Merge branch 'master' into rule/add-RSPEC-S7150

SonarSource · Nov 12, 2024 · 1078159 · 1078159
2 parents 1f4466e + 90bbc1c
commit 1078159
Show file tree

Hide file tree

Showing 20 changed files with 325 additions and 16 deletions.
diff --git a/rules/S6869/kubernetes/metadata.json b/rules/S6869/kubernetes/metadata.json
@@ -8,7 +8,7 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-6869",
   "sqKey": "S6869",
   "scope": "All",

diff --git a/rules/S7018/docker/metadata.json b/rules/S7018/docker/metadata.json
@@ -16,9 +16,7 @@
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "MEDIUM",
-      "RELIABILITY": "LOW",
-      "SECURITY": "LOW"
+      "MAINTAINABILITY": "LOW"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7019/docker/metadata.json b/rules/S7019/docker/metadata.json
@@ -17,7 +17,7 @@
   "code": {
     "impacts": {
       "MAINTAINABILITY": "MEDIUM",
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "MEDIUM"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
@@ -1,8 +1,14 @@
-In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions. The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell. This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
+In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions.
+The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell.
+This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
 
 == Why is this an issue?
 
-Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues. When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals. This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it. Moreover, the exec form provides more control and predictability over the execution of the command. It does not invoke a command shell, which means it does not have the potential side effects of shell processing. 
+Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues.
+When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals.
+This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it.
+Moreover, the exec form provides more control and predictability over the execution of the command.
+It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
 
 == How to fix it
 

diff --git a/rules/S7020/docker/metadata.json b/rules/S7020/docker/metadata.json
@@ -8,15 +8,15 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-7020",
   "sqKey": "S7020",
   "scope": "All",
   "defaultQualityProfiles": ["Sonar way"],
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "LOW"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7021/docker/metadata.json b/rules/S7021/docker/metadata.json
@@ -16,7 +16,7 @@
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "RELIABILITY": "HIGH"
+      "RELIABILITY": "MEDIUM"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7023/docker/metadata.json b/rules/S7023/docker/metadata.json
@@ -17,7 +17,7 @@
   "code": {
     "impacts": {
       "MAINTAINABILITY": "MEDIUM",
-      "RELIABILITY": "HIGH",
+      "RELIABILITY": "MEDIUM",
       "SECURITY": "MEDIUM"
     },
     "attribute": "CONVENTIONAL"

diff --git a/rules/S7026/docker/metadata.json b/rules/S7026/docker/metadata.json
@@ -16,7 +16,7 @@
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "MEDIUM"
+      "MAINTAINABILITY": "LOW"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7030/docker/metadata.json b/rules/S7030/docker/metadata.json
@@ -8,7 +8,7 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-7030",
   "sqKey": "S7030",
   "scope": "All",

diff --git a/rules/S7031/docker/metadata.json b/rules/S7031/docker/metadata.json
@@ -8,15 +8,15 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Minor",
   "ruleSpecification": "RSPEC-7031",
   "sqKey": "S7031",
   "scope": "All",
   "defaultQualityProfiles": ["Sonar way"],
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH"
+      "MAINTAINABILITY": "LOW"
     },
     "attribute": "CONVENTIONAL"
   }

diff --git a/rules/S7144/metadata.json b/rules/S7144/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7144/secrets/metadata.json b/rules/S7144/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "BitBucket OAuth credentials should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7144",
+  "sqKey": "S7144",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7144/secrets/rule.adoc b/rules/S7144/secrets/rule.adoc
@@ -0,0 +1,62 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If attackers gain access to a BitBucket OAuth credentials, they will be able to interact with BitBucket API on behalf of the compromised account.
+
+=== What is the potential impact?
+
+Bitbucket keys allow external services to access resources on a user’s behalf with the OAuth 2.0 protocol.
+They are used to authenticate applications, services, or APIs using BitBucket for login and access-control.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+props.set("bitbucket.oauth-key", "MP76PZGLQmw63rxZYJ") // Noncompliant
+props.set("bitbucket.oauth-secret", "ASgzPac3EPbXHbTSw6DyUagJZ8ThnUFG") // Noncompliant
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+props.set("bitbucket.oauth-key", System.getenv("BITBUCKET_OAUTH_KEY")
+props.set("bitbucket.oauth-secret", System.getenv("BITBUCKET_OAUTH_SECRET")
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+* Bitbucket Support - https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/[Use OAuth on Bitbucket Cloud]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
diff --git a/rules/S7148/metadata.json b/rules/S7148/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7148/secrets/metadata.json b/rules/S7148/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "Mailchimp API keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7148",
+  "sqKey": "S7148",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7148/secrets/rule.adoc b/rules/S7148/secrets/rule.adoc
@@ -0,0 +1,35 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API key
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: c16e8cb733ddd860d2d8d8a9bdd00c44-us10
+:example_name: mailchimp-api-key
+:example_env: MAILCHIMP_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
diff --git a/rules/S7149/metadata.json b/rules/S7149/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7149/secrets/metadata.json b/rules/S7149/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "Doppler auth tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7149",
+  "sqKey": "S7149",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}