diff --git a/rules/S6686/metadata.json b/rules/S6686/metadata.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/rules/S6686/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6686/secrets/metadata.json b/rules/S6686/secrets/metadata.json
new file mode 100644
index 0000000000..87c877ee0e
--- /dev/null
+++ b/rules/S6686/secrets/metadata.json
@@ -0,0 +1,58 @@
+{
+ "title": "Clarifai API keys should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "extra": {
+ "replacementRules": [
+
+ ]
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6686",
+ "sqKey": "S6686",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6686/secrets/rule.adoc b/rules/S6686/secrets/rule.adoc
new file mode 100644
index 0000000000..5d652a3fdb
--- /dev/null
+++ b/rules/S6686/secrets/rule.adoc
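Review bot: In the rules/S6686/secrets/metadata.json hunk, `"replacementRules": [` is followed by a blank line before `]`, and `"func": "Constant\/Issue"` escapes a forward slash that JSON never requires escaping; both are valid but read as serializer artifacts and will churn on the next reformat. Writing `"replacementRules": []` and `"func": "Constant/Issue"` keeps the file stable under any JSON pretty-printer. If the repository's other metadata.json files are generated in this exact shape, matching them is the better choice and this point can be set aside.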
@@ -0,0 +1,55 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If a Clarifai API key leaks to an unintended audience, it could potentially lead
+to unauthorized access to the Clarifai account and its associated data. This
+could result in the compromise of sensitive data or financial loss.
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+from clarifai_grpc.grpc.api.status import status_code_pb2
+
+metadata = (('authorization','Key d819f799b90bc8dbaffd83661782dbb7'),)
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+import os
+from clarifai_grpc.grpc.api.status import status_code_pb2
+
+metadata = (('authorization',os.environ["CLARIFAI_API_KEY"]),)
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
diff --git a/shared_content/secrets/fix/vault.adoc b/shared_content/secrets/fix/vault.adoc
index b9f932e179..c2f7f567c5 100644
--- a/shared_content/secrets/fix/vault.adoc
+++ b/shared_content/secrets/fix/vault.adoc
@@ -1,7 +1,7 @@
 **Use a secret vault** A secret vault should be used to generate and store the new secret. This
-will ensure the secret's security and any further unexpected disclosure.
+will ensure the secret's security and prevent any further unexpected disclosure.
 Depending on the development platform and the leaked secret type, multiple solutions are currently available.
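Review bot: The compliant example in the rule.adoc hunk drops the `Key ` prefix that the noncompliant example passes in the authorization metadata, so the two snippets are not equivalent unless the environment variable is expected to contain the prefix itself; a reader copying the fix would send a bare key value. If the prefix is part of the wire format, write `metadata = (('authorization', 'Key ' + os.environ["CLARIFAI_API_KEY"]),)` and say so in one sentence above the snippet. Both snippets also import `status_code_pb2` without using it, which distracts from the single line the rule is about; dropping that import keeps the example minimal. The literal in the noncompliant snippet is presumably a placeholder, and marking it as such with a comment would keep the rule's own documentation from being mistaken for a live credential.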
diff --git a/shared_content/secrets/impact/data_compromise.adoc b/shared_content/secrets/impact/data_compromise.adoc
new file mode 100644
index 0000000000..87b27fa87f
--- /dev/null
+++ b/shared_content/secrets/impact/data_compromise.adoc
@@ -0,0 +1,10 @@
+==== Compromise of sensitive data
+
+If the affected service is used to store or process personally identifiable
+information or other sensitive data, attackers knowing an authentication secret
+could be able to access it. Depending on the type of data that is compromised,
+it could lead to privacy violations, identity theft, financial loss, or other
+negative outcomes.
+
+In most cases, a company suffering a sensitive data compromise will face a
+reputational loss when the security issue is publicly disclosed.