Update static rspec files (#283)

Author: jonas-wielage-sonarsource

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6290.html

@@ -1,30 +1,68 @@
+<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
+code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
+exposed to an unintended audience.</p>
 <h2>Why is this an issue?</h2>
-<p>AWS credentials are designed to authenticate and authorize requests to AWS.</p>
-<p>If your application interacts with AWS then it requires AWS credentials to access all the resources it needs to function properly. Resources that
-can be accessed depend on the permission granted to the AWS account. These credentials may authenticate to the AWS account root user who has
-unrestricted access to all resources in your AWS account, including billing information.</p>
-<p>This rule flags instances of:</p>
+<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
+Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
+services or resources.</p>
+<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p>
+<p>This rule detects the following leaks:</p>
 <ul>
-  <li> AWS Secret Access Key </li>
-  <li> AWS Access ID </li>
-  <li> AWS Session Token </li>
+  <li> AWS Secret Access Keys </li>
+  <li> AWS Access IDs </li>
+  <li> AWS Session Tokens </li>
 </ul>
-<h2>Recommended Secure Coding Practices</h2>
-<p>Only administrators should have access to the AWS credentials used by your application.</p>
-<p>As a consequence, AWS credentials should not be stored along with the application code as they would grant special privilege to anyone who has
-access to the application source code.</p>
-<p>Credentials should be stored outside of the code in a file that is never committed to your application code repository.</p>
-<p>If possible, a better alternative is to use your cloud provider’s service for managing secrets. On AWS this service is called <a
-href="https://aws.amazon.com/fr/secrets-manager/">Secrets Manager</a>.</p>
-<p>When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.</p>
+<h3>What is the potential impact?</h3>
+<p>Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.</p>
+<h4>Phishing and spam</h4>
+<p>An attacker can use this secret to spam users or lure them into links to a malicious domain controlled by the attacker.</p>
+<p>Spam can cause users to be exposed to the following:</p>
+<ul>
+  <li> Unsolicited, inappropriate content, such as pornographic material </li>
+  <li> Fraudulent attempts to trick users into sending information or money </li>
+  <li> Abusive or hateful statements </li>
+  <li> False advertising or fraudulent claims </li>
+</ul>
+<p>Once a user has been phished on a legitimate-seeming third-party website, an attacker can collect the user’s credentials, bypass multi-factor
+authentication (MFA), and take over the user’s account on the trusted website.</p>
+<h4>Malware distribution</h4>
+<p>Due to this vulnerability, malware can be stored and spread, both to users of the service and to other potential targets.<br> A malware depends on
+the attacker’s intentions, as the following examples show:</p>
+<ul>
+  <li> Cryptojacking malware, whose goal is to "mine" cryptocurrencies on the affected computers or servers. </li>
+  <li> Spyware that spies out sensitive information from victims. </li>
+</ul>
+<p>In the worst case, malware can cause the target systems to be completely compromised and allow attackers to infiltrate the systems.</p>
+<h4>Financial loss</h4>
+<p>Financial losses can occur when a secret is used to access a paid third-party-provided service and is disclosed as part of the source code of
+client applications. Having the secret, each user of the application will be able to use it without limit to use the third party service to their own
+need, including in a way that was not expected.</p>
+<p>This additional use of the secret will lead to added costs with the service provider.</p>
+<p>Moreover, when rate or volume limiting is set up on the provider side, this additional use can prevent the regular operation of the affected
+application. This might result in a partial denial of service for all the application’s users.</p>
+<h2>How to fix it</h2>
+<p><strong>Revoke the secret</strong></p>
+<p>Revoke any leaked secrets and remove them from the application source code.</p>
+<p>Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the
+secret is revoked.</p>
+<p><strong>Use a secret vault</strong></p>
+<p>A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
+disclosure.</p>
+<p>Depending on the development platform and the leaked secret type, multiple solutions are currently available.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+props.set("aws-secret-access-key", "kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb")
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+props.set("aws-secret-access-key", System.getenv("AWS_SECRET_ACCESS_KEY"))
+</pre>
 <h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
-  <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
-  Authentication Failures </li>
-  <li> <a href="https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data
-  Exposure </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
-  <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/259">CWE-259 - Use of Hard-coded Password</a> </li>
+  <li> SANS - <a href="https://www.sans.org/top25-software-errors/#cat3">TOP 25 Most Dangerous Software Errors</a> </li>
 </ul>
 

