Deploying to gh-pages from @ e7a426a 🚀

rules/S6418/cfamily-description.html

@@ -2,39 +2,142 @@
 <h2 id="_description">Description</h2>
 <div class="sectionbody">
 <div class="paragraph">
-<p>FIXME: add a description</p>
+<p>Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.</p>
+</div>
+<div class="paragraph">
+<p>In the past, it has led to the following vulnerabilities:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25510">CVE-2022-25510</a></p>
+</li>
+<li>
+<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42635">CVE-2021-42635</a></p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Secrets should be stored outside of the source code in a configuration file or a management service for secrets.</p>
+</div>
+<div class="paragraph">
+<p>This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value.
+The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.</p>
 </div>
 </div>
 </div>
 <div class="sect1">
-<h2 id="_why_is_this_an_issue">Why is this an issue?</h2>
+<h2 id="_ask_yourself_whether">Ask Yourself Whether</h2>
 <div class="sectionbody">
+<div class="ulist">
+<ul>
+<li>
+<p>The secret allows access to a sensitive component like a database, a file storage, an API, or a service.</p>
+</li>
+<li>
+<p>The secret is used in a production environment.</p>
+</li>
+<li>
+<p>Application re-distribution is required before updating the secret.</p>
+</li>
+</ul>
+</div>
 <div class="paragraph">
-<p>FIXME: remove the unused optional headers (that are commented out)</p>
+<p>There would be a risk if you answered yes to any of those questions.</p>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_recommended_secure_coding_practices">Recommended Secure Coding Practices</h2>
+<div class="sectionbody">
+<div class="ulist">
+<ul>
+<li>
+<p>Store the secret in a configuration file that is not pushed to the code repository.</p>
+</li>
+<li>
+<p>Use your cloud provider&#8217;s service for managing secrets.</p>
+</li>
+<li>
+<p>If a secret has been disclosed through the source code: revoke it and create a new one.</p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_sensitive_code_example">Sensitive Code Example</h2>
+<div class="sectionbody">
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code class="language-cpp" data-lang="cpp">char const *mySecret = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";</code></pre>
 </div>
 </div>
 </div>
+</div>
+<div class="sect1">
+<h2 id="_see">See</h2>
+<div class="sectionbody">
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">Top 10 2021 Category A7 - Identification and Authentication Failures</a></p>
+</li>
+<li>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication">Top 10 2017 Category A2 - Broken Authentication</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a></p>
+</li>
+<li>
+<p>MSC - <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">MSC03-J - Never hard code sensitive information</a></p>
+</li>
+</ul>
+</div>
+<hr>
+</div>
+</div>
 <div class="sect1">
-<h2 id="_how_to_fix_it">How to fix it</h2>
+<h2 id="_implementation_specification">Implementation Specification</h2>
 <div class="sectionbody">
+<div class="paragraph">
+<p>(visible only on this page)</p>
+</div>
+<div class="sect2">
+<h3 id="_message">Message</h3>
+<div class="paragraph">
+<p>"xxxxx" detected here, make sure this is not a hard-coded secret.</p>
+</div>
+</div>
 <div class="sect2">
-<h3 id="_code_examples">Code examples</h3>
-<div class="sect3">
-<h4 id="_noncompliant_code_example">Noncompliant code example</h4>
+<h3 id="_parameters">Parameters</h3>
+<div class="sidebarblock">
+<div class="content">
+<div class="title">secretWords</div>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-cpp" data-lang="cpp">FIXME</code></pre>
+<pre>api[_.-]?key, auth, credential, secret, token</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Comma separated list of words identifying potential secret</p>
 </div>
 </div>
 </div>
-<div class="sect3">
-<h4 id="_compliant_solution">Compliant solution</h4>
+<div class="sidebarblock">
+<div class="content">
+<div class="title">randomnessSensibility</div>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-cpp" data-lang="cpp">FIXME</code></pre>
+<pre>7</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Allows to tune the Randomness Sensibility (from 0 to 10)</p>
 </div>
 </div>
 </div>
+<hr>
 </div>
 </div>
 </div>

