Create rule S7199 (#4676)

* Create rule S7199

* Add initial draft

* Mark rule as beta

* Generalize the contents, add commented out include directives for all available commons

* Move variables on top of the file for easy editing, add descriptions to impacts, fix ordering of common fixes

* Add generic impact text from S6652

* Fix unwanted whitespace change

* Add missing mandatory newlines between comments and includes

---------

Co-authored-by: teemu-rytilahti-sonarsource <teemu-rytilahti-sonarsource@users.noreply.github.com>
Co-authored-by: Teemu Rytilahti <teemu.rytilahti@sonarsource.com>

rules/S7199/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S7199/secrets/metadata.json

@@ -0,0 +1,56 @@
+{
+  "title": "Ionic personal access token should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "BLOCKER"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "beta",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7199",
+  "sqKey": "S7199",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}

rules/S7199/secrets/rule.adoc

@@ -0,0 +1,123 @@
+:example_env: SECRET
+:example_name: SECRET
+:example_secret: ion_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1
+
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+// Commonly used values: access token, api key, application secret, application key or consumer key, service password, OAuth token, deployment password
+:secret_type: secret
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+include::../../../shared_content/secrets/impact/generic_impact.adoc[]
+
+// Uncomment the following line, if specifying detailed impacts from below:
+// include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[]
+
+// Secret may allow hosting arbitrary files
+// include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+// Secret may allow accessing or compromising sensitive data
+// include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+// Secret may allow uploading artifacts to services used elsewhere in the supply chain
+// This is specific for code and artifact repositories
+// include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+// Secret may be used to trigger workflows
+// This is webhook-specific
+// include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]
+
+// OAuth tokens may allow accessing 3rd party services
+// include::../../../shared_content/secrets/impact/oauth_token_compromise.adoc[]
+
+// Mailing service compromise may allow sending spam, which may result in account termination
+// include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[]
+
+// Sensitive information leak / identity impersonation, e.g., through leaked signing secret
+// include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
+
+// Audit trail discrepancies
+// include::../../../shared_content/secrets/impact/non_repudiation.adoc[]
+
+// Package repository secrets may allow access to source code etc.
+// include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+// Spamming automated calls may cause large bills and rate limited service access
+// include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[]
+
+// For blockchain specific tokens
+// include::../../../shared_content/secrets/impact/blockchain_data_exposure.adoc[]
+
+// Specific for banking / financial transaction tokens, causing financial loss
+// include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[]
+
+// Secret can be used to send spam or phish users
+// include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+// Secret may allow modifying application data (object stores etc.)
+// include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+// Specific to services that are used to share PII (personal infos, chat logs, ..)
+// include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+// Secret may allow accessing financial data, like CC information or confidential financial reports
+// include::../../../shared_content/secrets/impact/disclosure_of_financial_data.adoc[]
+
+// Secret may allow occurring financial losses through 3rd party API usage
+// include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+// Secret may be used to modify dashboards to corrupt shown data
+// Requires setting service_name variable
+// :service_name: secret service
+// include::../../../shared_content/secrets/impact/dataviz_takeover.adoc[]
+
+// Secret is related to IaaS providers and can be used to change DNS, launch VMs, etc.
+// Requires setting service_name variable
+// :service_name: secret service
+// include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
+
+== How to fix it
+
+// 1. Revoke leaked secrets
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+// 2. Analyze recent use to identify misuse
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+// 3. Use a secret vault in the future
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+// 4. Never hard-code secrets
+
+include::../../../shared_content/secrets/fix/default.adoc[]
+
+// OAuth PKCE is very specific to OAuth 2.0
+// include::../../../shared_content/secrets/fix/oauth_pkce.adoc[]
+
+=== Code examples
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks