions(+) create mode 100644 rules/S7169/metadata.json create mode 100644 rules/S7169/secrets/metadata.json create mode 100644 rules/S7169/secrets/rule.adoc diff --git a/rules/S7169/metadata.json b/rules/S7169/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7169/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7169/secrets/metadata.json b/rules/S7169/secrets/metadata.json new file mode 100644 index 00000000000..6383c626dfc --- /dev/null +++ b/rules/S7169/secrets/metadata.json 
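Review bot: After the first hunk the rationale covers only functions, yet the static data member case it removes is still implicitly inline from C++17 onward, so a reader of the rule cannot tell whether `inline constexpr static` members are now deliberately out of scope or merely undocumented. If the exclusion is intentional, as the subject line suggests, a short note after the rationale such as `This rule only considers functions; constexpr static data members are not reported.` would make the narrowed scope explicit and keep the compliant example from looking incomplete. The second hunk removes the matching `struct A` examples consistently, so no further change is needed there.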
@@ -0,0 +1,56 @@
+{
+ "title": "Coveo API keys should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7169",
+ "sqKey": "S7169",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7169/secrets/rule.adoc b/rules/S7169/secrets/rule.adoc
new file mode 100644
index 00000000000..3b0185b7464
--- /dev/null
+++ b/rules/S7169/secrets/rule.adoc
@@ -0,0 +1,33 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: xx31c5e664-c410-42f2-832f-1864e233de28
+:example_name: coveo-api-key
+:example_env: COVEO_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
From 9592b44aa4a9abd499e442b6c3f66380ffee6d47 Mon Sep 17 00:00:00 2001
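Review bot: The "What is the potential impact?" section of rule.adoc goes straight to the generic "Below are some real-world scenarios" intro without saying what a Coveo API key grants, unlike the sibling secrets rules that open with a sentence about the service; a lead-in along the lines of `Coveo API keys grant access to the Coveo platform with the privileges assigned to the key, so their impact depends on what the key was allowed to do.` (wording to be checked against Coveo's documentation) would let the two included impact snippets stand on their own. The Resources section also has only the shared standards include and no Documentation entry pointing to Coveo's own guidance on managing and rotating API keys; adding one (URL to be confirmed) would give readers a concrete revocation path, as the eBay rule does.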
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 14:59:58 +0100 Subject: [PATCH 13/13] Create rule S7170: HubSpot secrets should not be disclosed (#4510) * Create rule S7170 * Add text * Update rules/S7170/secrets/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S7170/secrets/rule.adoc --------- Co-authored-by: loris-s-sonarsource Co-authored-by: Loris Sierra Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> --- rules/S7170/metadata.json | 2 ++ rules/S7170/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++ rules/S7170/secrets/rule.adoc | 45 +++++++++++++++++++++++++ 3 files changed, 103 insertions(+) create mode 100644 rules/S7170/metadata.json create mode 100644 rules/S7170/secrets/metadata.json create mode 100644 rules/S7170/secrets/rule.adoc diff --git a/rules/S7170/metadata.json b/rules/S7170/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7170/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7170/secrets/metadata.json b/rules/S7170/secrets/metadata.json new file mode 100644 index 00000000000..c138fb007d1 --- /dev/null +++ b/rules/S7170/secrets/metadata.json 
@@ -0,0 +1,56 @@
+{
+ "title": "HubSpot secrets should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7170",
+ "sqKey": "S7170",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7170/secrets/rule.adoc b/rules/S7170/secrets/rule.adoc
new file mode 100644
index 00000000000..d4377676e40
--- /dev/null
+++ b/rules/S7170/secrets/rule.adoc
@@ -0,0 +1,45 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Hubspot credentials can be used for varieties of actions on the Hubspot services,
+including managing CRM, CMS, marketing automation, customer service and
+analytics.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: secret
+
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[]
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: pat-na1-6d04652d-107a-4742-964d-34dabf69843c
+:example_name: hubspot-api-key
+:example_env: HUBSPOT_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
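Review bot: The impact paragraph spells the vendor `Hubspot` twice while the title in metadata.json uses `HubSpot`, and "for varieties of actions" is ungrammatical; suggest `HubSpot credentials can be used for a variety of actions on the HubSpot services,`. The example secret uses the `pat-na1-` prefix, which appears to be HubSpot's private-app access token format, yet `:example_name:` is `hubspot-api-key`; naming it `hubspot-access-token` would match what the placeholder shows. Because all four impact sections are shared includes, one sentence noting that the actual blast radius depends on the scopes granted to the private app the token belongs to would make the rule more accurate for readers triaging a finding.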