From 2336aba6a7d7f68b72f8d01769c26ca7a1c1d9a8 Mon Sep 17 00:00:00 2001 From: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Date: Wed, 2 Aug 2023 15:17:24 +0200 Subject: [PATCH] Modify rule S6648: Add language AzureResourceManager (Bicep) (#2277) [Specification ticket](https://sonarsource.atlassian.net/browse/APPSEC-803) [Implementation ticket](https://sonarsource.atlassian.net/browse/SONARIAC-896) Main PR for ARM templates: https://github.com/SonarSource/rspec/pull/2250 ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: pierre-loup-tristant-sonarsource Co-authored-by: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com>
---
 .../header_names/allowed_framework_names.adoc | 3 ++ .../how-to-fix-it/arm.adoc | 34 +++++++++++++++++ .../how-to-fix-it/bicep.adoc | 19 ++++++++++ rules/S6648/azureresourcemanager/rule.adoc | 38 ++----------------- 4 files changed, 59 insertions(+), 35 deletions(-) create mode 100644 rules/S6648/azureresourcemanager/how-to-fix-it/arm.adoc create mode 100644 rules/S6648/azureresourcemanager/how-to-fix-it/bicep.adoc
diff --git a/docs/header_names/allowed_framework_names.adoc b/docs/header_names/allowed_framework_names.adoc
index ca69c74b54..28fa91474b 100644
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@@ -105,3 +105,6 @@
 * CommonCrypto
 * CryptoSwift
 * IDZSwiftCommonCrypto
+// Azure resource manager
+* ARM templates
+* Bicep
diff --git a/rules/S6648/azureresourcemanager/how-to-fix-it/arm.adoc b/rules/S6648/azureresourcemanager/how-to-fix-it/arm.adoc
new file mode 100644
index 0000000000..d45c381469
--- /dev/null
+++ b/rules/S6648/azureresourcemanager/how-to-fix-it/arm.adoc
@@ -0,0 +1,34 @@
+== How to fix it in ARM templates
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,json,diff-id=1,diff-type=noncompliant]
+----
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"secretValue": {
+"type": "securestring",
+"defaultValue": "S3CR3T"
+}
+}
+}
+----
+
+==== Compliant solution
+
+[source,json,diff-id=1,diff-type=compliant]
+----
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"secretValue": {
+"type": "securestring"
+}
+}
+}
+----
\ No newline at end of file
diff --git a/rules/S6648/azureresourcemanager/how-to-fix-it/bicep.adoc b/rules/S6648/azureresourcemanager/how-to-fix-it/bicep.adoc
new file mode 100644
index 0000000000..17f90e6e29
--- /dev/null
+++ b/rules/S6648/azureresourcemanager/how-to-fix-it/bicep.adoc
@@ -0,0 +1,19 @@
+== How to fix it in Bicep
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,bicep,diff-id=1,diff-type=noncompliant]
+----
+@secure()
+param secureStringWithDefaultValue string = 'S3CR3T' // Noncompliant
+----
+
+==== Compliant solution
+
+[source,bicep,diff-id=1,diff-type=compliant]
+----
+@secure()
+param secureStringWithDefaultValue string
+----
\ No newline at end of file
diff --git a/rules/S6648/azureresourcemanager/rule.adoc b/rules/S6648/azureresourcemanager/rule.adoc
index 84246d5487..715f5e3788 100644
--- a/rules/S6648/azureresourcemanager/rule.adoc
+++ b/rules/S6648/azureresourcemanager/rule.adoc
@@ -10,41 +10,9 @@ Secure parameters can be assigned a default value which will be used if the para
 If the default value contains a secret, it will be disclosed to all accounts that have read access to the deployment history.
-== How to fix it in ARM Templates
-
-=== Code examples
-
-==== Noncompliant code example
-
-[source,json,diff-id=1,diff-type=noncompliant]
-----
-{
-"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-"contentVersion": "1.0.0.0",
-"parameters": {
-"secretValue": {
-"type": "securestring",
-"defaultValue": "S3CR3T"
-}
-}
-}
-----
-
-==== Compliant solution
-
-[source,json,diff-id=1,diff-type=compliant]
-----
-{
-"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-"contentVersion": "1.0.0.0",
-"parameters": {
-"secretValue": {
-"type": "securestring"
-}
-}
-}
-----
+include::how-to-fix-it/arm.adoc[]
+include::how-to-fix-it/bicep.adoc[]
 == Resources
 === Documentation
@@ -70,4 +38,4 @@ ifdef::env-github,rspecator-view[]
 The default value
-endif::env-github,rspecator-view[]
\ No newline at end of file
+endif::env-github,rspecator-view[]