From c90cd5596df836ee7e3ac8e1fecb48560217f015 Mon Sep 17 00:00:00 2001
From: hendrik-buchwald-sonarsource
Date: Tue, 9 Jul 2024 15:12:46 +0000
Subject: [PATCH 1/4] Create rule S7009
---
 rules/S7009/metadata.json | 2 ++
 rules/S7009/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7009/secrets/rule.adoc | 50 +++++++++++++++++++++++++++
 3 files changed, 108 insertions(+)
 create mode 100644 rules/S7009/metadata.json
 create mode 100644 rules/S7009/secrets/metadata.json
 create mode 100644 rules/S7009/secrets/rule.adoc
diff --git a/rules/S7009/metadata.json b/rules/S7009/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7009/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7009/secrets/metadata.json b/rules/S7009/secrets/metadata.json
new file mode 100644
index 00000000000..88b4b42c781
--- /dev/null
+++ b/rules/S7009/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "SECRET_TYPE should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7009",
+ "sqKey": "S7009",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7009/secrets/rule.adoc b/rules/S7009/secrets/rule.adoc
new file mode 100644
index 00000000000..28f3a64def8
--- /dev/null
+++ b/rules/S7009/secrets/rule.adoc
@@ -0,0 +1,50 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+:secret_type: secret
+
+// Where possible, use predefined content for common impacts. This content can
+// be found in the folder "shared_content/secrets/impact".
+// When using predefined content, search for any required variables to be set and include them in this file.
+// Not adding them will not trigger warnings.
+
+//include::../../../shared_content/secrets/impact/some_impact.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: example_secret_value
+:example_name: java-property-name
+:example_env: ENV_VAR_NAME
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
From 3560c0fa9aa4db2cdaa7c9e11fec4ef8cbadf13e Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald
Date: Wed, 10 Jul 2024 14:05:51 +0200
Subject: [PATCH 2/4] Update RSPEC
---
 rules/S7009/secrets/metadata.json | 2 +-
 rules/S7009/secrets/rule.adoc | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/rules/S7009/secrets/metadata.json b/rules/S7009/secrets/metadata.json
index 88b4b42c781..ef644a38636 100644
--- a/rules/S7009/secrets/metadata.json
+++ b/rules/S7009/secrets/metadata.json
@@ -1,5 +1,5 @@
 {
- "title": "SECRET_TYPE should not be disclosed",
+ "title": "Scaleway secret keys should not be disclosed",
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
diff --git a/rules/S7009/secrets/rule.adoc b/rules/S7009/secrets/rule.adoc
index 28f3a64def8..1ac080c67fd 100644
--- a/rules/S7009/secrets/rule.adoc
+++ b/rules/S7009/secrets/rule.adoc
@@ -14,14 +14,20 @@ exploiting the secret.
 
 // Set value that can be used to refer to the type of secret in, for example:
 // "An attacker can use this {secret_type} to ..."
-:secret_type: secret
+:secret_type: secret key
+
+:service_name: Scaleway
 
 // Where possible, use predefined content for common impacts. This content can
 // be found in the folder "shared_content/secrets/impact".
 // When using predefined content, search for any required variables to be set and include them in this file.
 // Not adding them will not trigger warnings.
 
-//include::../../../shared_content/secrets/impact/some_impact.adoc[]
+include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
 
 == How to fix it
 
@@ -31,9 +37,9 @@ include::../../../shared_content/secrets/fix/vault.adoc[]
 
 === Code examples
 
-:example_secret: example_secret_value
-:example_name: java-property-name
-:example_env: ENV_VAR_NAME
+:example_secret: 2404784b-b2ff-436d-a59b-11922d6034cb
+:example_name: scaleway-key
+:example_env: SCALEWAY_KEY
 
 include::../../../shared_content/secrets/examples.adoc[]
 
From 0f0f56cfa9b2b6ccf9d349fe557af98cdfae2ca4 Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald
Date: Thu, 11 Jul 2024 11:43:49 +0200
Subject: [PATCH 3/4] Update code sample
---
 rules/S7009/secrets/rule.adoc | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/rules/S7009/secrets/rule.adoc b/rules/S7009/secrets/rule.adoc
index 1ac080c67fd..c42a3a12bc1 100644
--- a/rules/S7009/secrets/rule.adoc
+++ b/rules/S7009/secrets/rule.adoc
@@ -41,7 +41,21 @@ include::../../../shared_content/secrets/fix/vault.adoc[]
 :example_name: scaleway-key
 :example_env: SCALEWAY_KEY
 
-include::../../../shared_content/secrets/examples.adoc[]
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+props.set("scaleway-id", "SCWYGX3NJWHM615C0YHI");
+props.set("scaleway-key", "2404784b-b2ff-436d-a59b-11922d6034cb"); // Noncompliant
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+props.set("scaleway-id", System.getenv("SCALEWAY_ID"));
+props.set("scaleway-key", System.getenv("SCALEWAY_KEY"));
+----
 
 //=== How does this work?
 
From 23a1c117b64abef0e9cf7a2fad4d0a00f19b897a Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
Date: Fri, 12 Jul 2024 15:23:35 +0200
Subject: [PATCH 4/4] Update rules/S7009/secrets/rule.adoc
Co-authored-by: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com>
---
 rules/S7009/secrets/rule.adoc | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/rules/S7009/secrets/rule.adoc b/rules/S7009/secrets/rule.adoc
index c42a3a12bc1..c1bcf444bc5 100644
--- a/rules/S7009/secrets/rule.adoc
+++ b/rules/S7009/secrets/rule.adoc
@@ -37,10 +37,6 @@ include::../../../shared_content/secrets/fix/vault.adoc[]
 
 === Code examples
 
-:example_secret: 2404784b-b2ff-436d-a59b-11922d6034cb
-:example_name: scaleway-key
-:example_env: SCALEWAY_KEY
-
 ==== Noncompliant code example
 
 [source,java,diff-id=1,diff-type=noncompliant,subs="attributes"]