Modify rule S6338: Use common text (#2832)

rules/S6338/secrets/metadata.json

@@ -16,6 +16,11 @@
     "cwe",
     "cert"
   ],
+  "extra": {
+    "replacementRules": [
+
+    ]
+  },
   "defaultSeverity": "Blocker",
   "ruleSpecification": "RSPEC-6338",
   "sqKey": "S6338",

rules/S6338/secrets/rule.adoc

@@ -1,25 +1,55 @@
+include::../../../shared_content/secrets/description.adoc[]
+
 == Why is this an issue?
 
-Azure Storage Account Keys are similar to the root password, allowing full access to Azure Storage Accounts.
+include::../../../shared_content/secrets/rationale.adoc[]
 
-If the application interacts with Azure Cloud Storage services, access keys should be secured and not be disclosed.
+=== What is the potential impact?
 
+Azure Storage Account Keys are used to authenticate and authorize access to
+Azure Storage resources, such as blobs, queues, tables, and files. These keys
+are used to authenticate requests made against the storage account.
 
-== Recommended Secure Coding Practices
+If an Azure Storage Account Key is leaked to an unintended audience, it can pose
+a significant security risk to your Azure Storage account.
 
-Only administrators should have access to storage account keys. To authorize an application to access an Azure Storage, it's recommended to create a service principal and assign it the required privileges only. https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#authenticate-with-the-azure-identity-library[Azure Identity SDK] provides several options such as _DefaultAzureCredential_ that can be used to retrieve secrets from, for instance, environment variables.
+An attacker with access to your storage account key can potentially access and
+modify all the data stored in your storage account. They can also create new
+resources, delete existing ones, and perform other actions that can compromise
+the integrity and confidentiality of your data.
 
-Storage account keys should not be stored with the application code or saved anywhere in plain text accessible to others. Consider using an https://azure.microsoft.com/en-us/services/key-vault/[Azure Key Vault] to store and manage keys. 
+In addition, an attacker with access to your storage account key can also incur
+charges on your account by creating and using resources, which can result in
+unexpected billing charges.
 
-When credentials are disclosed in the application code, consider them as compromised and rotate them immediately.
+== How to fix it
 
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==
+:example_name: storage_key
+:example_env: STORAGE_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
 
 == Resources
 
-* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
-* https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal[docs.microsoft.com] - Manage storage account access keys
-* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
-* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials
-* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password
-* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
+include::../../../shared_content/secrets/resources/standards.adoc[]
 
+=== Documentation
+
+* Microsoft Documentation - https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal[Manage storage account access keys]
+
+//=== Benchmarks