From ec657c23c8fe524c21ae132bbe993e3245793b0f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 31 Aug 2023 13:34:15 +0200
Subject: [PATCH] APPSEC-1040: S6739(secrets) Detect Redis credentials (#2988)
You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6739/secrets) (updated a few minutes after each push).
## Review
A dedicated reviewer checked the rule description successfully for:
- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
---------
Co-authored-by: daniel-teuchert-sonarsource
Co-authored-by: Daniel Teuchert
---
 rules/S6739/metadata.json | 2 ++
 rules/S6739/secrets/metadata.json | 58 +++++++++++++++++++++++++++++++
 rules/S6739/secrets/rule.adoc | 41 ++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 rules/S6739/metadata.json
 create mode 100644 rules/S6739/secrets/metadata.json
 create mode 100644 rules/S6739/secrets/rule.adoc
diff --git a/rules/S6739/metadata.json b/rules/S6739/metadata.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/rules/S6739/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6739/secrets/metadata.json b/rules/S6739/secrets/metadata.json
new file mode 100644
index 0000000000..2c8f47d8c2
--- /dev/null
+++ b/rules/S6739/secrets/metadata.json
@@ -0,0 +1,58 @@
+{
+ "title": "Redis credentials should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "extra": {
+ "replacementRules": [
+
+ ]
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6739",
+ "sqKey": "S6739",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6739/secrets/rule.adoc b/rules/S6739/secrets/rule.adoc
new file mode 100644
index 0000000000..fd4d2e21e8
--- /dev/null
+++ b/rules/S6739/secrets/rule.adoc
@@ -0,0 +1,41 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the credentials.
+
+:secret_type: credentials
+
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: rediss://admin:password@example.com:8080/example
+:example_name: redis-url
+:example_env: REDIS_URL
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
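Review bot: The `replacementRules` array in the new rules/S6739/secrets/metadata.json is spread over three lines with an empty line inside it, and `"func": "Constant\/Issue"` escapes a forward slash that JSON does not require; both are valid but read as serializer artefacts rather than hand-written metadata. If these files are emitted by the rule-creation tooling and sibling rules look the same, keeping them is fine for consistency; otherwise I would write `"replacementRules": []` and `"func": "Constant/Issue"`. The parent rules/S6739/metadata.json hunk is an empty object, which I take to be the usual language-agnostic placeholder rather than an omission.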