rspec/rules/S6437/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

[source,java]
----
import org.h2.security.SHA256;

String inputString = "s3cr37";
byte[] key         = inputString.getBytes();

SHA256.getHMAC(key, message);  // Noncompliant
----

== Compliant Solution

Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager[AWS Secrets Manager]:

[source,java]
----
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import org.h2.security.SHA256;

public static void doSomething(SecretsManagerClient secretsClient, String secretName) {
  GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
    .secretId(secretName)
    .build();

  GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
  String secret                        = valueResponse.secretString();

  byte[] key = secret.getBytes();
  SHA256.getHMAC(key, message);
}
----

Using https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli[Azure Key Vault Secret]:

[source,java]
----
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import org.h2.security.SHA256;

public static void doSomething(SecretClient secretClient, String secretName) {
  KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
  String secret = retrievedSecret.getValue();

  byte[] key = secret.getBytes();
  SHA256.getHMAC(key, message);
}
----


== See

* https://aws.amazon.com/fr/secrets-manager/[AWS] - Secret Manager
* https://azure.microsoft.com/fr-fr/services/key-vault/[Azure] - Key Vault
* https://cloud.google.com/secret-manager[GCP] - Secret Manager
* https://www.vaultproject.io/[Hashicorp Vault] - Secret Management
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials
* https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password
* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information


ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)

=== Message

Revoke and change this password, as it is compromised.

=== Highlighting

Highlight the credential use and its initialization.

'''
endif::env-github,rspecator-view[]
Create rule S6437: Credentials should not be hard-coded (#1080) 2022-09-12 11:29:36 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`[source,java]`
			`----`
			`import org.h2.security.SHA256;`

			`String inputString = "s3cr37";`
			`byte[] key = inputString.getBytes();`

			`SHA256.getHMAC(key, message); // Noncompliant`
			`----`

			`== Compliant Solution`

			`Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager[AWS Secrets Manager]:`

			`[source,java]`
			`----`
			`import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;`
			`import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;`
			`import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;`
			`import org.h2.security.SHA256;`

			`public static void doSomething(SecretsManagerClient secretsClient, String secretName) {`
			`GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()`
			`.secretId(secretName)`
			`.build();`

			`GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);`
			`String secret = valueResponse.secretString();`

			`byte[] key = secret.getBytes();`
			`SHA256.getHMAC(key, message);`
			`}`
			`----`

			`Using https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli[Azure Key Vault Secret]:`

			`[source,java]`
			`----`
			`import com.azure.identity.DefaultAzureCredentialBuilder;`
			`import com.azure.security.keyvault.secrets.SecretClient;`
			`import com.azure.security.keyvault.secrets.SecretClientBuilder;`
			`import com.azure.security.keyvault.secrets.models.KeyVaultSecret;`
			`import org.h2.security.SHA256;`

			`public static void doSomething(SecretClient secretClient, String secretName) {`
			`KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);`
			`String secret = retrievedSecret.getValue();`

			`byte[] key = secret.getBytes();`
			`SHA256.getHMAC(key, message);`
			`}`
			`----`


			`== See`

			`* https://aws.amazon.com/fr/secrets-manager/[AWS] - Secret Manager`
			`* https://azure.microsoft.com/fr-fr/services/key-vault/[Azure] - Key Vault`
			`* https://cloud.google.com/secret-manager[GCP] - Secret Manager`
			`* https://www.vaultproject.io/[Hashicorp Vault] - Secret Management`
			`* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures`
			`* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication`
			`* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials`
			`* https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password`
			`* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information`


			`ifdef::env-github,rspecator-view[]`
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`Revoke and change this password, as it is compromised.`

			`=== Highlighting`

			`Highlight the credential use and its initialization.`

			`'''`
			`endif::env-github,rspecator-view[]`