ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modify S6698&S6703&S6697: Add a warning against default values (#3121)

Browse Source 
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
This commit is contained in:
Loris S 2023-09-22 12:48:47 +02:00 committed by GitHub
parent 44e2e766ed
commit cf35afd3dd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/S6697/secrets/rule.adoc
View File

@ -38,6 +38,8 @@ They can be used to audit malicious use of password-leak-affected accounts.
include::../../../shared_content/secrets/fix/vault.adoc[]
include::../../../shared_content/secrets/fix/default.adoc[]
=== Code examples
==== Noncompliant code example

4
rules/S6698/secrets/rule.adoc
View File

@ -39,6 +39,8 @@ for this to happen.
include::../../../shared_content/secrets/fix/vault.adoc[]
include::../../../shared_content/secrets/fix/default.adoc[]
=== Code examples
==== Noncompliant code example
@ -74,4 +76,4 @@ include::../../../shared_content/secrets/resources/standards.adoc[]
* PostgreSQL Documentation - https://www.postgresql.org/docs/15/client-authentication.html[Client Authentication]
* PostgreSQL Documentation - https://www.postgresql.org/docs/current/runtime-config-logging.html[Error Reporting and Logging]
//=== Benchmarks
//=== Benchmarks

4
rules/S6703/secrets/rule.adoc
View File

@ -33,6 +33,8 @@ include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
include::../../../shared_content/secrets/fix/default.adoc[]
=== Code examples
==== Noncompliant code example
@ -62,4 +64,4 @@ public static string ConnectionString = String.format(
include::../../../shared_content/secrets/resources/standards.adoc[]
//=== Benchmarks
//=== Benchmarks

16
shared_content/secrets/fix/default.adoc Normal file
View File

@ -0,0 +1,16 @@
**Never hard-code secrets, not even the default values**
It is important that you do not hard-code secrets, even default values.
First, hard-coded default secrets are often short and can be easily compromised
even by attackers who do not have access to the code base.
Second, hard-coded default secrets can cause problems if they need to be
changed or replaced.
And most importantly, there is always the possibility to accidentally set
default secrets for production services, which can lead to security
vulnerabilities and make production insecure by default.
To minimize these risks, it is recommended to apply the above strategies, even
for the default settings.