ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

APPSEC-1040: S6739(secrets) Detect Redis credentials (#2988)

Browse Source 
You can preview this rule
[here](https://sonarsource.github.io/rspec/#/rspec/S6739/secrets)
(updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com>
Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com>
This commit is contained in:
github-actions[bot] 2023-08-31 13:34:15 +02:00 committed by GitHub
parent 62c5e35e40
commit ec657c23c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 101 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/S6739/metadata.json Normal file
View File

@ -0,0 +1,2 @@
{
}

58
rules/S6739/secrets/metadata.json Normal file
View File

@ -0,0 +1,58 @@
{
"title": "Redis credentials should not be disclosed",
"type": "VULNERABILITY",
"code": {
"impacts": {
"SECURITY": "HIGH"
},
"attribute": "TRUSTWORTHY"
},
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "30min"
},
"tags": [
"cwe",
"cert"
],
"extra": {
"replacementRules": [
]
},
"defaultSeverity": "Blocker",
"ruleSpecification": "RSPEC-6739",
"sqKey": "S6739",
"scope": "All",
"securityStandards": {
"CWE": [
798,
259
],
"OWASP": [
"A3"
],
"CERT": [
"MSC03-J."
],
"OWASP Top 10 2021": [
"A7"
],
"PCI DSS 3.2": [
"6.5.10"
],
"PCI DSS 4.0": [
"6.2.4"
],
"ASVS 4.0": [
"2.10.4",
"3.5.2",
"6.4.1"
]
},
"defaultQualityProfiles": [
"Sonar way"
],
"quickfix": "unknown"
}

41
rules/S6739/secrets/rule.adoc Normal file
View File

@ -0,0 +1,41 @@
include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact?
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the credentials.
:secret_type: credentials
include::../../../shared_content/secrets/impact/data_compromise.adoc[]
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
:example_secret: rediss://admin:password@example.com:8080/example
:example_name: redis-url
:example_env: REDIS_URL
include::../../../shared_content/secrets/examples.adoc[]
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
include::../../../shared_content/secrets/resources/standards.adoc[]
//=== Benchmarks