Create rule S6752: Artifactory tokens should not be disclosed (#3023)
This commit is contained in:
github-actions[bot]
GitHub
parent
f3df25cbfb
commit
7fbb1cf2ac
2
rules/S6752/metadata.json
Normal file
2
rules/S6752/metadata.json
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
{
|
||||||
|
}
|
||||||
59
rules/S6752/secrets/metadata.json
Normal file
59
rules/S6752/secrets/metadata.json
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
{
|
||||||
|
"title": "Artifactory tokens should not be disclosed",
|
||||||
|
"type": "VULNERABILITY",
|
||||||
|
"code": {
|
||||||
|
"impacts": {
|
||||||
|
"SECURITY": "HIGH"
|
||||||
|
},
|
||||||
|
"attribute": "TRUSTWORTHY"
|
||||||
|
},
|
||||||
|
"status": "ready",
|
||||||
|
"remediation": {
|
||||||
|
"func": "Constant\/Issue",
|
||||||
|
"constantCost": "30min"
|
||||||
|
},
|
||||||
|
"tags": [
|
||||||
|
"cwe",
|
||||||
|
"cert"
|
||||||
|
],
|
||||||
|
"extra": {
|
||||||
|
"replacementRules": [
|
||||||
|
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"defaultSeverity": "Blocker",
|
||||||
|
"ruleSpecification": "RSPEC-6752",
|
||||||
|
"sqKey": "S6752",
|
||||||
|
"scope": "All",
|
||||||
|
"securityStandards": {
|
||||||
|
"CWE": [
|
||||||
|
798,
|
||||||
|
259
|
||||||
|
],
|
||||||
|
"OWASP": [
|
||||||
|
"A3"
|
||||||
|
],
|
||||||
|
"CERT": [
|
||||||
|
"MSC03-J."
|
||||||
|
],
|
||||||
|
"OWASP Top 10 2021": [
|
||||||
|
"A7"
|
||||||
|
],
|
||||||
|
"PCI DSS 3.2": [
|
||||||
|
"6.5.10"
|
||||||
|
],
|
||||||
|
"PCI DSS 4.0": [
|
||||||
|
"6.2.4"
|
||||||
|
],
|
||||||
|
"ASVS 4.0": [
|
||||||
|
"2.10.4",
|
||||||
|
"3.5.2",
|
||||||
|
"6.4.1"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"defaultQualityProfiles": [
|
||||||
|
"Sonar way"
|
||||||
|
],
|
||||||
|
"quickfix": "unknown"
|
||||||
|
}
|
||||||
|
|
||||||
50
rules/S6752/secrets/rule.adoc
Normal file
50
rules/S6752/secrets/rule.adoc
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
include::../../../shared_content/secrets/description.adoc[]
|
||||||
|
|
||||||
|
== Why is this an issue?
|
||||||
|
|
||||||
|
include::../../../shared_content/secrets/rationale.adoc[]
|
||||||
|
|
||||||
|
Attackers with access to an Artifactory API key will be able to use this API
|
||||||
|
with all the permissions the corresponding user has been granted with.
|
||||||
|
|
||||||
|
=== What is the potential impact?
|
||||||
|
|
||||||
|
The consequences vary depending on the compromised account entitlement but can
|
||||||
|
range from proprietary information leaks to severe supply chain attacks.
|
||||||
|
|
||||||
|
include::../../../shared_content/secrets/impact/data_compromise.adoc[]
|
||||||
|
|
||||||
|
In the case of Artifactory repositories, if they contain private code or
|
||||||
|
software, attackers will be able to steal those. They could use this software
|
||||||
|
for their own use, to look for further exploitable vulnerability, or disclose it
|
||||||
|
publicly, with or without asking for a ransom.
|
||||||
|
|
||||||
|
include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
|
||||||
|
|
||||||
|
== How to fix it
|
||||||
|
|
||||||
|
include::../../../shared_content/secrets/fix/revoke.adoc[]
|
||||||
|
|
||||||
|
include::../../../shared_content/secrets/fix/recent_use.adoc[]
|
||||||
|
|
||||||
|
include::../../../shared_content/secrets/fix/vault.adoc[]
|
||||||
|
|
||||||
|
=== Code examples
|
||||||
|
|
||||||
|
:example_secret: AKCp8vLnDPZeVA29WylUNdaT54Pg2E9rx8gJWfbPCw2Wsb0UCAEmimIPFscGbJPYEUhXVBCRQ
|
||||||
|
:example_name: artifactory_token
|
||||||
|
:example_env: ARTIFACTORY_TOKEN
|
||||||
|
|
||||||
|
include::../../../shared_content/secrets/examples.adoc[]
|
||||||
|
|
||||||
|
//=== How does this work?
|
||||||
|
|
||||||
|
//=== Pitfalls
|
||||||
|
|
||||||
|
//=== Going the extra mile
|
||||||
|
|
||||||
|
== Resources
|
||||||
|
|
||||||
|
include::../../../shared_content/secrets/resources/standards.adoc[]
|
||||||
|
|
||||||
|
//=== Benchmarks
|
||||||
Loading…
x
Reference in New Issue
Block a user