Create rule S6777: Shippo tokens should not be disclosed (#3088)

You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6777/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: sebastien-andrivet-sonarsource <sebastien-andrivet-sonarsource@users.noreply.github.com> Co-authored-by: sebastien-andrivet-sonarsource <sebastien.andrivet@sonarsource.com>
2023-09-20 15:19:39 +02:00 · 2023-09-20 15:19:39 +02:00 · f4a5207fb8
commit f4a5207fb8
parent 732ed4108f
3 changed files with 143 additions and 0 deletions
--- a/rules/S6777/metadata.json
+++ b/rules/S6777/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6777/secrets/metadata.json
+++ b/rules/S6777/secrets/metadata.json
@ -0,0 +1,59 @@
+{
+    "title": "Shippo tokens should not be disclosed",
+    "type": "VULNERABILITY",
+    "code": {
+      "impacts": {
+        "SECURITY": "HIGH"
+      },
+      "attribute": "TRUSTWORTHY"
+    },
+    "status": "ready",
+    "remediation": {
+      "func": "Constant\/Issue",
+      "constantCost": "30min"
+    },
+    "tags": [
+      "cwe",
+      "cert"
+    ],
+    "extra": {
+      "replacementRules": [
+  
+      ]
+    },
+    "defaultSeverity": "Blocker",
+    "ruleSpecification": "RSPEC-6777",
+    "sqKey": "S6777",
+    "scope": "All",
+    "securityStandards": {
+      "CWE": [
+        798,
+        259
+      ],
+      "OWASP": [
+        "A3"
+      ],
+      "CERT": [
+        "MSC03-J."
+      ],
+      "OWASP Top 10 2021": [
+        "A7"
+      ],
+      "PCI DSS 3.2": [
+        "6.5.10"
+      ],
+      "PCI DSS 4.0": [
+        "6.2.4"
+      ],
+      "ASVS 4.0": [
+        "2.10.4",
+        "3.5.2",
+        "6.4.1"
+      ]
+    },
+    "defaultQualityProfiles": [
+      "Sonar way"
+    ],
+    "quickfix": "unknown"
+  }
+  
--- a/rules/S6777/secrets/rule.adoc
+++ b/rules/S6777/secrets/rule.adoc
@ -0,0 +1,82 @@
+Shippo is a multi-carrier shipping platform that helps businesses streamline their shipping processes. It provides a unified API and dashboard that allows businesses to connect with multiple shipping carriers. Shippo API tokens are used for authentication and authorization purposes when making API requests.
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If a Shippo API token is leaked, it can have several consequences:
+
+==== Financial Loss
+
+If the leaked API token is used to generate shipping labels or make shipping-related transactions, it can result in financial loss. Unauthorized individuals may exploit the token to generate fraudulent labels or make unauthorized shipments, leading to additional shipping costs or potential chargebacks.
+==== Data Breach
+
+If the leaked API token is associated with a user account that has access to sensitive customer or business data, it can result in a data breach. This can lead to the exposure of personal information, shipping addresses, payment details, or other confidential data, potentially causing harm to your customers and your business reputation.
+
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant]
+----
+Shippo.setApiKey('shippo_live_258d9b4c41a8cb88ca7fb4b12c65083f658435ac'); // Noncompliant
+
+HashMap<String, Object> addressMap = new HashMap<String, Object>();
+addressMap.put("name", "Mr. Hippo");
+addressMap.put("company", "Shippo");
+addressMap.put("street1", "215 Clayton St.");
+addressMap.put("city", "San Francisco");
+addressMap.put("state", "CA");
+addressMap.put("zip", "94117");
+addressMap.put("country", "US");
+addressMap.put("phone", "+1 555 341 9393");
+addressMap.put("email", "support@goshipppo.com");
+
+Address createAddress = Address.create(addressMap);
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant]
+----
+Shippo.setApiKey(System.getenv("SHIPPO_API_TOKEN"));
+
+HashMap<String, Object> addressMap = new HashMap<String, Object>();
+addressMap.put("name", "Mr. Hippo");
+addressMap.put("company", "Shippo");
+addressMap.put("street1", "215 Clayton St.");
+addressMap.put("city", "San Francisco");
+addressMap.put("state", "CA");
+addressMap.put("zip", "94117");
+addressMap.put("country", "US");
+addressMap.put("phone", "+1 555 341 9393");
+addressMap.put("email", "support@goshipppo.com");
+
+Address createAddress = Address.create(addressMap);
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks