Create rule S6686: Clarifai API keys should not be disclosed (#2819)

2023-08-09 14:26:46 +02:00 · 2023-08-09 14:26:46 +02:00 · 91b004957f
commit 91b004957f
parent ebeed4bb38
5 changed files with 126 additions and 1 deletions
--- a/rules/S6686/metadata.json
+++ b/rules/S6686/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6686/secrets/metadata.json
+++ b/rules/S6686/secrets/metadata.json
@ -0,0 +1,58 @@
+{
+  "title": "Clarifai API keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ]
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6686",
+  "sqKey": "S6686",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
--- a/rules/S6686/secrets/rule.adoc
+++ b/rules/S6686/secrets/rule.adoc
@ -0,0 +1,55 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If a Clarifai API key leaks to an unintended audience, it could potentially lead
+to unauthorized access to the Clarifai account and its associated data. This
+could result in the compromise of sensitive data or financial loss.
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+from clarifai_grpc.grpc.api.status import status_code_pb2
+
+metadata = (('authorization','Key d819f799b90bc8dbaffd83661782dbb7'),)
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+import os
+from clarifai_grpc.grpc.api.status import status_code_pb2
+
+metadata = (('authorization',os.environ["CLARIFAI_API_KEY"]),)
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
--- a/shared_content/secrets/fix/vault.adoc
+++ b/shared_content/secrets/fix/vault.adoc
@ -1,7 +1,7 @@
 **Use a secret vault**

 A secret vault should be used to generate and store the new secret. This
-will ensure the secret's security and any further unexpected disclosure.
+will ensure the secret's security and prevent any further unexpected disclosure.

 Depending on the development platform and the leaked secret type, multiple
 solutions are currently available.
--- a/shared_content/secrets/impact/data_compromise.adoc
+++ b/shared_content/secrets/impact/data_compromise.adoc
@ -0,0 +1,10 @@
+==== Compromise of sensitive data
+
+If the affected service is used to store or process personally identifiable
+information or other sensitive data, attackers knowing an authentication secret
+could be able to access it. Depending on the type of data that is compromised,
+it could lead to privacy violations, identity theft, financial loss, or other
+negative outcomes.
+
+In most cases, a company suffering a sensitive data compromise will face a
+reputational loss when the security issue is publicly disclosed.