Merge branch 'master' into rule/add-RSPEC-S7145

SonarSource · Nov 7, 2024 · 1327013 · 1327013
2 parents 62cd1f2 + b790268
commit 1327013
Show file tree

Hide file tree

Showing 10 changed files with 209 additions and 7 deletions.
diff --git a/rules/S3281/xml/metadata.json b/rules/S3281/xml/metadata.json
@@ -3,8 +3,8 @@
   "type": "VULNERABILITY",
   "code": {
     "impacts": {
-      "SECURITY": "HIGH",
-      "MAINTAINABILITY": "HIGH"
+      "SECURITY": "BLOCKER",
+      "MAINTAINABILITY": "BLOCKER"
     },
     "attribute": "COMPLETE"
   },

diff --git a/rules/S6096/common/resources/articles.adoc b/rules/S6096/common/resources/articles.adoc
@@ -1,3 +1,4 @@
 === Articles & blog posts
 
+* Sonar Blog - https://www.sonarsource.com/blog/the-hidden-flaws-of-archives-in-java/[The Hidden Flaws of Archives in Java]
 * Sonar Blog - https://www.sonarsource.com/blog/openrefine-zip-slip/[Unzipping Dangers: OpenRefine Zip Slip Vulnerability]
diff --git a/rules/S6937/jcl/metadata.json b/rules/S6937/jcl/metadata.json
@@ -8,7 +8,7 @@
   },
   "tags": [
   ],
-  "defaultSeverity": "Major",
+  "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-6937",
   "sqKey": "S6937",
   "scope": "All",
@@ -18,6 +18,6 @@
     "impacts": {
       "RELIABILITY": "HIGH"
     },
-    "attribute": "CONVENTIONAL"
+    "attribute": "LOGICAL"
   }
 }
diff --git a/rules/S6937/jcl/rule.adoc b/rules/S6937/jcl/rule.adoc
@@ -1,8 +1,12 @@
-In-stream procedures should always have a name.
-
 == Why is this an issue?
 
-In JCL, it is expected for a PROC statement inside of a job stream to have a name.
+In JCL, some statements require to have a label or name defined, otherwise it will trigger a JCL error.
+The statements that require a name/label are:
+* CNTL
+* JOB
+* NOTIFY
+* OUTPUT
+* in-stream PROC
 
 == How to fix it
 
@@ -32,4 +36,8 @@ In JCL, it is expected for a PROC statement inside of a job stream to have a nam
 
 === Documentation
 
+* https://www.ibm.com/docs/en/zos/3.1.0?topic=description-label-field[IBM Reference - CNTL Label field]
+* https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-5[IBM Reference - JOB Name field]
+* https://www.ibm.com/docs/en/zos/3.1.0?topic=statement-label-field[IBM Reference - NOTIFY Label field]
+* https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-6[IBM Reference - OUTPUT Name field]
 * https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-8[IBM reference - PROC statement - Name field]
diff --git a/rules/S7139/metadata.json b/rules/S7139/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7139/secrets/metadata.json b/rules/S7139/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "redirect.pizza API tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7139",
+  "sqKey": "S7139",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7139/secrets/rule.adoc b/rules/S7139/secrets/rule.adoc
@@ -0,0 +1,35 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API token
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: rpi_GjPphKMMHgwqkE8cwwJAhhYFn4h0zMuk4eYdcKdtuGotHCZZX1AS1eorPIO8tcTA
+:example_name: redirect-pizza-key
+:example_env: REDIRECT_PIZZA_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
diff --git a/rules/S7140/metadata.json b/rules/S7140/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7140/secrets/metadata.json b/rules/S7140/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "SSLMate secrets should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7140",
+  "sqKey": "S7140",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7140/secrets/rule.adoc b/rules/S7140/secrets/rule.adoc
@@ -0,0 +1,42 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to an SSLMate secret, they might be able to gain access to the SSL/TLS certificate of organisations.
+
+=== What is the potential impact?
+
+SSLMate provides APIs used by organizations to issue and monitor SSL/TLS certificates.
+These certificates guaranty the authenticity of the organization's servers, and the confidentiality of the data exchanged with them.
+Depending on the permission granted to the API key, an attacker could potentially create, revoke, or modify SSL/TLS certificates of the organization.
+
+Creating certificates would allow attackers to impersonate the organization's servers. This leads to Man-In-The-Middle attacks that would
+affect both the confidentiality and integrity of the communications from clients
+to that server.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+Also, revoke certificates that were issued since the leak. Doing so
+will ensure that all people and assets that rely on these certificates are aware of its compromise and stop trusting it.
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+
+=== Code examples
+
+:example_secret: k15341_bc5T6Zbfv5ozwrwb3qyn
+:example_name: sslmate.api_key
+:example_env: SSLMATE_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]