Update rule description

SonarSource · Sep 19, 2023 · d798132 · d798132
1 parent e8a27d5
commit d798132
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 42 deletions.
diff --git a/rules/S6753/metadata.json b/rules/S6753/metadata.json
@@ -1,2 +1 @@
-{
-}
+{}
diff --git a/rules/S6753/secrets/metadata.json b/rules/S6753/secrets/metadata.json
@@ -1,25 +1,56 @@
 {
-  "title": "FIXME",
-  "type": "CODE_SMELL",
+  "title": "Zuplo API keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
-    "constantCost": "5min"
+    "constantCost": "30min"
   },
   "tags": [
+    "cwe",
+    "cert"
   ],
-  "defaultSeverity": "Major",
+  "extra": {
+    "replacementRules": []
+  },
+  "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-6753",
   "sqKey": "S6753",
   "scope": "All",
-  "defaultQualityProfiles": ["Sonar way"],
-  "quickfix": "unknown",
-  "code": {
-    "impacts": {
-      "MAINTAINABILITY": "HIGH",
-      "RELIABILITY": "MEDIUM",
-      "SECURITY": "LOW"
-    },
-    "attribute": "CONVENTIONAL"
-  }
-}
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S6753/secrets/rule.adoc b/rules/S6753/secrets/rule.adoc
@@ -1,44 +1,48 @@
-FIXME: add a description
-
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+include::../../../shared_content/secrets/description.adoc[]
 
 == Why is this an issue?
 
-FIXME: remove the unused optional headers (that are commented out)
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the credentials.
+
+:secret_type: credentials
+
+include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[]
 
-//=== What is the potential impact?
 
 == How to fix it
-//== How to fix it in FRAMEWORK NAME
 
-=== Code examples
+include::../../../shared_content/secrets/fix/revoke.adoc[]
 
-==== Noncompliant code example
+include::../../../shared_content/secrets/fix/vault.adoc[]
 
-[source,text,diff-id=1,diff-type=noncompliant]
-----
-FIXME
-----
+=== Code examples
 
-==== Compliant solution
+:example_secret: zpka_213d294a9a5a44619cd6a02e55a20417_5f43e4d0
+:example_name: zapi_key
+:example_env: ZAPI_KEY
 
-[source,text,diff-id=1,diff-type=compliant]
-----
-FIXME
-----
+include::../../../shared_content/secrets/examples.adoc[]
 
 //=== How does this work?
 
 //=== Pitfalls
 
 //=== Going the extra mile
 
+== Resources
+
+=== Documentation
+
+* Zuplo API documentation - https://zuplo.com/docs/articles/api-key-management[API Keys Overview]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
 
-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
+//=== Benchmarks
-Original file line number
+Diff line change
@@ -1,2 +1 @@
-    {
-    }
+    {}