diff --git a/.github/workflows/update_coverage.yml b/.github/workflows/update_coverage.yml index 7ab51f4bb5d..73b032a20e1 100644 --- a/.github/workflows/update_coverage.yml +++ b/.github/workflows/update_coverage.yml @@ -5,6 +5,8 @@ on: jobs: update_coverage: + permissions: + id-token: write runs-on: ubuntu-latest env: TMP_BRANCH: temporary/coverage_update @@ -93,10 +95,17 @@ jobs: steps.wait-for-build.outputs.conclusion != 'success' run: exit 1 + - name: get secrets + id: secrets + uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # 3.0.1 + with: + secrets: | + development/kv/data/slack token | slack_token; + - name: 'Notify on slack about the failure' if: ${{ failure() }} env: - SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }} + SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }} working-directory: 'rspec/rspec-tools' run: | pipenv run rspec-tools notify-failure-on-slack \ diff --git a/rspec-tools/rspec_template/single_language/secrets/metadata.json b/rspec-tools/rspec_template/single_language/secrets/metadata.json new file mode 100644 index 00000000000..3db69aaaf66 --- /dev/null +++ b/rspec-tools/rspec_template/single_language/secrets/metadata.json 
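Review bot: Declaring `permissions:` at job level with only `id-token: write` resets every other GITHUB_TOKEN scope for the update_coverage job to `none`, so any step that pushes the `TMP_BRANCH` branch or opens a pull request through the default token will start failing with 403s once this merges. If those steps rely on GITHUB_TOKEN rather than a separately supplied token, list the scopes explicitly, e.g. `permissions:` / `  id-token: write` / `  contents: write`. The rest of the job body is outside this hunk, so whether the push uses GITHUB_TOKEN or a PAT cannot be confirmed from here.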
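Review bot: The new `get secrets` step has no `if:` condition, so it is skipped whenever an earlier step fails — including the `run: exit 1` step immediately above it — yet the Slack notification that follows only runs on `failure()` and reads `steps.secrets.outputs.vault`. On exactly the path the notification is meant to cover, that output is empty and the `fromJSON(...)` expression either errors or yields an empty token, so no alert is sent. Give the vault step the same condition as its consumer, `if: ${{ failure() }}`, so the token is fetched only when the notification is actually going to run; that also keeps the OIDC-to-Vault exchange off the success path. It is worth confirming that the vault-action-wrapper output is masked in logs the way the `secrets.SLACK_API_TOKEN` context was implicitly.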
@@ -0,0 +1,56 @@ +{ + "title": "SECRET_TYPE should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-${RSPEC_ID}", + "sqKey": "S${RSPEC_ID}", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD 2023-06-08": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rspec-tools/rspec_template/single_language/secrets/rule.adoc b/rspec-tools/rspec_template/single_language/secrets/rule.adoc new file mode 100644 index 00000000000..bae2119bf94 --- /dev/null +++ b/rspec-tools/rspec_template/single_language/secrets/rule.adoc 
@@ -0,0 +1,48 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +// Optional: Give a general description of the secret and what it's used for. + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +// Set value that can be used to refer to the type of secret in, for example: +// "An attacker can use this {secret_type} to ..." +:secret_type: secret + +// Where possible, use predefined content for common impacts. This content can +// be found in the folder "shared_content/secrets/impact". + +//include::../../../shared_content/secrets/impact/some_impact.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: example_secret_value +:example_name: java-property-name +:example_env: ENV_VAR_NAME + +include::../../../shared_content/secrets/examples.adoc[] + +//=== How does this work? + +//=== Pitfalls + +//=== Going the extra mile + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] + +//=== Benchmarks diff --git a/rspec-tools/rspec_tools/create_rule.py b/rspec-tools/rspec_tools/create_rule.py index c9f57af1535..c56fa67c2e5 100644 --- a/rspec-tools/rspec_tools/create_rule.py +++ b/rspec-tools/rspec_tools/create_rule.py 
@@ -113,7 +113,9 @@ def _fill_multi_lang_template_files(self, rule_dir: Path, rule_number: int, lang def _fill_single_lang_template_files(self, rule_dir: Path, rule_number: int, language: str): common_template = self.TEMPLATE_PATH / 'single_language' / 'common' - lang_specific_template = self.TEMPLATE_PATH / 'single_language' / 'language_specific' + lang_specific_template = self.TEMPLATE_PATH / 'single_language' / language + if not Path(lang_specific_template).exists(): + lang_specific_template = self.TEMPLATE_PATH / 'single_language' / 'language_specific' copy_directory_content(common_template, rule_dir) lang_dir = rule_dir /language diff --git a/rules/S6864/kubernetes/rule.adoc b/rules/S6864/kubernetes/rule.adoc index 093543db5eb..e223ef440b1 100644 --- a/rules/S6864/kubernetes/rule.adoc +++ b/rules/S6864/kubernetes/rule.adoc @@ -39,7 +39,7 @@ node failure. === Code examples -To avoid potential issues specify a memory limit for each container. +To avoid potential issues, either specify a memory limit for each container in a pod specification or create a resource of a kind, `LimitRange`, that sets a default memory limit for all containers in all pod specifications belonging to the same namespace. ==== Noncompliant code example @@ -55,6 +55,18 @@ spec: image: nginx ---- +[source,yaml,diff-id=2,diff-type=noncompliant] +---- +apiVersion: v1 +kind: Pod +metadata: + name: example +spec: + containers: + - name: web # Noncompliant + image: nginx +---- + ==== Compliant solution [source,yaml,diff-id=1,diff-type=compliant] 
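Review bot: The fallback test on the added line should be `is_dir()` rather than `exists()`, and the `Path(...)` wrapper is redundant since `self.TEMPLATE_PATH / ...` already yields a Path: `if not lang_specific_template.is_dir():`. With `exists()`, a stray file named like a language under `single_language/` is selected as the template directory and the later copy presumably fails instead of falling back to `language_specific`. Because `language` is caller-supplied and joined into a filesystem path, the silent fallback also means a typo or path-like value quietly degrades to the generic template rather than being reported; a short comment such as `# A per-language template overrides the generic one when present` would make the intent explicit. `_fill_single_lang_template_files` continues past the end of the hunk.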
@@ -72,11 +84,35 @@ spec: memory: 100Mi ---- +[source,yaml,diff-id=2,diff-type=compliant] +---- +apiVersion: v1 +kind: LimitRange +metadata: + name: mem-limit-range + namespace: default-mem-example +spec: + limits: + - type: Container + default: + memory: 100Mi +--- +apiVersion: v1 +kind: Pod +metadata: + name: example + namespace: default-mem-example +spec: + containers: + - name: web + image: nginx +---- + === How does this work? A limit can be set through the property `resources.limits.memory` of a container. Alternatively, a default limit for a namespace can be set with -`LimitRange`. +`LimitRange` through `spec.limits[].default.memory`. == Resources diff --git a/rules/S6909/java/rule.adoc b/rules/S6909/java/rule.adoc index 14e0b64d3c6..5697e129010 100644 --- a/rules/S6909/java/rule.adoc +++ b/rules/S6909/java/rule.adoc @@ -27,7 +27,7 @@ public class DatabaseExample { public void updateTodayOrders(Connection connection, List orders) { Date today = java.sql.Date.valueOf(LocalDate.now()); String insertQuery = "INSERT INTO Order (id, price, executionDate) VALUES (?, ?, ?)"; - PreparedStatement preparedStatement = connection.prepareStatement(SQL_INSERT); + PreparedStatement preparedStatement = connection.prepareStatement(insertQuery); for(Order order: orders) { preparedStatement.setString(1, order.id()); @@ -50,10 +50,9 @@ public class DatabaseExample { public void updateTodayOrders(Connection connection, List orders) { Date today = java.sql.Date.valueOf(LocalDate.now()); String insertQuery = "INSERT INTO Order (id, price, executionDate) VALUES (?, ?, ?)"; - preparedStatement.setDate(3, today); // Compliant - - PreparedStatement preparedStatement = connection.prepareStatement(SQL_INSERT); + PreparedStatement preparedStatement = connection.prepareStatement(insertQuery); + preparedStatement.setDate(3, today); // Compliant for(Order order: orders) { preparedStatement.setString(1, order.id()); preparedStatement.setString(2, order.price());