SonarSource · pierre-loup-tristant-sonarsource · Nov 13, 2024 · Nov 8, 2024 · Nov 12, 2024 · Nov 13, 2024
diff --git a/rules/S7147/metadata.json b/rules/S7147/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7147/secrets/metadata.json b/rules/S7147/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "Atlassian secrets should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7147",
+  "sqKey": "S7147",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7147/secrets/rule.adoc b/rules/S7147/secrets/rule.adoc
@@ -0,0 +1,44 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If attackers gain access to Atlassian API tokens or OAuth credentials, they will be able to interact with Atlassian product APIs on behalf of the compromised account. This includes products such as Jira, Confluence, or BitBucket.
+
+=== What is the potential impact?
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: ATATT3xFfGF0fMvPEsrw8suA4pUbNn7Ke4ymCtbDUUia0OuNj4Dj_c_z-4YnGzP3_uToXP2HUU9DX3DZhkF1VoF14QyiXMZ1y7FIxVmzc-RStczBTs2640JgH4BjAdpfiSkgrF8Qv0XShGg9DlYekSbLqSLQ2db3qfTzqUoDLPgjZu-b49SE=D65AD736
+:example_name: atlassian.api-token
+:example_env: ATLASSIAN_API_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+=== Documentation
+
+* Atlassian Support - https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html[Using personal access tokens]
+* Atlassian Support - https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/[OAuth 2.0 (3LO) apps]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]