Create rule S6764: WakaTime (APPSEC-1069) (#3052)

You can preview this rule
[here](https://sonarsource.github.io/rspec/#/rspec/S6764/secrets)
(updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: sebastien-andrivet-sonarsource <sebastien-andrivet-sonarsource@users.noreply.github.com>
Co-authored-by: sebastien-andrivet-sonarsource <sebastien.andrivet@sonarsource.com>

rules/S6764/metadata.json

@@ -0,0 +1 @@
+{}

rules/S6764/secrets/metadata.json

@@ -0,0 +1,56 @@
+{
+  "title": "WakaTime tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": []
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6764",
+  "sqKey": "S6764",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}

rules/S6764/secrets/rule.adoc

@@ -0,0 +1,70 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If attackers gain access to your WakaTime OAuth token or secret, they can potentially use it to make unauthorized requests to the WakaTime API on your behalf.
+
+=== What is the potential impact?
+
+Attackers exploiting leaked WakaTime OAuth tokens or secrets can potentially access sensitive information, modify data, or perform actions on behalf of the user without their consent. The exact capabilities of the attackers will depend on the authorizations the corresponding application has been granted.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+from rauth import OAuth2Service
+
+service = OAuth2Service(
+    client_id='d130uKF73fueZSCM9tUodIFN',
+    client_secret='waka_sec_ez0kI3tQlYVvYSJOAjoI5n3PpyG69HQl91TZKFjSdb0X0XXgY7dahXiPpAhYL2kNxqDBzHuHNuzCPr5d', # Noncompliant
+    name='wakatime',
+    authorize_url='https://wakatime.com/oauth/authorize',
+    access_token_url='https://wakatime.com/oauth/token',
+    base_url='https://wakatime.com/api/v1/')
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+import os
+from rauth import OAuth2Service
+
+service = OAuth2Service(
+    client_id=os.environ['WAKA_CLIENT_ID'],
+    client_secret=os.environ['WAKA_CLIENT_SECRET'],
+    name='wakatime',
+    authorize_url='https://wakatime.com/oauth/authorize',
+    access_token_url='https://wakatime.com/oauth/token',
+    base_url='https://wakatime.com/api/v1/')
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+=== Documentation
+
+WakaTime API Documentation - https://wakatime.com/developers#authentication[WakaTime API Authenticationb]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]