Create rule S7144: Bitbucket keys should not be disclosed (APPSEC-186…

…4) (#4476)
SonarSource · Nov 12, 2024 · c36fc7c · c36fc7c
1 parent 78497b8
commit c36fc7c
Show file tree

Hide file tree

Showing 3 changed files with 120 additions and 0 deletions.
diff --git a/rules/S7144/metadata.json b/rules/S7144/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7144/secrets/metadata.json b/rules/S7144/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "BitBucket OAuth credentials should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7144",
+  "sqKey": "S7144",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7144/secrets/rule.adoc b/rules/S7144/secrets/rule.adoc
@@ -0,0 +1,62 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If attackers gain access to a BitBucket OAuth credentials, they will be able to interact with BitBucket API on behalf of the compromised account.
+
+=== What is the potential impact?
+
+Bitbucket keys allow external services to access resources on a user’s behalf with the OAuth 2.0 protocol.
+They are used to authenticate applications, services, or APIs using BitBucket for login and access-control.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+props.set("bitbucket.oauth-key", "MP76PZGLQmw63rxZYJ") // Noncompliant
+props.set("bitbucket.oauth-secret", "ASgzPac3EPbXHbTSw6DyUagJZ8ThnUFG") // Noncompliant
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+props.set("bitbucket.oauth-key", System.getenv("BITBUCKET_OAUTH_KEY")
+props.set("bitbucket.oauth-secret", System.getenv("BITBUCKET_OAUTH_SECRET")
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+* Bitbucket Support - https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/[Use OAuth on Bitbucket Cloud]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks