From 84d9a3c065418990381b67fef56eec8ba5db5b6a Mon Sep 17 00:00:00 2001
From: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
Date: Thu, 14 Sep 2023 11:50:10 +0200
Subject: [PATCH] Modify S6338: Improve samples (#3072)

## Review
A dedicated reviewer checked the rule description successfully for:
- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
---
 rules/S6338/secrets/rule.adoc | 69 +++++++++++++++++++++++++++++++++--
 1 file changed, 65 insertions(+), 4 deletions(-)
diff --git a/rules/S6338/secrets/rule.adoc b/rules/S6338/secrets/rule.adoc
index 3345408477..03eae64fd1 100644
--- a/rules/S6338/secrets/rule.adoc
+++ b/rules/S6338/secrets/rule.adoc
@@ -32,11 +32,72 @@ include::../../../shared_content/secrets/fix/vault.adoc[]
 === Code examples
-:example_secret: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==
-:example_name: storage_key
-:example_env: STORAGE_KEY
+==== Noncompliant code example
-include::../../../shared_content/secrets/examples.adoc[]
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+using Azure.Storage.Blobs;
+using Azure.Storage;
+
+class Example
+ {
+ static void Main(string[] args)
+ {
+ string account = "accountname";
+ string accountKey = "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg=="; // Noncompliant
+ StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
+
+ BlobServiceClient blobServiceClient = new BlobServiceClient(
+ new Uri($"https://{account}.blob.core.windows.net"),
+ sharedKeyCredential);
+ }
+ }
+----
+
+==== Compliant solution
+
+Using environment variables:
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+using System;
+using Azure.Storage.Blobs;
+using Azure.Storage;
+
+class Example
+ {
+ static void Main(string[] args)
+ {
+ string account = Environment.GetEnvironmentVariable("ACCOUNT_NAME");
+ string accountKey = Environment.GetEnvironmentVariable("ACCOUNT_KEY");
+ StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
+
+ BlobServiceClient blobServiceClient = new BlobServiceClient(
+ new Uri($"https://{account}.blob.core.windows.net"),
+ sharedKeyCredential);
+ }
+ }
+----
+
+Using a passwordless approach, thanks to https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-dotnet?tabs=visual-studio%2Cmanaged-identity%2Croles-azure-portal%2Csign-in-azure-cli%2Cidentity-visual-studio#sign-in-and-connect-your-app-code-to-azure-using-defaultazurecredential[DefaultAzureCredential]:
+
+[source,csharp]
+----
+using System;
+using Azure.Storage.Blobs;
+using Azure.Identity;
+
+class Example
+ {
+ static void Main(string[] args)
+ {
+ string account = Environment.GetEnvironmentVariable("ACCOUNT_NAME");
+ var blobServiceClient = new BlobServiceClient(
+ new Uri($"https://{account}.blob.core.windows.net"),
+ new DefaultAzureCredential());
+ }
+ }
+----
 //=== How does this work?
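Review bot: The noncompliant sample in the first `[source,csharp,diff-id=1]` block constructs `new Uri(...)` but has no `using System;`, whereas the paired compliant block adds that directive, so the noncompliant snippet does not compile on its own and the rendered diff between the two highlights the added `using` rather than only the credential change; add `using System;` as the first line of the noncompliant block. In both compliant samples `Environment.GetEnvironmentVariable` returns null when the variable is unset, and that null flows straight into `StorageSharedKeyCredential` and the interpolated `Uri`, so a reader copying the sample would benefit from a fail-fast such as `?? throw new InvalidOperationException("ACCOUNT_KEY is not set")`. It may also be worth one sentence under "Using environment variables:" saying that the storage account key is still a long-lived shared secret that must be protected and rotated, and that the `DefaultAzureCredential` variant below is the preferred fix because no key is handled by the application at all.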