Modify rule S6648: Add language AzureResourceManager (Bicep) (#2277)

[Specification ticket](https://sonarsource.atlassian.net/browse/APPSEC-803) [Implementation ticket](https://sonarsource.atlassian.net/browse/SONARIAC-896) Main PR for ARM templates: https://github.com/SonarSource/rspec/pull/2250 ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com>
2023-08-02 15:17:24 +02:00 · 2023-08-02 15:17:24 +02:00 · 2336aba6a7
commit 2336aba6a7
parent da1a2a77e3
4 changed files with 59 additions and 35 deletions
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@ -105,3 +105,6 @@
 * CommonCrypto
 * CryptoSwift
 * IDZSwiftCommonCrypto
+// Azure resource manager
+* ARM templates
+* Bicep
--- a/rules/S6648/azureresourcemanager/how-to-fix-it/arm.adoc
+++ b/rules/S6648/azureresourcemanager/how-to-fix-it/arm.adoc
@ -0,0 +1,34 @@
+== How to fix it in ARM templates
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,json,diff-id=1,diff-type=noncompliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "secretValue": {
+      "type": "securestring",
+      "defaultValue": "S3CR3T"
+    }
+  }
+}
+----
+
+==== Compliant solution
+
+[source,json,diff-id=1,diff-type=compliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "secretValue": {
+      "type": "securestring"
+    }
+  }
+}
+----
--- a/rules/S6648/azureresourcemanager/how-to-fix-it/bicep.adoc
+++ b/rules/S6648/azureresourcemanager/how-to-fix-it/bicep.adoc
@ -0,0 +1,19 @@
+== How to fix it in Bicep
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,bicep,diff-id=1,diff-type=noncompliant]
+----
+@secure()
+param secureStringWithDefaultValue string = 'S3CR3T' // Noncompliant
+----
+
+==== Compliant solution
+
+[source,bicep,diff-id=1,diff-type=compliant]
+----
+@secure()
+param secureStringWithDefaultValue string
+----
--- a/rules/S6648/azureresourcemanager/rule.adoc
+++ b/rules/S6648/azureresourcemanager/rule.adoc
@ -10,41 +10,9 @@ Secure parameters can be assigned a default value which will be used if the para

 If the default value contains a secret, it will be disclosed to all accounts that have read access to the deployment history. 

-== How to fix it in ARM Templates
-
-=== Code examples
-
-==== Noncompliant code example
-
-[source,json,diff-id=1,diff-type=noncompliant]
----
-{
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-  "contentVersion": "1.0.0.0",
-  "parameters": {
-    "secretValue": {
-      "type": "securestring",
-      "defaultValue": "S3CR3T"
-    }
-  }
-}
----
-
-==== Compliant solution
-
-[source,json,diff-id=1,diff-type=compliant]
----
-{
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-  "contentVersion": "1.0.0.0",
-  "parameters": {
-    "secretValue": {
-      "type": "securestring"
-    }
-  }
-}
----
+include::how-to-fix-it/arm.adoc[]

+include::how-to-fix-it/bicep.adoc[]

 == Resources
 === Documentation
@ -70,4 +38,4 @@ ifdef::env-github,rspecator-view[]

 The default value 

-endif::env-github,rspecator-view[]
+endif::env-github,rspecator-view[]