DART-245 Modify rule S7088: Make it a vulnerability

rules/S7088/dart/metadata.json

@@ -1,18 +1,54 @@
 {
   "title": "Pubspec urls should be secure",
-  "type": "CODE_SMELL",
+  "type": "VULNERABILITY",
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "2min"
   },
   "tags": [
+    "cwe"
   ],
   "defaultSeverity": "Critical",
   "ruleSpecification": "RSPEC-7088",
   "sqKey": "S7088",
   "scope": "All",
   "defaultQualityProfiles": ["Sonar way"],
+  "securityStandards": {
+    "CWE": [
+      319
+    ],
+    "OWASP Mobile": [
+      "M3"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M2",
+      "M5"
+    ],
+    "OWASP": [
+      "A3",
+      "A6"
+    ],
+    "OWASP Top 10 2021": [
+      "A2",
+      "A5"
+    ],
+    "PCI DSS 3.2": [
+      "4.1"
+    ],
+    "PCI DSS 4.0": [
+      "4.2.1"
+    ],
+    "ASVS 4.0": [
+      "9.1.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222562",
+      "V-222563",
+      "V-222598",
+      "V-222599"
+    ]
+  },
   "quickfix": "unknown",
   "code": {
     "impacts": {

rules/S7088/dart/rule.adoc

@@ -1,9 +1,38 @@
 == Why is this an issue?
 
-In the `pubspec.yaml` file there's a possibility to specify urls in various attributes: homepage, repository, issue_tracker, dependency repositories, etc. It is important to make sure that secure protocol is used in these urls. The `https` provide an additional layer of security by encrypting the transferred data and checking the TLS/SSL certificates. It is generally recommended to avoid using `http` or `git` protocols.
+Transport Layer Security (TLS) provides a secure channel between systems communicating over the internet by encrypting the data sent between them. TLS can be used with `http` and `git` URI schemes to build secure `https` and `git+https` channels respectively. 
+
+These secure protocols are essential for the confidentiality and the integrity of the communication performed when supply chain operations are performed, such as `dart pub get`, `flutter pub get`, `dart pub upgrade`, etc.
+
+In the https://dart.dev/tools/pub/pubspec[`pubspec.yaml` file], which is a file used by several Dart/Flutter commands, there's a possibility to specify URIs in various attributes: homepage, repository, issue_tracker, dependency repositories, etc. 
+
+It is important to make sure that secure schemes are used in all these URIs. The protocol used in the `https` scheme provide an additional layer of security by encrypting the transferred data and checking the TLS/SSL certificates. 
+
+It is generally recommended to avoid using `http` or `git` URIs that may potentially be used by Dart/Flutter commands to gather external data during any stage of the application build.
+
+=== What is the potential impact
+
+==== Man-in-the-middle (MitM) attacks
+
+An attacker can intercept the communication between the client and server, allowing them modify the data being transmitted.
+
+==== Supply chain attacks
+
+Without the verification provided by HTTPS certificates, attackers could redirect package requests to malicious servers that mimic legitimate package repositories. 
+
+For example, an attacker could inject malicious code into a Dart package being downloaded, which could compromise the security of the application being built.
+
+This can cause further security breaches inside the organization, but will also affect clients if the malicious code gets added to any products, as a part of a production dependency or as code generated by a tampered development dependency.
+
+Distributing code that (unintentionally) contains backdoors or malware can lead to widespread security vulnerabilities, reputational damage, and potential legal liabilities.
+
+==== Credetials exposure
+
+Sensitive information, such as API keys or user credentials used to interact with the remote repository of Dart/Flutter packages, could be exposed during transmission. This could lead to unauthorized access to the application or its data.
 
 == How to fix it
-Replace unsecure `http` or `git` protocols with `https`.
+
+Replace unsecure `http` or `git` URI schemas with `https`.
 
 === Code examples
 
@@ -38,12 +67,28 @@ git:
 ----
 
 == Resources
+
 === Documentation
 
 * Dart Docs - https://dart.dev/tools/linter-rules/secure_pubspec_urls[Dart Linter rule - secure_pubspec_urls]
 * Dart Docs - https://dart.dev/tools/pub/pubspec[pubspec]
 * Wikipedia - https://en.wikipedia.org/wiki/HTTPS[HTTPS]
 
+=== Standards
+
+* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
+* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
+* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication[Mobile Top 10 2016 Category M3 - Insecure Communication]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m2-inadequate-supply-chain-security[Mobile Top 10 2024 Category M2 - Inadequate Supply Chain Security]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication[Mobile Top 10 2024 Category M5 - Insecure Communication]
+* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222562[Application Security and Development: V-222562] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222563[Application Security and Development: V-222563] - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of maintenance and diagnostic communications.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222598[Application Security and Development: V-222598] - The application must maintain the confidentiality and integrity of information during preparation for transmission.
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222599[Application Security and Development: V-222599] - The application must maintain the confidentiality and integrity of information during reception.
+
 ifdef::env-github,rspecator-view[]
 
 '''