SONARTEXT-328 Improve generic secret template (#4714)

* Revise the secret rspec template

* Set status=beta for new secrets

* Revert back to old values for example_{secret,name,env} vars

rspec-tools/rspec_template/single_language/secrets/metadata.json

@@ -7,7 +7,7 @@
     },
     "attribute": "TRUSTWORTHY"
   },
-  "status": "ready",
+  "status": "beta",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "30min"

rspec-tools/rspec_template/single_language/secrets/rule.adoc

@@ -1,3 +1,11 @@
+:example_env: ENV_VAR_NAME
+:example_name: java-property-name
+:example_secret: example_secret_value
+
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+// Commonly used values: access token, api key, application secret, application key or consumer key, service password, OAuth token, deployment password
+:secret_type: secret
 
 include::../../../shared_content/secrets/description.adoc[]
 
@@ -9,31 +17,92 @@ include::../../../shared_content/secrets/rationale.adoc[]
 
 // Optional: Give a general description of the secret and what it's used for.
 
-Below are some real-world scenarios that illustrate some impacts of an attacker
-exploiting the secret.
+include::../../../shared_content/secrets/impact/generic_impact.adoc[]
 
-// Set value that can be used to refer to the type of secret in, for example:
-// "An attacker can use this {secret_type} to ..."
-:secret_type: secret
+// Uncomment the following line, if specifying detailed impacts from below:
+// include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[]
 
-// Where possible, use predefined content for common impacts. This content can
-// be found in the folder "shared_content/secrets/impact".
-// When using predefined content, search for any required variables to be set and include them in this file.
-// Not adding them will not trigger warnings.
+// Secret may allow hosting arbitrary files
+// include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
 
-//include::../../../shared_content/secrets/impact/some_impact.adoc[]
+// Secret may allow accessing or compromising sensitive data
+// include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+// Secret may allow uploading artifacts to services used elsewhere in the supply chain
+// This is specific for code and artifact repositories
+// include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+// Secret may be used to trigger workflows
+// This is webhook-specific
+// include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]
+
+// OAuth tokens may allow accessing 3rd party services
+// include::../../../shared_content/secrets/impact/oauth_token_compromise.adoc[]
+
+// Mailing service compromise may allow sending spam, which may result in account termination
+// include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[]
+
+// Sensitive information leak / identity impersonation, e.g., through leaked signing secret
+// include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
+
+// Audit trail discrepancies
+// include::../../../shared_content/secrets/impact/non_repudiation.adoc[]
+
+// Package repository secrets may allow access to source code etc.
+// include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+// Spamming automated calls may cause large bills and rate limited service access
+// include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[]
+
+// For blockchain specific tokens
+// include::../../../shared_content/secrets/impact/blockchain_data_exposure.adoc[]
+
+// Specific for banking / financial transaction tokens, causing financial loss
+// include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[]
+
+// Secret can be used to send spam or phish users
+// include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+// Secret may allow modifying application data (object stores etc.)
+// include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+// Specific to services that are used to share PII (personal infos, chat logs, ..)
+// include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+// Secret may allow accessing financial data, like CC information or confidential financial reports
+// include::../../../shared_content/secrets/impact/disclosure_of_financial_data.adoc[]
+
+// Secret may allow occurring financial losses through 3rd party API usage
+// include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+// Secret may be used to modify dashboards to corrupt shown data
+// Requires setting service_name variable
+// :service_name: secret service
+// include::../../../shared_content/secrets/impact/dataviz_takeover.adoc[]
+
+// Secret is related to IaaS providers and can be used to change DNS, launch VMs, etc.
+// Requires setting service_name variable
+// :service_name: secret service
+// include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
 
 == How to fix it
 
+// 1. Revoke leaked secrets
 include::../../../shared_content/secrets/fix/revoke.adoc[]
 
+// 2. Analyze recent use to identify misuse
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+// 3. Use a secret vault in the future
 include::../../../shared_content/secrets/fix/vault.adoc[]
 
-=== Code examples
+// 4. Never hard-code secrets
+include::../../../shared_content/secrets/fix/default.adoc[]
 
-:example_secret: example_secret_value
-:example_name: java-property-name
-:example_env: ENV_VAR_NAME
+// OAuth PKCE is very specific to OAuth 2.0
+// include::../../../shared_content/secrets/fix/oauth_pkce.adoc[]
+
+=== Code examples
 
 include::../../../shared_content/secrets/examples.adoc[]
 

rules/S6652/secrets/rule.adoc

@@ -6,12 +6,7 @@ include::../../../shared_content/secrets/rationale.adoc[]
 
 === What is the potential impact?
 
-The consequences vary greatly depending on the situation and the secret-exposed
-audience. Still, two main scenarios should be considered.
-
-include::../../../shared_content/secrets/impact/financial_loss.adoc[]
-
-include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
+include::../../../shared_content/secrets/impact/generic_impact.adoc[]
 
 == How to fix it
 

rules/S6689/secrets/rule.adoc

@@ -10,12 +10,7 @@ GitHub tokens are used for authentication and authorization purposes when
 interacting with the GitHub API. They serve as a way to identify and
 authenticate users or applications that are making requests to the GitHub API.
 
-The consequences vary greatly depending on the situation and the secret-exposed
-audience. Still, two main scenarios should be considered.
-
-include::../../../shared_content/secrets/impact/financial_loss.adoc[]
-
-include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
+include::../../../shared_content/secrets/impact/generic_impact.adoc[]
 
 == How to fix it
 

rules/S6784/secrets/rule.adoc

@@ -9,12 +9,7 @@ include::../../../shared_content/secrets/rationale.adoc[]
 
 === What is the potential impact?
 
-The consequences vary greatly depending on the situation and the secret-exposed
-audience. Still, two main scenarios should be considered.
-
-include::../../../shared_content/secrets/impact/financial_loss.adoc[]
-
-include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
+include::../../../shared_content/secrets/impact/generic_impact.adoc[]
 
 == How to fix it
 

rules/S7169/secrets/rule.adoc

@@ -7,8 +7,7 @@ include::../../../shared_content/secrets/rationale.adoc[]
 
 === What is the potential impact?
 
-Below are some real-world scenarios that illustrate some impacts of an attacker
-exploiting the secret.
+include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[]
 
 include::../../../shared_content/secrets/impact/data_compromise.adoc[]
 

shared_content/secrets/impact/generic_impact.adoc

@@ -0,0 +1,7 @@
+The consequences vary greatly depending on the situation and the secret-exposed
+audience. Still, two main scenarios should be considered.
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
+

shared_content/secrets/impact/specific_impact_intro.adoc

@@ -0,0 +1 @@
+Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.