CPP-5813 Split S2068 into password and secrets (new rule S6418)

rules/S2068/cfamily/metadata.json

@@ -1,4 +1,5 @@
 {
+  "title": "Hard-coded passwords are security-sensitive",
   "tags": [
     "cwe",
     "cert"

rules/S2068/cfamily/rule.adoc

@@ -1,15 +1,15 @@
-Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.
+Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.
 
 
 In the past, it has led to the following vulnerabilities:
 
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]
 
-Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets. 
+Passwords should be stored outside of the code in a configuration file, a database, or a management service for secrets. 
 
 
-This rule looks for hard-coded credentials in variable names that match any of the patterns from the provided list.
+This rule looks for hard-coded passwords in variable names that match any of the patterns from the provided list.
 
 include::../ask-yourself.adoc[]
 
@@ -36,7 +36,6 @@ dbi_conn_set_option(conn, "password", password.c_str()); // Compliant
 
 * OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
 * OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
-* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
 * CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
 * Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]
 

rules/S6418/cfamily/metadata.json

@@ -1,2 +1,15 @@
 {
-}
+    "tags": [
+      "cwe",
+      "cert"
+    ],
+    "securityStandards": {
+      "CERT": [
+        "MSC03-J."
+      ],
+      "CWE": [
+        798
+      ]
+    }
+  }
+

rules/S6418/cfamily/rule.adoc

@@ -1,44 +1,31 @@
-FIXME: add a description
+include::../description.adoc[]
 
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+include::../ask-yourself.adoc[]
 
-== Why is this an issue?
+include::../recommended.adoc[]
 
-FIXME: remove the unused optional headers (that are commented out)
+== Sensitive Code Example
 
-//=== What is the potential impact?
-
-== How to fix it
-//== How to fix it in FRAMEWORK NAME
-
-=== Code examples
-
-==== Noncompliant code example
-
-[source,cpp,diff-id=1,diff-type=noncompliant]
+[source,cpp]
 ----
-FIXME
+char const *mySecret = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";
 ----
 
-==== Compliant solution
 
-[source,cpp,diff-id=1,diff-type=compliant]
-----
-FIXME
-----
 
-//=== How does this work?
+include::../see.adoc[]
+
+* MSC - https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[MSC03-J - Never hard code sensitive information] 
+
 
-//=== Pitfalls
+ifdef::env-github,rspecator-view[]
+'''
+== Implementation Specification
+(visible only on this page)
 
-//=== Going the extra mile
+include::../message.adoc[]
 
+include::../parameters.adoc[]
 
-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
+'''
+endif::env-github,rspecator-view[]