diff --git a/rules/S3281/xml/metadata.json b/rules/S3281/xml/metadata.json
index 66a9c11255f..1816dbc61ab 100644
--- a/rules/S3281/xml/metadata.json
+++ b/rules/S3281/xml/metadata.json
@@ -3,8 +3,8 @@
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
- "SECURITY": "HIGH",
- "MAINTAINABILITY": "HIGH"
+ "SECURITY": "BLOCKER",
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "COMPLETE"
 },
diff --git a/rules/S6096/common/resources/articles.adoc b/rules/S6096/common/resources/articles.adoc
index f0800c027f3..936f0e0a3b9 100644
--- a/rules/S6096/common/resources/articles.adoc
+++ b/rules/S6096/common/resources/articles.adoc
@@ -1,3 +1,4 @@
 === Articles & blog posts
+* Sonar Blog - https://www.sonarsource.com/blog/the-hidden-flaws-of-archives-in-java/[The Hidden Flaws of Archives in Java]
 * Sonar Blog - https://www.sonarsource.com/blog/openrefine-zip-slip/[Unzipping Dangers: OpenRefine Zip Slip Vulnerability]
diff --git a/rules/S6937/jcl/metadata.json b/rules/S6937/jcl/metadata.json
index 84dd004352f..97e53fdb375 100644
--- a/rules/S6937/jcl/metadata.json
+++ b/rules/S6937/jcl/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-6937",
 "sqKey": "S6937",
 "scope": "All",
@@ -18,6 +18,6 @@
 "impacts": {
 "RELIABILITY": "HIGH"
 },
- "attribute": "CONVENTIONAL"
+ "attribute": "LOGICAL"
 }
 }
diff --git a/rules/S6937/jcl/rule.adoc b/rules/S6937/jcl/rule.adoc
index cca376f72e6..b55d3ed288e 100644
--- a/rules/S6937/jcl/rule.adoc
+++ b/rules/S6937/jcl/rule.adoc
@@ -1,8 +1,12 @@
-In-stream procedures should always have a name.
-
 == Why is this an issue?
-In JCL, it is expected for a PROC statement inside of a job stream to have a name.
+In JCL, some statements require to have a label or name defined, otherwise it will trigger a JCL error.
+The statements that require a name/label are:
+* CNTL
+* JOB
+* NOTIFY
+* OUTPUT
+* in-stream PROC
 == How to fix it
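Review bot: In the S6937 rule.adoc hunk, the new bullet list directly follows the sentence `The statements that require a name/label are:` with no blank line between them (the hunk's line counts leave no room for one), and AsciiDoc does not let a list interrupt a paragraph, so `* CNTL` … `* in-stream PROC` will most likely render as run-on text inside the paragraph rather than as a list — worth checking the rendered rule and inserting a blank line before `* CNTL`. The opening sentence is also awkward; `In JCL, some statements must have a label or name; omitting it causes a JCL error.` says the same thing more plainly. Since the rule now covers five statement types, each item could say whether it takes a label (CNTL, NOTIFY) or a name (JOB, OUTPUT, in-stream PROC), which would match the wording of the IBM references added in the next hunk.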
@@ -32,4 +36,8 @@ In JCL, it is expected for a PROC statement inside of a job stream to have a nam
 === Documentation
+* https://www.ibm.com/docs/en/zos/3.1.0?topic=description-label-field[IBM Reference - CNTL Label field]
+* https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-5[IBM Reference - JOB Name field]
+* https://www.ibm.com/docs/en/zos/3.1.0?topic=statement-label-field[IBM Reference - NOTIFY Label field]
+* https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-6[IBM Reference - OUTPUT Name field]
 * https://www.ibm.com/docs/en/zos/3.1.0?topic=d-name-field-8[IBM reference - PROC statement - Name field]
diff --git a/rules/S7139/metadata.json b/rules/S7139/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7139/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7139/secrets/metadata.json b/rules/S7139/secrets/metadata.json
new file mode 100644
index 00000000000..c6f3e8520f3
--- /dev/null
+++ b/rules/S7139/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "redirect.pizza API tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7139",
+ "sqKey": "S7139",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7139/secrets/rule.adoc b/rules/S7139/secrets/rule.adoc
new file mode 100644
index 00000000000..e837d3bf9f7
--- /dev/null
+++ b/rules/S7139/secrets/rule.adoc
@@ -0,0 +1,35 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API token
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: rpi_GjPphKMMHgwqkE8cwwJAhhYFn4h0zMuk4eYdcKdtuGotHCZZX1AS1eorPIO8tcTA
+:example_name: redirect-pizza-key
+:example_env: REDIRECT_PIZZA_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
diff --git a/rules/S7140/metadata.json b/rules/S7140/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7140/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7140/secrets/metadata.json b/rules/S7140/secrets/metadata.json
new file mode 100644
index 00000000000..9d653770434
--- /dev/null
+++ b/rules/S7140/secrets/metadata.json
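Review bot: The "How to fix it" section of the S7139 rule includes `revoke.adoc` and `vault.adoc` but not `recent_use.adoc`, whereas the sibling S7140 rule added in this same commit includes all three; if that shared fragment is the guidance to audit for unauthorized use of the leaked secret (its name suggests so), it applies just as much here, because a redirect.pizza token that has already been used to alter redirects leaves victims exposed until the redirect rules are reviewed. I would add `include::../../../shared_content/secrets/fix/recent_use.adoc[]` between the revoke and vault includes. The impact section also announces "some real-world scenarios" but includes only the phishing one; either include a second scenario or rephrase the lead-in to the singular.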
@@ -0,0 +1,56 @@
+{
+ "title": "SSLMate secrets should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7140",
+ "sqKey": "S7140",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7140/secrets/rule.adoc b/rules/S7140/secrets/rule.adoc
new file mode 100644
index 00000000000..82b0c815291
--- /dev/null
+++ b/rules/S7140/secrets/rule.adoc
@@ -0,0 +1,42 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to an SSLMate secret, they might be able to gain access to the SSL/TLS certificate of organisations.
+
+=== What is the potential impact?
+
+SSLMate provides APIs used by organizations to issue and monitor SSL/TLS certificates.
+These certificates guaranty the authenticity of the organization's servers, and the confidentiality of the data exchanged with them.
+Depending on the permission granted to the API key, an attacker could potentially create, revoke, or modify SSL/TLS certificates of the organization.
+
+Creating certificates would allow attackers to impersonate the organization's servers. This leads to Man-In-The-Middle attacks that would
+affect both the confidentiality and integrity of the communications from clients
+to that server.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+Also, revoke certificates that were issued since the leak. Doing so
+will ensure that all people and assets that rely on these certificates are aware of its compromise and stop trusting it.
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+
+=== Code examples
+
+:example_secret: k15341_bc5T6Zbfv5ozwrwb3qyn
+:example_name: sslmate.api_key
+:example_env: SSLMATE_API_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
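Review bot: The impact paragraph states that an attacker holding the key could create certificates for the organization, but CA issuance is still gated by domain control validation, so whether a leaked API key alone suffices depends on how the organization's validation is automated; I would qualify the sentence, e.g. `Depending on the permissions granted to the API key and on how domain validation is automated, an attacker could potentially create, revoke, or modify SSL/TLS certificates of the organization.` In the fix section, revoking certificates issued since the leak is right but weak on its own, since many clients never check revocation status; a sentence recommending a Certificate Transparency search for certificates issued for the organization's domains during the exposure window would tell the reader how attacker-obtained certificates are actually found. Minor wording in the same hunk: `guaranty` should be `guarantee`, `organisations` and `organizations` should be spelled consistently, and `aware of its compromise and stop trusting it` refers to plural certificates (`their compromise … trusting them`).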