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6292.html

@@ -1,23 +1,68 @@
+<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
+code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
+exposed to an unintended audience.</p>
 <h2>Why is this an issue?</h2>
-<p>Amazon Marketplace Web Service credentials are designed to authenticate and authorize Amazon sellers.</p>
-<p>If your application interacts with Amazon MWS then it requires credentials to access all the resources it needs to function properly. The
+<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
+Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
+services or resources.</p>
+<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p>
+<h3>What is the potential impact?</h3>
+<p>If your application interacts with Amazon MWS then it requires credentials to access all the resources it needs to function properly.<br> The
 credentials authenticate to a seller account which can have access to resources like products, orders, price or shipment information.</p>
-<h2>Recommended Secure Coding Practices</h2>
+<p>Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.</p>
+<h4>Financial loss</h4>
+<p>Since this secret is used to process transaction-related operations, financial loss may also occur if transaction-related objects are corrupted or
+the account is tampered with.<br> This can range from indirect losses to direct unauthorized transfers of funds that can lead to bankruptcy or
+impoverishment of individuals.</p>
+<h4>Phishing and spam</h4>
+<p>An attacker can use this secret to spam users or lure them into links to a malicious domain controlled by the attacker.</p>
+<p>Spam can cause users to be exposed to the following:</p>
+<ul>
+  <li> Unsolicited, inappropriate content, such as pornographic material </li>
+  <li> Fraudulent attempts to trick users into sending information or money </li>
+  <li> Abusive or hateful statements </li>
+  <li> False advertising or fraudulent claims </li>
+</ul>
+<p>Once a user has been phished on a legitimate-seeming third-party website, an attacker can collect the user’s credentials, bypass multi-factor
+authentication (MFA), and take over the user’s account on the trusted website.</p>
+<h4>Malware distribution</h4>
+<p>Due to this vulnerability, malware can be stored and spread, both to users of the service and to other potential targets.<br> A malware depends on
+the attacker’s intentions, as the following examples show:</p>
+<ul>
+  <li> Cryptojacking malware, whose goal is to "mine" cryptocurrencies on the affected computers or servers. </li>
+  <li> Spyware that spies out sensitive information from victims. </li>
+</ul>
+<p>In the worst case, malware can cause the target systems to be completely compromised and allow attackers to infiltrate the systems.</p>
+<h4>Account termination</h4>
+<p>Unauthorized access to mailing service API keys can also result in resource abuse. Attackers can exploit the API keys to send a large volume of
+spam emails or perform other resource-intensive operations, causing a significant strain on the mailing service provider’s infrastructure.</p>
+<p>The service provider, being vigilant about such activities, may flag your account and take action against it. This could lead to the suspension or
+termination of the compromised account, thus causing significant inconvenience and potential loss of communication with your customers or
+partners.</p>
+<h2>How to fix it</h2>
 <p>Only administrators should have access to the MWS credentials used by your application.</p>
-<p>As a consequence, MWS credentials should not be stored along with the application code as they would grant special privilege to anyone who has
-access to the application source code.</p>
-<p>Credentials should be stored outside of the code in a file that is never committed to your application code repository.</p>
-<p>If possible, a better alternative is to use your cloud provider’s service for managing secrets. On AWS this service is called <a
-href="https://aws.amazon.com/fr/secrets-manager/">Secrets Manager</a>.</p>
-<p>When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.</p>
+<p><strong>Revoke the secret</strong></p>
+<p>Revoke any leaked secrets and remove them from the application source code.</p>
+<p>Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the
+secret is revoked.</p>
+<p><strong>Use a secret vault</strong></p>
+<p>A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
+disclosure.</p>
+<p>Depending on the development platform and the leaked secret type, multiple solutions are currently available.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+props.set("mws-key", "amzn.mws.3b8be74a-5f63-5770-5bad-19bd40c0ac65")
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+props.set("mws-key", System.getenv("MWS_KEY"))
+</pre>
 <h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
-  <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
-  Authentication Failures </li>
-  <li> <a href="https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data
-  Exposure </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
-  <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/259">CWE-259 - Use of Hard-coded Password</a> </li>
+  <li> SANS - <a href="https://www.sans.org/top25-software-errors/#cat3">TOP 25 Most Dangerous Software Errors</a> </li>
 </ul>
 

