Create rule S6336: Alibaba Cloud AccessKeys should not be disclosed (#224)

2021-09-08 11:31:19 +02:00 · 2021-09-08 11:31:19 +02:00 · fd0ff1ab0f
commit fd0ff1ab0f
parent 2fa87a7098
6 changed files with 74 additions and 0 deletions
--- a/rules/S6336/description.adoc
+++ b/rules/S6336/description.adoc
@ -0,0 +1,8 @@
+AccessKeys are long term credentials designed to authenticate and authorize requests to Alibaba Cloud.
+
+If your application interacts with Alibaba Cloud then it requires AccessKeys to access all the resources it needs to function properly. Resources that can be accessed depend on the permissions granted to the Alibaba Cloud account. These credentials may authenticate to the account root user who has unrestricted access to all resources in your Alibaba Cloud account, including billing information.
+
+This rule flags instances of:
+
+* Alibaba Cloud AccessKey ID
+* Alibaba Cloud AccessKey secret
--- a/rules/S6336/metadata.json
+++ b/rules/S6336/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6336/recommended.adoc
+++ b/rules/S6336/recommended.adoc
@ -0,0 +1,11 @@
+== Recommended Secure Coding Practices
+
+Only administrators should have access to the AccessKeys used by your application.
+
+As a consequence, AccessKeys should not be stored along with the application code as they would grant special privilege to anyone who has access to the application source code.
+
+AccessKeys should be stored outside of the code in a file that is never committed to your application code repository.
+
+If possible, a better alternative is to use your cloud provider's service for managing secrets. On AlibabaCloud this service is called https://www.alibabacloud.com/help/doc-detail/152001.htm[Secrets Manager].
+
+When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.
--- a/rules/S6336/secrets/metadata.json
+++ b/rules/S6336/secrets/metadata.json
@ -0,0 +1,41 @@
+{
+  "title": "Alibaba Cloud AccessKeys should not be disclosed",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "sans-top25-porous",
+    "owasp-a3"
+  ],
+  "extra": {
+    "coveredLanguages": [
+      
+    ],
+    "replacementRules": [
+      
+    ]
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6336",
+  "sqKey": "S6336",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ]
+}
--- a/rules/S6336/secrets/rule.adoc
+++ b/rules/S6336/secrets/rule.adoc
@ -0,0 +1,5 @@
+include::../description.adoc[]
+
+include::../recommended.adoc[]
+
+include::../see.adoc[]
--- a/rules/S6336/see.adoc
+++ b/rules/S6336/see.adoc
@ -0,0 +1,7 @@
+== See
+
+* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials
+* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password
+* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
+* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses