Merge branch 'master' into ft/hidden-friends

SonarSource · Jun 27, 2024 · db60b75 · db60b75
2 parents 95e4c72 + 629afcc
commit db60b75
Show file tree

Hide file tree

Showing 6 changed files with 158 additions and 8 deletions.
diff --git a/.github/workflows/update_coverage.yml b/.github/workflows/update_coverage.yml
@@ -5,6 +5,8 @@ on:
 
 jobs:
   update_coverage:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     env:
       TMP_BRANCH: temporary/coverage_update
@@ -93,10 +95,17 @@ jobs:
         steps.wait-for-build.outputs.conclusion != 'success'
       run: exit 1
 
+    - name: get secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # 3.0.1
+        with:
+          secrets: |
+            development/kv/data/slack token | slack_token;
+
     - name: 'Notify on slack about the failure'
       if: ${{ failure() }}
       env:
-        SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
+        SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }}
       working-directory: 'rspec/rspec-tools'
       run: |
         pipenv run rspec-tools notify-failure-on-slack \

diff --git a/rspec-tools/rspec_template/single_language/secrets/metadata.json b/rspec-tools/rspec_template/single_language/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "SECRET_TYPE should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-${RSPEC_ID}",
+  "sqKey": "S${RSPEC_ID}",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rspec-tools/rspec_template/single_language/secrets/rule.adoc b/rspec-tools/rspec_template/single_language/secrets/rule.adoc
@@ -0,0 +1,48 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+:secret_type: secret
+
+// Where possible, use predefined content for common impacts. This content can
+// be found in the folder "shared_content/secrets/impact".
+
+//include::../../../shared_content/secrets/impact/some_impact.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: example_secret_value
+:example_name: java-property-name
+:example_env: ENV_VAR_NAME
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
diff --git a/rspec-tools/rspec_tools/create_rule.py b/rspec-tools/rspec_tools/create_rule.py
@@ -113,7 +113,9 @@ def _fill_multi_lang_template_files(self, rule_dir: Path, rule_number: int, lang
 
   def _fill_single_lang_template_files(self, rule_dir: Path, rule_number: int, language: str):
     common_template = self.TEMPLATE_PATH / 'single_language' / 'common'
-    lang_specific_template = self.TEMPLATE_PATH / 'single_language' / 'language_specific'
+    lang_specific_template = self.TEMPLATE_PATH / 'single_language' / language
+    if not Path(lang_specific_template).exists():
+      lang_specific_template = self.TEMPLATE_PATH / 'single_language' / 'language_specific'
     copy_directory_content(common_template, rule_dir)
 
     lang_dir = rule_dir /language

diff --git a/rules/S6864/kubernetes/rule.adoc b/rules/S6864/kubernetes/rule.adoc
@@ -39,7 +39,7 @@ node failure.
 
 === Code examples
 
-To avoid potential issues specify a memory limit for each container.
+To avoid potential issues, either specify a memory limit for each container in a pod specification or create a resource of a kind, `LimitRange`, that sets a default memory limit for all containers in all pod specifications belonging to the same namespace.
 
 ==== Noncompliant code example
 
@@ -55,6 +55,18 @@ spec:
       image: nginx
 ----
 
+[source,yaml,diff-id=2,diff-type=noncompliant]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+spec:
+  containers:
+    - name: web # Noncompliant
+      image: nginx
+----
+
 ==== Compliant solution
 
 [source,yaml,diff-id=1,diff-type=compliant]
@@ -72,11 +84,35 @@ spec:
           memory: 100Mi
 ----
 
+[source,yaml,diff-id=2,diff-type=compliant]
+----
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: mem-limit-range
+  namespace: default-mem-example
+spec:
+  limits:
+    - type: Container
+      default:
+        memory: 100Mi
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+  namespace: default-mem-example
+spec:
+  containers:
+    - name: web
+      image: nginx
+----
+
 === How does this work?
 
 A limit can be set through the property `resources.limits.memory` of a
 container. Alternatively, a default limit for a namespace can be set with
-`LimitRange`.
+`LimitRange` through `spec.limits[].default.memory`.
 
 == Resources
 

diff --git a/rules/S6909/java/rule.adoc b/rules/S6909/java/rule.adoc
@@ -27,7 +27,7 @@ public class DatabaseExample {
     public void updateTodayOrders(Connection connection, List<Order> orders) {
             Date today = java.sql.Date.valueOf(LocalDate.now());
             String insertQuery = "INSERT INTO Order (id, price, executionDate) VALUES (?, ?, ?)";
-            PreparedStatement preparedStatement = connection.prepareStatement(SQL_INSERT);
+            PreparedStatement preparedStatement = connection.prepareStatement(insertQuery);
 
             for(Order order: orders) {
                 preparedStatement.setString(1, order.id());
@@ -50,10 +50,9 @@ public class DatabaseExample {
     public void updateTodayOrders(Connection connection, List<Order> orders) {
             Date today = java.sql.Date.valueOf(LocalDate.now());
             String insertQuery = "INSERT INTO Order (id, price, executionDate) VALUES (?, ?, ?)";
-            preparedStatement.setDate(3, today); // Compliant
-
-            PreparedStatement preparedStatement = connection.prepareStatement(SQL_INSERT);
+            PreparedStatement preparedStatement = connection.prepareStatement(insertQuery);
 
+            preparedStatement.setDate(3, today); // Compliant
             for(Order order: orders) {
                 preparedStatement.setString(1, order.id());
                 preparedStatement.setString(2, order.price());