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6334.html

@@ -1,32 +1,50 @@
+<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
+code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
+exposed to an unintended audience.</p>
 <h2>Why is this an issue?</h2>
-<p>Google API keys are used to authenticate applications that consume Google Cloud APIs. They are especially useful for accessing public data
-anonymously (like Google Maps), and are used to associate API requests with your project for quota and billing.</p>
-<p>API keys are not strictly secret as they are often embedded into client side code or mobile applications that consume Google Cloud APIs. Still,
-they should be secured and should never be treated as public information.</p>
-<p>An unrestricted Google API key being disclosed in a public source code would be used by malicious actors to consume Google APIs on the behalf of
-your application. This will have a financial impact as your organisation will be billed for the data consumed by the malicious actor. If your account
-has enabled quota to cap the API consumption of your application, this quota can be exceeded, leaving your application unable to request the Google
-APIs it requires to function properly.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<p>Only administrators should have access to the Google API keys used by your application.</p>
-<p>As a consequence, Google API keys should not be stored along with the application code as they could be disclosed to a large audience or could be
-made public.</p>
-<p>Google API keys should be stored outside of the code in a file that is never committed to your application code repository.</p>
-<p>If possible, a better alternative is to use your cloud provider’s service for managing secrets. On Google Cloud this service is called <a
-href="https://cloud.google.com/secret-manager">Secret Manager</a>.</p>
-<p>When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.</p>
-<p>In addition to secure storage, it’s important to apply <a
-href="https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions">restrictions</a> to API keys in order to mitigate the impacts when
-they are discovered by malicious actors.</p>
+<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
+Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
+services or resources.</p>
+<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p>
+<h3>What is the potential impact?</h3>
+<p>Google API keys are used to authenticate applications that consume Google Cloud APIs.</p>
+<p>API keys are not strictly secret as they are often embedded into client-side code or mobile applications that consume Google Cloud APIs. Still,
+they should be secured.</p>
+<h4>Financial loss</h4>
+<p>An unrestricted Google API key being disclosed in a public source code could be used by malicious actors to consume Google APIs on behalf of your
+application.<br> This will have a financial impact as your organization will be billed for the data consumed by the malicious actor.</p>
+<h4>Denial of service</h4>
+<p>If your account has enabled quota to cap the API consumption of your application, this quota can be exceeded, leaving your application unable to
+request the Google APIs it requires to function properly.</p>
+<h2>How to fix it</h2>
+<p>Depending on the sensitivity of the key use, only administrators should have access to the Google API keys used by your application.</p>
+<p><strong>For client-facing keys</strong></p>
+<p>If the key must be sent to clients for the service to run properly, then it does not need to be revoked or added to a Vault, ignore the following
+sections.<br> However, it is important to apply <a href="https://cloud.google.com/docs/authentication/api-keys#securing">Google’s guidelines to secure
+the API keys</a>.</p>
+<p>These best practices will help mitigate abuse of this key.</p>
+<p><strong>Revoke the secret</strong></p>
+<p>Revoke any leaked secrets and remove them from the application source code.</p>
+<p>Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the
+secret is revoked.</p>
+<p><strong>Use a secret vault</strong></p>
+<p>A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
+disclosure.</p>
+<p>Depending on the development platform and the leaked secret type, multiple solutions are currently available.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+props.set("google-api-key", "zAIJf4Six4MjGwxvkarrf1LPUaCdyNSjzsyIoRI")
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+props.set("google-api-key", System.getenv("GOOGLE_API_KEY"))
+</pre>
 <h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
-  <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
-  Authentication Failures </li>
-  <li> <a href="https://cloud.google.com/docs/authentication/api-keys">Google Cloud</a> - Using API keys </li>
-  <li> <a href="https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data
-  Exposure </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
-  <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/259">CWE-259 - Use of Hard-coded Password</a> </li>
+  <li> SANS - <a href="https://www.sans.org/top25-software-errors/#cat3">TOP 25 Most Dangerous Software Errors</a> </li>
 </ul>