SONARTEXT-328 Improve generic secret template (#4714)

* Revise the secret rspec template

* Set status=beta for new secrets

* Revert back to old values for example_{secret,name,env} vars
teemu-rytilahti-sonarsource 2025-03-03 11:25:53 +01:00 committed by GitHub
parent 3077f8ce6e
commit d76bab68bd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 96 additions and 35 deletions

View File

@ -7,7 +7,7 @@
}, },
"attribute": "TRUSTWORTHY" "attribute": "TRUSTWORTHY"
}, },
"status": "ready", "status": "beta",
"remediation": { "remediation": {
"func": "Constant\/Issue", "func": "Constant\/Issue",
"constantCost": "30min" "constantCost": "30min"
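Review bot: flipping `status` from `ready` to `beta` in the template metadata means every rule generated from it now ships as beta, but nothing in this change records the criterion or the step for promoting a new secret rule to `ready`. Add a line to the contributor guidance (the JSON cannot carry a comment) stating when a rule is expected to leave beta, so the field is not left at `beta` indefinitely.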

View File

@ -1,3 +1,11 @@
:example_env: ENV_VAR_NAME
:example_name: java-property-name
:example_secret: example_secret_value
// Set value that can be used to refer to the type of secret in, for example:
// "An attacker can use this {secret_type} to ..."
// Commonly used values: access token, api key, application secret, application key or consumer key, service password, OAuth token, deployment password
:secret_type: secret
include::../../../shared_content/secrets/description.adoc[] include::../../../shared_content/secrets/description.adoc[]
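Review bot: `:example_env:`, `:example_name:` and `:example_secret:` on lines 1-3 are now the first thing a rule author sees, but unlike `:secret_type:` they carry no comment saying they are placeholders to be replaced with values realistic for the secret being described; they previously sat directly above the `examples.adoc` include, where their purpose was obvious. Add a comment above them in the same style as the `:secret_type:` one, e.g. `// Replace with values realistic for this secret; consumed by examples.adoc`. Defining them before `description.adoc` is included is the right place, since attributes must be set before any include that references them.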
@ -9,31 +17,92 @@ include::../../../shared_content/secrets/rationale.adoc[]
// Optional: Give a general description of the secret and what it's used for. // Optional: Give a general description of the secret and what it's used for.
Below are some real-world scenarios that illustrate some impacts of an attacker include::../../../shared_content/secrets/impact/generic_impact.adoc[]
exploiting the secret.
// Set value that can be used to refer to the type of secret in, for example: // Uncomment the following line, if specifying detailed impacts from below:
// "An attacker can use this {secret_type} to ..." // include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[]
:secret_type: secret
// Where possible, use predefined content for common impacts. This content can // Secret may allow hosting arbitrary files
// be found in the folder "shared_content/secrets/impact". // include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
// When using predefined content, search for any required variables to be set and include them in this file.
// Not adding them will not trigger warnings.
//include::../../../shared_content/secrets/impact/some_impact.adoc[] // Secret may allow accessing or compromising sensitive data
// include::../../../shared_content/secrets/impact/data_compromise.adoc[]
// Secret may allow uploading artifacts to services used elsewhere in the supply chain
// This is specific for code and artifact repositories
// include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
// Secret may be used to trigger workflows
// This is webhook-specific
// include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]
// OAuth tokens may allow accessing 3rd party services
// include::../../../shared_content/secrets/impact/oauth_token_compromise.adoc[]
// Mailing service compromise may allow sending spam, which may result in account termination
// include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[]
// Sensitive information leak / identity impersonation, e.g., through leaked signing secret
// include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
// Audit trail discrepancies
// include::../../../shared_content/secrets/impact/non_repudiation.adoc[]
// Package repository secrets may allow access to source code etc.
// include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
// Spamming automated calls may cause large bills and rate limited service access
// include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[]
// For blockchain specific tokens
// include::../../../shared_content/secrets/impact/blockchain_data_exposure.adoc[]
// Specific for banking / financial transaction tokens, causing financial loss
// include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[]
// Secret can be used to send spam or phish users
// include::../../../shared_content/secrets/impact/phishing.adoc[]
// Secret may allow modifying application data (object stores etc.)
// include::../../../shared_content/secrets/impact/data_modification.adoc[]
// Specific to services that are used to share PII (personal infos, chat logs, ..)
// include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
// Secret may allow accessing financial data, like CC information or confidential financial reports
// include::../../../shared_content/secrets/impact/disclosure_of_financial_data.adoc[]
// Secret may allow occurring financial losses through 3rd party API usage
// include::../../../shared_content/secrets/impact/financial_loss.adoc[]
// Secret may be used to modify dashboards to corrupt shown data
// Requires setting service_name variable
// :service_name: secret service
// include::../../../shared_content/secrets/impact/dataviz_takeover.adoc[]
// Secret is related to IaaS providers and can be used to change DNS, launch VMs, etc.
// Requires setting service_name variable
// :service_name: secret service
// include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
== How to fix it == How to fix it
// 1. Revoke leaked secrets
include::../../../shared_content/secrets/fix/revoke.adoc[] include::../../../shared_content/secrets/fix/revoke.adoc[]
// 2. Analyze recent use to identify misuse
include::../../../shared_content/secrets/fix/recent_use.adoc[]
// 3. Use a secret vault in the future
include::../../../shared_content/secrets/fix/vault.adoc[] include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples // 4. Never hard-code secrets
include::../../../shared_content/secrets/fix/default.adoc[]
:example_secret: example_secret_value // OAuth PKCE is very specific to OAuth 2.0
:example_name: java-property-name // include::../../../shared_content/secrets/fix/oauth_pkce.adoc[]
:example_env: ENV_VAR_NAME
=== Code examples
include::../../../shared_content/secrets/examples.adoc[] include::../../../shared_content/secrets/examples.adoc[]
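Review bot: the impact section now includes `generic_impact.adoc` unconditionally and then tells the author to uncomment `specific_impact_intro.adoc` when listing detailed impacts, but never says to drop the generic include in that case. A rule that follows the comments literally renders the generic "two main scenarios" block and then the specific list, and because `security_downgrade.adoc` is both part of the generic block (see the new `generic_impact.adoc`) and offered again as a specific impact, it can be included twice. Suggest `// Remove the generic_impact include above when using specific impacts` next to the `specific_impact_intro` line, or presenting the two as alternatives. Two smaller points: the removed guidance "search for any required variables to be set ... Not adding them will not trigger warnings" was the only general statement of that rule and is worth keeping rather than relying on the two per-include `Requires setting service_name variable` hints; and "Secret may allow occurring financial losses" should read "incurring financial losses".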

View File

@ -6,12 +6,7 @@ include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact? === What is the potential impact?
The consequences vary greatly depending on the situation and the secret-exposed include::../../../shared_content/secrets/impact/generic_impact.adoc[]
audience. Still, two main scenarios should be considered.
include::../../../shared_content/secrets/impact/financial_loss.adoc[]
include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
== How to fix it == How to fix it

View File

@ -10,12 +10,7 @@ GitHub tokens are used for authentication and authorization purposes when
interacting with the GitHub API. They serve as a way to identify and interacting with the GitHub API. They serve as a way to identify and
authenticate users or applications that are making requests to the GitHub API. authenticate users or applications that are making requests to the GitHub API.
The consequences vary greatly depending on the situation and the secret-exposed include::../../../shared_content/secrets/impact/generic_impact.adoc[]
audience. Still, two main scenarios should be considered.
include::../../../shared_content/secrets/impact/financial_loss.adoc[]
include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
== How to fix it == How to fix it
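Review bot: swapping the inline text for `generic_impact.adoc` keeps this rule's impact section at financial loss and security downgrade, which is a weak fit for GitHub tokens given the intro just above ("authenticate users or applications that are making requests to the GitHub API"). The revised template offers `source_code_compromise.adoc` (package/code repository secrets) and `supply_chain_attack.adoc` (code and artifact repositories) as specific impacts; consider using `specific_impact_intro.adoc` with those here instead of the generic block.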

View File

@ -9,12 +9,7 @@ include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact? === What is the potential impact?
The consequences vary greatly depending on the situation and the secret-exposed include::../../../shared_content/secrets/impact/generic_impact.adoc[]
audience. Still, two main scenarios should be considered.
include::../../../shared_content/secrets/impact/financial_loss.adoc[]
include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
== How to fix it == How to fix it

View File

@ -7,8 +7,7 @@ include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact? === What is the potential impact?
Below are some real-world scenarios that illustrate some impacts of an attacker include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[]
exploiting the secret.
include::../../../shared_content/secrets/impact/data_compromise.adoc[] include::../../../shared_content/secrets/impact/data_compromise.adoc[]

View File

@ -0,0 +1,7 @@
The consequences vary greatly depending on the situation and the secret-exposed
audience. Still, two main scenarios should be considered.
include::../../../shared_content/secrets/impact/financial_loss.adoc[]
include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
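Review bot: "two main scenarios should be considered" in this shared fragment hard-wires the sentence to exactly the two includes that follow, so any rule that appends a third impact after `generic_impact.adoc` ends up with prose that contradicts its own list. Either loosen the wording (e.g. "the following scenarios should be considered") or state in the template that this fragment is complete on its own and is not to be combined with the specific impact includes.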

View File

@ -0,0 +1 @@
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.
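Review bot: "some real-world scenarios that illustrate some impacts" doubles up on "some"; since this sentence will now appear in every rule that uses specific impacts, tighten it to "Below are some real-world scenarios that illustrate the impact of an attacker exploiting the secret."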