Create rule S6752: Artifactory tokens should not be disclosed (#3023)

2023-09-20 07:31:15 +00:00 · 2023-09-20 07:31:15 +00:00 · 7fbb1cf2ac
commit 7fbb1cf2ac
parent f3df25cbfb
3 changed files with 111 additions and 0 deletions
--- a/rules/S6752/metadata.json
+++ b/rules/S6752/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6752/secrets/metadata.json
+++ b/rules/S6752/secrets/metadata.json
@ -0,0 +1,59 @@
+{
+    "title": "Artifactory tokens should not be disclosed",
+    "type": "VULNERABILITY",
+    "code": {
+      "impacts": {
+        "SECURITY": "HIGH"
+      },
+      "attribute": "TRUSTWORTHY"
+    },
+    "status": "ready",
+    "remediation": {
+      "func": "Constant\/Issue",
+      "constantCost": "30min"
+    },
+    "tags": [
+      "cwe",
+      "cert"
+    ],
+    "extra": {
+      "replacementRules": [
+  
+      ]
+    },
+    "defaultSeverity": "Blocker",
+    "ruleSpecification": "RSPEC-6752",
+    "sqKey": "S6752",
+    "scope": "All",
+    "securityStandards": {
+      "CWE": [
+        798,
+        259
+      ],
+      "OWASP": [
+        "A3"
+      ],
+      "CERT": [
+        "MSC03-J."
+      ],
+      "OWASP Top 10 2021": [
+        "A7"
+      ],
+      "PCI DSS 3.2": [
+        "6.5.10"
+      ],
+      "PCI DSS 4.0": [
+        "6.2.4"
+      ],
+      "ASVS 4.0": [
+        "2.10.4",
+        "3.5.2",
+        "6.4.1"
+      ]
+    },
+    "defaultQualityProfiles": [
+      "Sonar way"
+    ],
+    "quickfix": "unknown"
+  }
+  
--- a/rules/S6752/secrets/rule.adoc
+++ b/rules/S6752/secrets/rule.adoc
@ -0,0 +1,50 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+Attackers with access to an Artifactory API key will be able to use this API
+with all the permissions the corresponding user has been granted with.
+
+=== What is the potential impact?
+
+The consequences vary depending on the compromised account entitlement but can
+range from proprietary information leaks to severe supply chain attacks.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+In the case of Artifactory repositories, if they contain private code or
+software, attackers will be able to steal those. They could use this software
+for their own use, to look for further exploitable vulnerability, or disclose it
+publicly, with or without asking for a ransom.
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: AKCp8vLnDPZeVA29WylUNdaT54Pg2E9rx8gJWfbPCw2Wsb0UCAEmimIPFscGbJPYEUhXVBCRQ
+:example_name: artifactory_token
+:example_env: ARTIFACTORY_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks