From c36fc7cc5f536118b943c9c65c11eff66d96e11c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 11:42:40 +0100
Subject: [PATCH 1/5] Create rule S7144: Bitbucket keys should not be disclosed (APPSEC-1864) (#4476)
---
 rules/S7144/metadata.json | 2 +
 rules/S7144/secrets/metadata.json | 56 ++++++++++++++++++++++++++++
 rules/S7144/secrets/rule.adoc | 62 +++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+)
 create mode 100644 rules/S7144/metadata.json
 create mode 100644 rules/S7144/secrets/metadata.json
 create mode 100644 rules/S7144/secrets/rule.adoc
diff --git a/rules/S7144/metadata.json b/rules/S7144/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7144/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7144/secrets/metadata.json b/rules/S7144/secrets/metadata.json
new file mode 100644
index 00000000000..aad41af302d
--- /dev/null
+++ b/rules/S7144/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "BitBucket OAuth credentials should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7144",
+ "sqKey": "S7144",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7144/secrets/rule.adoc b/rules/S7144/secrets/rule.adoc
new file mode 100644
index 00000000000..1fb4e62c57d
--- /dev/null
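Review bot: The `"title"` line spells the product `BitBucket`, while the commit subject, the example property names and the Resources link in rule.adoc use the vendor's spelling `Bitbucket`, and the "Why is this an issue?" paragraph in rule.adoc mixes both. Suggest `"title": "Bitbucket OAuth credentials should not be disclosed",` and the same spelling throughout rule.adoc in this same patch. The subject also calls the secret "keys" where the title says "OAuth credentials" and the body uses both terms; settling on one in the title helps readers who search rules by name.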
+++ b/rules/S7144/secrets/rule.adoc
@@ -0,0 +1,62 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If attackers gain access to a BitBucket OAuth credentials, they will be able to interact with BitBucket API on behalf of the compromised account.
+
+=== What is the potential impact?
+
+Bitbucket keys allow external services to access resources on a user’s behalf with the OAuth 2.0 protocol.
+They are used to authenticate applications, services, or APIs using BitBucket for login and access-control.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+props.set("bitbucket.oauth-key", "MP76PZGLQmw63rxZYJ") // Noncompliant
+props.set("bitbucket.oauth-secret", "ASgzPac3EPbXHbTSw6DyUagJZ8ThnUFG") // Noncompliant
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+props.set("bitbucket.oauth-key", System.getenv("BITBUCKET_OAUTH_KEY")
+props.set("bitbucket.oauth-secret", System.getenv("BITBUCKET_OAUTH_SECRET")
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+* Bitbucket Support - https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/[Use OAuth on Bitbucket Cloud]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
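Review bot: Both lines of the compliant solution are missing their closing parenthesis, so the snippet shown as the fix is not valid Java and fails to compile when copied: `props.set("bitbucket.oauth-key", System.getenv("BITBUCKET_OAUTH_KEY"))` and `props.set("bitbucket.oauth-secret", System.getenv("BITBUCKET_OAUTH_SECRET"))`. The sentence after the `rationale.adoc` include has a number-agreement slip in `a BitBucket OAuth credentials`; suggest `If attackers gain access to Bitbucket OAuth credentials, they will be able to interact with the Bitbucket API on behalf of the compromised account.` Neither example block ends its statements with `;`, which is fine for an illustrative snippet but worth aligning with whatever the repository's other Java examples do.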
From 25b5633b3633e966c979110c9b55ff82678bd895 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 10:50:35 +0000
Subject: [PATCH 2/5] Create rule S7148: Mailchimp API keys should not be disclosed (APPSEC-2242) (#4482)
---
 rules/S7148/metadata.json | 2 ++
 rules/S7148/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7148/secrets/rule.adoc | 35 +++++++++++++++++++
 3 files changed, 93 insertions(+)
 create mode 100644 rules/S7148/metadata.json
 create mode 100644 rules/S7148/secrets/metadata.json
 create mode 100644 rules/S7148/secrets/rule.adoc
diff --git a/rules/S7148/metadata.json b/rules/S7148/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7148/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7148/secrets/metadata.json b/rules/S7148/secrets/metadata.json
new file mode 100644
index 00000000000..3e3725f2469
--- /dev/null
+++ b/rules/S7148/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Mailchimp API keys should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7148",
+ "sqKey": "S7148",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7148/secrets/rule.adoc b/rules/S7148/secrets/rule.adoc
new file mode 100644
index 00000000000..3583f1b936f
--- /dev/null
+++ b/rules/S7148/secrets/rule.adoc
@@ -0,0 +1,35 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API key
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: c16e8cb733ddd860d2d8d8a9bdd00c44-us10
+:example_name: mailchimp-api-key
+:example_env: MAILCHIMP_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
From d870aef0b52b002b4cec9be3c61578286e16080c Mon Sep 17 00:00:00 2001
From: Jonas Wielage
Date: Tue, 12 Nov 2024 12:08:46 +0100
Subject: [PATCH 3/5] SONARIAC-1789 Align software quality impact and defaultSeverities on IaC Rules (#4485)
---
 rules/S6869/kubernetes/metadata.json | 2 +-
 rules/S7018/docker/metadata.json | 4 +---
 rules/S7019/docker/metadata.json | 2 +-
 rules/S7019/docker/rule.adoc | 10 ++++++++--
 rules/S7020/docker/metadata.json | 4 ++--
 rules/S7021/docker/metadata.json | 2 +-
 rules/S7023/docker/metadata.json | 2 +-
 rules/S7026/docker/metadata.json | 2 +-
 rules/S7030/docker/metadata.json | 2 +-
 rules/S7031/docker/metadata.json | 4 ++--
 10 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/rules/S6869/kubernetes/metadata.json b/rules/S6869/kubernetes/metadata.json
index 71145c2488f..5c536161f3d 100644
--- a/rules/S6869/kubernetes/metadata.json
+++ b/rules/S6869/kubernetes/metadata.json
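Review bot: The "Why is this an issue?" section consists of the shared `rationale.adoc` include alone, so the rule never says what a Mailchimp API key lets an attacker do, whereas S7144 in this same series adds a service-specific sentence right after that include. Suggest adding after `rationale.adoc`: `If attackers gain access to a Mailchimp API key, they will be able to interact with the Mailchimp API on behalf of the compromised account.` That one sentence also motivates why `phishing.adoc` and `financial_loss.adoc` are the impact scenarios chosen below it.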
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-6869",
 "sqKey": "S6869",
 "scope": "All",
diff --git a/rules/S7018/docker/metadata.json b/rules/S7018/docker/metadata.json
index 5bc765f9727..f009c1fe577 100644
--- a/rules/S7018/docker/metadata.json
+++ b/rules/S7018/docker/metadata.json
@@ -16,9 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "MEDIUM",
- "RELIABILITY": "LOW",
- "SECURITY": "LOW"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7019/docker/metadata.json b/rules/S7019/docker/metadata.json
index 1d9e68151b0..a9d6d4a998f 100644
--- a/rules/S7019/docker/metadata.json
+++ b/rules/S7019/docker/metadata.json
@@ -17,7 +17,7 @@
 "code": {
 "impacts": {
 "MAINTAINABILITY": "MEDIUM",
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
index 79152084ec6..b58061fac80 100644
--- a/rules/S7019/docker/rule.adoc
+++ b/rules/S7019/docker/rule.adoc
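Review bot: S7018's only remaining impact is `"MAINTAINABILITY": "LOW"`, yet no `defaultSeverity` hunk accompanies it, whereas S7020 and S7031 in this same commit pair the same `LOW` impact with a `Major` → `Minor` change; S7026 (`MEDIUM` → `LOW`) is in the same position. If the untouched `defaultSeverity` lines of S7018 and S7026 still read `Major`, the impact/severity alignment the subject describes is incomplete for those two files, so it is worth confirming against the unchanged lines. The same check applies, with `Major` as the expected value, to S7019, S7021 and S7023, whose highest impact becomes `MEDIUM` without a visible severity change.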
@@ -1,8 +1,14 @@
-In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions. The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell. This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
+In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions.
+The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell.
+This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
 == Why is this an issue?
-Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues. When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals. This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it. Moreover, the exec form provides more control and predictability over the execution of the command. It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
+Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues.
+When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals.
+This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it.
+Moreover, the exec form provides more control and predictability over the execution of the command.
+It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
== How to fix it
diff --git a/rules/S7020/docker/metadata.json b/rules/S7020/docker/metadata.json
index 62292bbcb69..8f40622e68d 100644
--- a/rules/S7020/docker/metadata.json
+++ b/rules/S7020/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-7020",
 "sqKey": "S7020",
 "scope": "All",
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7021/docker/metadata.json b/rules/S7021/docker/metadata.json
index 7c12987c1cb..1fa351169f1 100644
--- a/rules/S7021/docker/metadata.json
+++ b/rules/S7021/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7023/docker/metadata.json b/rules/S7023/docker/metadata.json
index 7b193e8ebaa..a528370c661 100644
--- a/rules/S7023/docker/metadata.json
+++ b/rules/S7023/docker/metadata.json
@@ -17,7 +17,7 @@
 "code": {
 "impacts": {
 "MAINTAINABILITY": "MEDIUM",
- "RELIABILITY": "HIGH",
+ "RELIABILITY": "MEDIUM",
 "SECURITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
diff --git a/rules/S7026/docker/metadata.json b/rules/S7026/docker/metadata.json
index ad5dcccf5a3..0ec2a048309 100644
--- a/rules/S7026/docker/metadata.json
+++ b/rules/S7026/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "MEDIUM"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7030/docker/metadata.json b/rules/S7030/docker/metadata.json
index b98d3cffc47..1d35df87ea8 100644
--- a/rules/S7030/docker/metadata.json
+++ b/rules/S7030/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-7030",
 "sqKey": "S7030",
 "scope": "All",
diff --git a/rules/S7031/docker/metadata.json b/rules/S7031/docker/metadata.json
index 664fcabba17..d8dc207f3b0 100644
--- a/rules/S7031/docker/metadata.json
+++ b/rules/S7031/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-7031",
 "sqKey": "S7031",
 "scope": "All",
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
From a7bff601e5049a553b7155f423df2e2b1b6fe9e8 Mon Sep 17 00:00:00 2001
From: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
Date: Tue, 12 Nov 2024 12:27:14 +0100
Subject: [PATCH 4/5] Remove mention to "pornographic material" in shared `phising.adoc` (#4480)
---
 shared_content/secrets/impact/phishing.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared_content/secrets/impact/phishing.adoc b/shared_content/secrets/impact/phishing.adoc
index e3cab8b0067..50e49792572 100644
--- a/shared_content/secrets/impact/phishing.adoc
+++ b/shared_content/secrets/impact/phishing.adoc
@@ -5,7 +5,7 @@ a malicious domain controlled by the attacker.
 Spam can cause users to be exposed to the following:
-* Unsolicited, inappropriate content, such as pornographic material
+* Unsolicited, inappropriate content
 * Fraudulent attempts to trick users into sending information or money
 * Abusive or hateful statements
 * False advertising or fraudulent claims
From 90bbc1c99eced2b40c81eef31e8e87025c2319aa Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 17:23:43 +0100
Subject: [PATCH 5/5] Create rule S7149: Doppler auth tokens should not be disclosed (#4483)
---
 rules/S7149/metadata.json | 2 ++
 rules/S7149/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7149/secrets/rule.adoc | 34 +++++++++++++++++++
 3 files changed, 92 insertions(+)
 create mode 100644 rules/S7149/metadata.json
 create mode 100644 rules/S7149/secrets/metadata.json
 create mode 100644 rules/S7149/secrets/rule.adoc
diff --git a/rules/S7149/metadata.json b/rules/S7149/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7149/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7149/secrets/metadata.json b/rules/S7149/secrets/metadata.json
new file mode 100644
index 00000000000..ce101068f6e
--- /dev/null
+++ b/rules/S7149/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "Doppler auth tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7149",
+ "sqKey": "S7149",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7149/secrets/rule.adoc b/rules/S7149/secrets/rule.adoc
new file mode 100644
index 00000000000..bab910e1fb5
--- /dev/null
+++ b/rules/S7149/secrets/rule.adoc
@@ -0,0 +1,34 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: dp.ct.bAqhcVzrhy5cRHkOlNTc0Ve6w5NUDCpcutm8vGE9myi
+:example_name: doppler-auth-token
+:example_env: DOPPLER_AUTH_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
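Review bot: The rule text never states what a Doppler auth token grants; the "Why is this an issue?" section is the shared `rationale.adoc` include alone, so a reader has to infer from the `data_compromise.adoc` include that Doppler is a secrets manager and that a leaked token exposes the secrets it can read. Suggest adding after the `rationale.adoc` include: `If attackers gain access to a Doppler auth token, they will be able to read every secret stored in the projects and configs that token can access, and to modify them if the token has write permissions.` The `dp.ct.` prefix of the example secret appears to denote one specific Doppler token kind; a short sentence noting that Doppler issues several token kinds with different scopes would help readers who encounter a different prefix.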