diff --git a/rules/S6751/metadata.json b/rules/S6751/metadata.json
new file mode 100644
index 00000000000..9e26dfeeb6e
--- /dev/null
+++ b/rules/S6751/metadata.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/rules/S6751/secrets/metadata.json b/rules/S6751/secrets/metadata.json
new file mode 100644
index 00000000000..709a0dfc79b
--- /dev/null
+++ b/rules/S6751/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "PyPI tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "extra": {
+ "replacementRules": []
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6751",
+ "sqKey": "S6751",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
\ No newline at end of file
diff --git a/rules/S6751/secrets/rule.adoc b/rules/S6751/secrets/rule.adoc
new file mode 100644
index 00000000000..1559fc42c21
--- /dev/null
+++ b/rules/S6751/secrets/rule.adoc
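Review bot: Both new JSON files are committed without a final newline (`\ No newline at end of file` follows `+}` here and `+{}` in rules/S6751/metadata.json); adding the trailing newline keeps every later diff to these files from rewriting the closing brace and matches what `jq .` and `python -m json.tool` emit. The document is otherwise strict JSON: double-quoted keys, the `Constant\/Issue` escape is valid, and each key holds a single type. One hedged check: `"OWASP": ["A3"]` sits next to `"OWASP Top 10 2021": ["A7"]`; if the bare `OWASP` key denotes the 2017 list this is a plausible pairing, but it is worth confirming against the sibling secrets rules so the two standards are mapped the same way across the family.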
@@ -0,0 +1,63 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+The exact consequences of a PyPI API token compromise can vary depending on the scope of the affected token. Depending on this factor, the attacker might get access to the full account the token is bound to or only to a project belonging to that user.
+
+In any case, such a compromise can lead to source code leaks, data leaks and even serious supply chain attacks. In general, a reputational loss is also a common threat.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+For PyPI, `keyring` is a recommended solution to securely store secrets. Further explanation is given in the example below.
+
+=== Code examples
+
+==== Noncompliant code example
+
+PyPI API tokens can be used to authenticate with PyPI by setting the token as a password in `.pypirc`.
+
+[source,text]
+----
+[pypi]
+username = __token__
+password = pypi-YBf3ZAIKOMPwNZ1VaQ0RAtjww5lI1az1CMLEOWgDQN56EPADfzRmgsENVcmIUh2mSBwYlTtyNKGmVlLm2MZD2aJOTWmD2EO5PMyWjvUY3Ii2CjsidALCNCNmvX8N8gcijBliFN2ciBCLgQdi2YYfGjA1kz19z1UBKg
+----
+
+==== Compliant solution
+
+Instead, Python's https://pypi.org/project/keyring/[`keyring` package] can be used to securely authenticate with PyPI. Once `keyring` is installed using pip, it should be used for authentication automatically. It is also possible to configure it manually using the following:
+
+[source,bash]
+----
+pip config set --global global.keyring-provider subprocess
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+=== Going the extra mile
+
+include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
+
+== Resources
+
+=== Documentation
+
+* pip Documentation - https://pip.pypa.io/en/stable/topics/authentication/#authentication[Authentication]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
diff --git a/shared_content/secrets/fix/revoke.adoc b/shared_content/secrets/fix/revoke.adoc
index 7d947e88748..ccfa7954409 100644
--- a/shared_content/secrets/fix/revoke.adoc
+++ b/shared_content/secrets/fix/revoke.adoc
@@ -3,6 +3,6 @@ Revoke any leaked secrets and remove them from the application source code.
-Before revoking the secret, ensure that no other applications or processes is
+Before revoking the secret, ensure that no other applications or processes are
 using it. Other usages of the secret will also be impacted when the secret is revoked.
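Review bot: The compliant solution does not address the scenario the noncompliant example shows: `.pypirc` with `username = __token__` is the upload configuration read by twine, whereas `pip config set --global global.keyring-provider subprocess` only tells pip how to authenticate when installing from an index, so a reader who follows the fix still has the token sitting in `.pypirc`. Twine uses `keyring` automatically when it is installed, and the upload credential can be stored with `keyring set https://upload.pypi.org/legacy/ __token__`; showing that command, or naming twine in the sentence "Once `keyring` is installed using pip, it should be used for authentication automatically", would make the two halves of the example line up. The Resources section links only pip's authentication page, so a link to twine's keyring documentation belongs with the same change. The `pypi-…` literal in the noncompliant block has a realistic format; if it is synthetic, saying so in the sentence that introduces the block lets repository secret scanners be tuned to skip it rather than report it as a live finding.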