rules/S6418/cfamily-metadata.json

@@ -1 +1 @@
-{"title":"Hard-coded secrets are security-sensitive","type":"SECURITY_HOTSPOT","code":{"impacts":{"SECURITY":"HIGH"},"attribute":"TRUSTWORTHY"},"status":"ready","remediation":{"func":"Constant/Issue","constantCost":"30min"},"tags":["cwe"],"extra":{"replacementRules":[],"legacyKeys":[]},"defaultSeverity":"Blocker","ruleSpecification":"RSPEC-6418","sqKey":"S6418","scope":"Main","securityStandards":{"CWE":[798],"OWASP":["A2"],"OWASP Top 10 2021":["A7"],"PCI DSS 3.2":["6.5.10"],"PCI DSS 4.0":["6.2.4"],"ASVS 4.0":["2.10.4","3.5.2","6.4.1"]},"defaultQualityProfiles":["Sonar way"],"quickfix":"unknown","allKeys":["S6418"],"prUrl":"https://github.com/SonarSource/rspec/pull/4427","branch":"rule/S6418-add-cfamily","languagesSupport":[{"name":"cfamily","status":"ready"},{"name":"java","status":"ready"},{"name":"python","status":"ready"}]}
+{"title":"Hard-coded secrets are security-sensitive","type":"SECURITY_HOTSPOT","code":{"impacts":{"SECURITY":"HIGH"},"attribute":"TRUSTWORTHY"},"status":"ready","remediation":{"func":"Constant/Issue","constantCost":"30min"},"tags":["cwe","cert"],"extra":{"replacementRules":[],"legacyKeys":[]},"defaultSeverity":"Blocker","ruleSpecification":"RSPEC-6418","sqKey":"S6418","scope":"Main","securityStandards":{"CERT":["MSC03-J."],"CWE":[798]},"defaultQualityProfiles":["Sonar way"],"quickfix":"unknown","allKeys":["S6418"],"prUrl":"https://github.com/SonarSource/rspec/pull/4427","branch":"rule/S6418-add-cfamily","languagesSupport":[{"name":"cfamily","status":"ready"},{"name":"java","status":"ready"},{"name":"python","status":"ready"}]}

rules/S6418/default-description.html

@@ -2,39 +2,142 @@
 <h2 id="_description">Description</h2>
 <div class="sectionbody">
 <div class="paragraph">
-<p>FIXME: add a description</p>
+<p>Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.</p>
+</div>
+<div class="paragraph">
+<p>In the past, it has led to the following vulnerabilities:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25510">CVE-2022-25510</a></p>
+</li>
+<li>
+<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42635">CVE-2021-42635</a></p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Secrets should be stored outside of the source code in a configuration file or a management service for secrets.</p>
+</div>
+<div class="paragraph">
+<p>This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value.
+The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.</p>
 </div>
 </div>
 </div>
 <div class="sect1">
-<h2 id="_why_is_this_an_issue">Why is this an issue?</h2>
+<h2 id="_ask_yourself_whether">Ask Yourself Whether</h2>
 <div class="sectionbody">
+<div class="ulist">
+<ul>
+<li>
+<p>The secret allows access to a sensitive component like a database, a file storage, an API, or a service.</p>
+</li>
+<li>
+<p>The secret is used in a production environment.</p>
+</li>
+<li>
+<p>Application re-distribution is required before updating the secret.</p>
+</li>
+</ul>
+</div>
 <div class="paragraph">
-<p>FIXME: remove the unused optional headers (that are commented out)</p>
+<p>There would be a risk if you answered yes to any of those questions.</p>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_recommended_secure_coding_practices">Recommended Secure Coding Practices</h2>
+<div class="sectionbody">
+<div class="ulist">
+<ul>
+<li>
+<p>Store the secret in a configuration file that is not pushed to the code repository.</p>
+</li>
+<li>
+<p>Use your cloud provider&#8217;s service for managing secrets.</p>
+</li>
+<li>
+<p>If a secret has been disclosed through the source code: revoke it and create a new one.</p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_sensitive_code_example">Sensitive Code Example</h2>
+<div class="sectionbody">
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code class="language-cpp" data-lang="cpp">char const *mySecret = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";</code></pre>
 </div>
 </div>
 </div>
+</div>
+<div class="sect1">
+<h2 id="_see">See</h2>
+<div class="sectionbody">
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">Top 10 2021 Category A7 - Identification and Authentication Failures</a></p>
+</li>
+<li>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication">Top 10 2017 Category A2 - Broken Authentication</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a></p>
+</li>
+<li>
+<p>MSC - <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">MSC03-J - Never hard code sensitive information</a></p>
+</li>
+</ul>
+</div>
+<hr>
+</div>
+</div>
 <div class="sect1">
-<h2 id="_how_to_fix_it">How to fix it</h2>
+<h2 id="_implementation_specification">Implementation Specification</h2>
 <div class="sectionbody">
+<div class="paragraph">
+<p>(visible only on this page)</p>
+</div>
+<div class="sect2">
+<h3 id="_message">Message</h3>
+<div class="paragraph">
+<p>"xxxxx" detected here, make sure this is not a hard-coded secret.</p>
+</div>
+</div>
 <div class="sect2">
-<h3 id="_code_examples">Code examples</h3>
-<div class="sect3">
-<h4 id="_noncompliant_code_example">Noncompliant code example</h4>
+<h3 id="_parameters">Parameters</h3>
+<div class="sidebarblock">
+<div class="content">
+<div class="title">secretWords</div>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-cpp" data-lang="cpp">FIXME</code></pre>
+<pre>api[_.-]?key, auth, credential, secret, token</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Comma separated list of words identifying potential secret</p>
 </div>
 </div>
 </div>
-<div class="sect3">
-<h4 id="_compliant_solution">Compliant solution</h4>
+<div class="sidebarblock">
+<div class="content">
+<div class="title">randomnessSensibility</div>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-cpp" data-lang="cpp">FIXME</code></pre>
+<pre>7</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Allows to tune the Randomness Sensibility (from 0 to 10)</p>
 </div>
 </div>
 </div>
+<hr>
 </div>
 </div>
 </div>

rules/S6418/default-metadata.json

@@ -1 +1 @@
-{"title":"Hard-coded secrets are security-sensitive","type":"SECURITY_HOTSPOT","code":{"impacts":{"SECURITY":"HIGH"},"attribute":"TRUSTWORTHY"},"status":"ready","remediation":{"func":"Constant/Issue","constantCost":"30min"},"tags":["cwe"],"extra":{"replacementRules":[],"legacyKeys":[]},"defaultSeverity":"Blocker","ruleSpecification":"RSPEC-6418","sqKey":"S6418","scope":"Main","securityStandards":{"CWE":[798],"OWASP":["A2"],"OWASP Top 10 2021":["A7"],"PCI DSS 3.2":["6.5.10"],"PCI DSS 4.0":["6.2.4"],"ASVS 4.0":["2.10.4","3.5.2","6.4.1"]},"defaultQualityProfiles":["Sonar way"],"quickfix":"unknown","allKeys":["S6418"],"prUrl":"https://github.com/SonarSource/rspec/pull/4427","branch":"rule/S6418-add-cfamily","languagesSupport":[{"name":"cfamily","status":"ready"},{"name":"java","status":"ready"},{"name":"python","status":"ready"}]}
+{"title":"Hard-coded secrets are security-sensitive","type":"SECURITY_HOTSPOT","code":{"impacts":{"SECURITY":"HIGH"},"attribute":"TRUSTWORTHY"},"status":"ready","remediation":{"func":"Constant/Issue","constantCost":"30min"},"tags":["cwe","cert"],"extra":{"replacementRules":[],"legacyKeys":[]},"defaultSeverity":"Blocker","ruleSpecification":"RSPEC-6418","sqKey":"S6418","scope":"Main","securityStandards":{"CERT":["MSC03-J."],"CWE":[798]},"defaultQualityProfiles":["Sonar way"],"quickfix":"unknown","allKeys":["S6418"],"prUrl":"https://github.com/SonarSource/rspec/pull/4427","branch":"rule/S6418-add-cfamily","languagesSupport":[{"name":"cfamily","status":"ready"},{"name":"java","status":"ready"},{"name":"python","status":"ready"}]}