Feature #687: add basics for secret advisory (challenge 35)

Author: commjoen

…crets/challenges/docker/Challenge36.java …crets/challenges/docker/Challenge35.javasrc/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java renamed to src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java renamed to src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java

@@ -15,9 +15,9 @@
 @Slf4j
 @Component
 @Order(36)
-public class Challenge36 extends Challenge {
+public class Challenge35 extends Challenge {
 
-  public Challenge36(ScoreCard scoreCard) {
+  public Challenge35(ScoreCard scoreCard) {
     super(scoreCard);
   }
 
@@ -42,7 +42,7 @@ public int difficulty() {
     return Difficulty.EASY;
   }
 
-  /** {@inheritDoc} This is a crypto Documentation type of challenge */
+  /** {@inheritDoc} This is a Documentation type of challenge */
   @Override
   public String getTech() {
     return ChallengeTechnology.Tech.DOCUMENTATION.id;

src/main/resources/explanations/challenge35.adoc

@@ -0,0 +1,3 @@
+=== Reporting on Vulnerabilities
+
+A security researcher found a Google API key and together with the project leader https://github.com/commjoen[@commjoen] made a https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[Security Advisory]. The only thing @commjoen dit wrong, was actually publish the API key as part of the advisory. Can you spot the key?

src/main/resources/explanations/challenge35_hint.adoc

@@ -0,0 +1,13 @@
+This is a documentation challenge, which can be solved by going to the Github Advisory.
+
+1. Get to the key using the Github security advisory
+- Go to https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[the advisory].
+- Find the Google API key.
+- Copy it into the answer box.
+
+2. Follow the Github security advisory information
+- Go to https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[the advisory].
+- Find the version that is impacted (1.6.8RC1).
+- Open the tag at https://github.com/OWASP/wrongsecrets/tree/1.6.8RC1[Github].
+- Find the Google API key in challenge 35.
+- Copy it into the answer box.

src/main/resources/explanations/challenge35_reason.adoc

@@ -0,0 +1,3 @@
+*Why we need to be careful with vulnerability reports*
+
+When you report a vulnerability, or when you publish a security advisory, always be careful with the datails you spread with them. Hardcoded secrets found, especially those harder to rotate, should not be put into your security report itself and/or the publication.