Create rule S7147
pierre-loup-tristant-sonarsource committed Nov 8, 2024
1 parent 0a28d74 commit 9a6c24f
Showing 3 changed files with 102 additions and 0 deletions.
2 changes: 2 additions & 0 deletions rules/S7147/metadata.json
@@ -0,0 +1,2 @@
{
}
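Review bot: `rules/S7147/metadata.json` is added as an empty object (`{}`). That is valid JSON and, judging by this commit, intentional: the title, type, standards and other fields all live in `rules/S7147/secrets/metadata.json`. Please confirm against the other secrets rules in the repository that the top-level file is expected to stay empty rather than carry shared fields such as `title` or `type`, so the two files do not drift apart later.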
56 changes: 56 additions & 0 deletions rules/S7147/secrets/metadata.json
@@ -0,0 +1,56 @@
{
"title": "Atlassian secrets should not be disclosed",
"type": "VULNERABILITY",
"code": {
"impacts": {
"SECURITY": "HIGH"
},
"attribute": "TRUSTWORTHY"
},
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "30min"
},
"tags": [
"cwe",
"cert"
],
"defaultSeverity": "Blocker",
"ruleSpecification": "RSPEC-7147",
"sqKey": "S7147",
"scope": "All",
"securityStandards": {
"CWE": [
798,
259
],
"OWASP": [
"A3"
],
"CERT": [
"MSC03-J."
],
"OWASP Top 10 2021": [
"A7"
],
"PCI DSS 3.2": [
"6.5.10"
],
"PCI DSS 4.0": [
"6.2.4"
],
"ASVS 4.0": [
"2.10.4",
"3.5.2",
"6.4.1"
],
"STIG ASD_V5R3": [
"V-222642"
]
},
"defaultQualityProfiles": [
"Sonar way"
],
"quickfix": "unknown"
}
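Review bot: the `"OWASP": ["A3"]` entry carries no edition in its key, while the 2021 list is explicitly labelled `"OWASP Top 10 2021"`; please confirm that `A3` refers to the 2017 edition (Sensitive Data Exposure), which is the usual mapping for hard-coded credentials next to CWE-798 and CWE-259, or label the key the same way as the 2021 one so readers are not left guessing. The remaining fields (`"type": "VULNERABILITY"`, `"SECURITY": "HIGH"`, `"attribute": "TRUSTWORTHY"`, CERT MSC03-J, ASVS 2.10.4/3.5.2/6.4.1, `"defaultSeverity": "Blocker"`) read as consistent for a disclosed-secret rule.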
44 changes: 44 additions & 0 deletions rules/S7147/secrets/rule.adoc
@@ -0,0 +1,44 @@

include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

If attackers gain access to Atlassian API tokens or OAuth credentials, they will be able to interact with Atlassian product APIs on behalf of the compromised account. This includes products such as Jira, Confluence, or BitBucket.

=== What is the potential impact?

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.

include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]

include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]

include::../../../shared_content/secrets/impact/data_compromise.adoc[]

include::../../../shared_content/secrets/impact/data_modification.adoc[]

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

:example_secret: ATATT3xFfGF0fMvPEsrw8suA4pUbNn7Ke4ymCtbDUUia0OuNj4Dj_c_z-4YnGzP3_uToXP2HUU9DX3DZhkF1VoF14QyiXMZ1y7FIxVmzc-RStczBTs2640JgH4BjAdpfiSkgrF8Qv0XShGg9DlYekSbLqSLQ2db3qfTzqUoDLPgjZu-b49SE=D65AD736
:example_name: atlassian.api-token
:example_env: ATLASSIAN_API_TOKEN

include::../../../shared_content/secrets/examples.adoc[]

== Resources

=== Documentation

* Atlassian Support - https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html[Using personal access tokens]
* Atlassian Support - https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/[OAuth 2.0 (3LO) apps]

include::../../../shared_content/secrets/resources/standards.adoc[]
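Review bot: `BitBucket` in the sentence `This includes products such as Jira, Confluence, or BitBucket.` should be `Bitbucket`, Atlassian's own spelling. Also, the description names API tokens and OAuth credentials, and the example (`:example_name: atlassian.api-token`, secret beginning `ATATT3x`) matches the Atlassian Cloud API token format, but the first Documentation link points at the `confluence.atlassian.com` page `Using personal access tokens`, a credential type the rule text never mentions; consider adding a link to the Atlassian Cloud API token documentation, or mentioning personal access tokens in the description, so the resources match the credential types the rule detects. Minor: the file opens with an empty line before the first `include::`.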
