rspec/rules/S6418/description.adoc

Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.


In the past, it has led to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25510[CVE-2022-25510]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42635[CVE-2021-42635]

Secrets should be stored outside of the source code in a configuration file or a management service for secrets. 


This rule detects {detections} having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value.
The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.
Revert "Create rule S6418 (#1821)" (#1995) This reverts commit c9577afe581cc8010cd8831b423374ace562cf62. 2023-06-01 14:05:46 +02:00			`Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.`
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00

Revert "Create rule S6418 (#1821)" (#1995) This reverts commit c9577afe581cc8010cd8831b423374ace562cf62. 2023-06-01 14:05:46 +02:00			`In the past, it has led to the following vulnerabilities:`

			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25510[CVE-2022-25510]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42635[CVE-2021-42635]`

			`Secrets should be stored outside of the source code in a configuration file or a management service for secrets.`


Create rule S6418 (#4470) * Add csharp to rule S6418 * initial commit * update wording to be about c# * revert greg's change * Update Default detections/sensitivity --------- Co-authored-by: alex-meseldzija-sonarsource <alex-meseldzija-sonarsource@users.noreply.github.com> Co-authored-by: Alex Meseldzija <alexander.meseldzija@sonarsource.com> Co-authored-by: Gregory Paidis <115458417+gregory-paidis-sonarsource@users.noreply.github.com> 2024-11-05 18:07:55 +00:00			`This rule detects {detections} having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value.`
Revert "Create rule S6418 (#1821)" (#1995) This reverts commit c9577afe581cc8010cd8831b423374ace562cf62. 2023-06-01 14:05:46 +02:00			`The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.`