rspec/rules/S6418/java/rule.adoc

include::../description.adoc[]

== Why is this an issue?

include::../why-is-it-an-issue.adoc[]

include::../how-does-it-work.adoc[]

== How to fix it
include::../recommended.adoc[]

=== Code examples

==== Noncompliant code example

[source,java]
----
private static final String MY_SECRET = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";

public static void main(String[] args) {
  MyClass.callMyService(MY_SECRET);
}
----

==== Compliant solution

Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager[AWS Secrets Manager]:

[source,java]
----
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;

public static void main(String[] args) {
  SecretsManagerClient secretsClient = ...
  MyClass.doSomething(secretsClient, "MY_SERVICE_SECRET");
}

public static void doSomething(SecretsManagerClient secretsClient, String secretName) {
  GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
    .secretId(secretName)
    .build();

  GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
  String secret = valueResponse.secretString();
  // do something with the secret
  MyClass.callMyService(secret);
}
----

Using https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli[Azure Key Vault Secret]:

[source,java]
----
import com.azure.identity.DefaultAzureCredentialBuilder;

import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public static void main(String[] args) throws InterruptedException, IllegalArgumentException {
  String keyVaultName = System.getenv("KEY_VAULT_NAME");
  String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";

  SecretClient secretClient = new SecretClientBuilder()
    .vaultUrl(keyVaultUri)
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();

  MyClass.doSomething(secretClient, "MY_SERVICE_SECRET");
}

public static void doSomething(SecretClient secretClient, String secretName) {
  KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
  String secret = retrievedSecret.getValue(),

  // do something with the secret
  MyClass.callMyService(secret);
}
----


=== How does this work?

include::../how-does-it-work.adoc[]

//=== Pitfalls

//=== Going the extra mile


== Resources
=== Documentation

include::../documentation.adoc[]

//=== Articles & blog posts
//=== Conference presentations
//=== Standards
//=== Benchmarks

ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../parameters.adoc[]
'''
endif::env-github,rspecator-view[]
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00			`include::../description.adoc[]`

Create rule S6418 (#1821) 2023-04-27 13:11:55 +02:00			`== Why is this an issue?`
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00
Create rule S6418 (#1821) 2023-04-27 13:11:55 +02:00			`include::../why-is-it-an-issue.adoc[]`

			`include::../how-does-it-work.adoc[]`

			`== How to fix it`
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00			`include::../recommended.adoc[]`

Create rule S6418 (#1821) 2023-04-27 13:11:55 +02:00			`=== Code examples`

			`==== Noncompliant code example`
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00
			`[source,java]`
			`----`
Add missing type in the "Sensitive Code Example" (#1041) 2022-06-10 09:16:12 +02:00			`private static final String MY_SECRET = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";`
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00
			`public static void main(String[] args) {`
			`MyClass.callMyService(MY_SECRET);`
			`}`
			`----`

Create rule S6418 (#1821) 2023-04-27 13:11:55 +02:00			`==== Compliant solution`
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00
			`Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager[AWS Secrets Manager]:`

			`[source,java]`
			`----`
			`import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;`
			`import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;`

			`public static void main(String[] args) {`
			`SecretsManagerClient secretsClient = ...`
			`MyClass.doSomething(secretsClient, "MY_SERVICE_SECRET");`
			`}`

			`public static void doSomething(SecretsManagerClient secretsClient, String secretName) {`
			`GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()`
			`.secretId(secretName)`
			`.build();`

			`GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);`
			`String secret = valueResponse.secretString();`
			`// do something with the secret`
			`MyClass.callMyService(secret);`
			`}`
			`----`

			`Using https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli[Azure Key Vault Secret]:`

			`[source,java]`
			`----`
			`import com.azure.identity.DefaultAzureCredentialBuilder;`

			`import com.azure.security.keyvault.secrets.SecretClient;`
			`import com.azure.security.keyvault.secrets.SecretClientBuilder;`
			`import com.azure.security.keyvault.secrets.models.KeyVaultSecret;`

			`public static void main(String[] args) throws InterruptedException, IllegalArgumentException {`
			`String keyVaultName = System.getenv("KEY_VAULT_NAME");`
			`String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";`

			`SecretClient secretClient = new SecretClientBuilder()`
			`.vaultUrl(keyVaultUri)`
			`.credential(new DefaultAzureCredentialBuilder().build())`
			`.buildClient();`

			`MyClass.doSomething(secretClient, "MY_SERVICE_SECRET");`
			`}`

			`public static void doSomething(SecretClient secretClient, String secretName) {`
			`KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);`
			`String secret = retrievedSecret.getValue(),`

			`// do something with the secret`
			`MyClass.callMyService(secret);`
			`}`
			`----`


Create rule S6418 (#1821) 2023-04-27 13:11:55 +02:00			`=== How does this work?`

			`include::../how-does-it-work.adoc[]`

			`//=== Pitfalls`

			`//=== Going the extra mile`


			`== Resources`
			`=== Documentation`

			`include::../documentation.adoc[]`
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00
Create rule S6418 (#1821) 2023-04-27 13:11:55 +02:00			`//=== Articles & blog posts`
			`//=== Conference presentations`
			`//=== Standards`
			`//=== Benchmarks`
Create rule S6418: Hard-coded secrets are security-sensitive (#911) 2022-04-13 10:10:31 +02:00
			`ifdef::env-github,rspecator-view[]`
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`
			`include::../message.adoc[]`
			`include::../parameters.adoc[]`
			`'''`
			`endif::env-github,rspecator-view[]`