Update rules metadata (#1598)

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S3776.html

@@ -6,4 +6,9 @@ <h3>Documentation</h3>
 <ul>
   <li> <a href="https://www.sonarsource.com/docs/CognitiveComplexity.pdf">Cognitive Complexity</a> </li>
 </ul>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li> <a href="https://www.sonarsource.com/blog/5-clean-code-tips-for-reducing-cognitive-complexity/">5 Clean Code Tips for Reducing Cognitive
+  Complexity</a> </li>
+</ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6437.html

@@ -1,27 +1,43 @@
+<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
+code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
+exposed to an unintended audience.</p>
 <h2>Why is this an issue?</h2>
-<p>A hard-coded secret has been found in your code. You should quickly list where this secret is used, revoke it, and then change it in every system
-that uses it.</p>
-<p>Passwords, secrets, and any type of credentials should only be used to authenticate a single entity (a person or a system).</p>
-<p>If you allow third parties to authenticate as another system or person, they can impersonate legitimate identities and undermine trust within the
-organization.<br> It does not matter if the impersonation is malicious: In either case, it is a clear breach of trust in the system, as the systems
-involved falsely assume that the authenticated entity is who it claims to be.<br> The consequences can be catastrophic.</p>
-<p>Keeping credentials in plain text in a code base is tantamount to sharing that password with anyone who has access to the source code and runtime
-servers.<br> Thus, it is a breach of trust, as these individuals have the ability to impersonate others.</p>
-<p>Secret management services are the most efficient tools to store credentials and protect the identities associated with them.<br> Cloud providers
-and on-premise services can be used for this purpose.</p>
-<p>If storing credentials in a secret data management service is not possible, follow these guidelines:</p>
-<ul>
-  <li> Do not store credentials in a file that an excessive number of people can access.
-    <ul>
-      <li> For example, not in code, not in a spreadsheet, not on a sticky note, and not on a shared drive. </li>
-    </ul>  </li>
-  <li> Use the production operating system to protect password access control.
-    <ul>
-      <li> For example, in a file whose permissions are restricted and protected with chmod and chown. </li>
-    </ul>  </li>
-</ul>
-<h3>Noncompliant code example</h3>
-<pre>
+<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
+Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
+services or resources.</p>
+<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p>
+<h3>What is the potential impact?</h3>
+<p>The consequences vary greatly depending on the situation and the secret-exposed audience. Still, two main scenarios should be considered.</p>
+<h4>Financial loss</h4>
+<p>Financial losses can occur when a secret is used to access a paid third-party-provided service and is disclosed as part of the source code of
+client applications. Having the secret, each user of the application will be able to use it without limit to use the third party service to their own
+need, including in a way that was not expected.</p>
+<p>This additional use of the secret will lead to added costs with the service provider.</p>
+<p>Moreover, when rate or volume limiting is set up on the provider side, this additional use can prevent the regular operation of the affected
+application. This might result in a partial denial of service for all the application’s users.</p>
+<h4>Application’s security downgrade</h4>
+<p>A downgrade can happen when the disclosed secret is used to protect security-sensitive assets or features of the application. Depending on the
+affected asset or feature, the practical impact can range from a sensitive information leak to a complete takeover of the application, its hosting
+server or another linked component.</p>
+<p>For example, an application that would disclose a secret used to sign user authentication tokens would be at risk of user identity impersonation.
+An attacker accessing the leaked secret could sign session tokens for arbitrary users and take over their privileges and entitlements.</p>
+<h2>How to fix it</h2>
+<p><strong>Revoke the secret</strong></p>
+<p>Revoke any leaked secrets and remove them from the application source code.</p>
+<p>Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the
+secret is revoked.</p>
+<p><strong>Analyze recent secret use</strong></p>
+<p>When available, analyze authentication logs to identify any unintended or malicious use of the secret since its disclosure date. Doing this will
+allow determining if an attacker took advantage of the leaked secret and to what extent.</p>
+<p>This operation should be part of a global incident response process.</p>
+<p><strong>Use a secret vault</strong></p>
+<p>A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
+disclosure.</p>
+<p>Depending on the development platform and the leaked secret type, multiple solutions are currently available.</p>
+<h3>Code examples</h3>
+<p>The following code example is noncompliant because it uses a hardcoded secret value.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 from requests_oauthlib.oauth2_session import OAuth2Session
 
 scope = ['https://www.api.example.com/auth/example.data']
@@ -34,73 +50,44 @@ <h3>Noncompliant code example</h3>
 token = oauth.fetch_token(
         'https://api.example.com/o/oauth2/token',
         client_secret='example_Password') # Noncompliant
-
-data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
 </pre>
-<h3>Compliant solution</h3>
-<p>Using <a href="https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager">AWS Secrets Manager</a>:</p>
-<pre>
-import boto3
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+from os import environ
 from requests_oauthlib.oauth2_session import OAuth2Session
 
-def get_client_secret():
-
-    session = boto3.session.Session()
-    client = session.client(service_name='secretsmanager', region_name='eu-west-1')
-
-    return client.get_secret_value(SecretId='example_oauth_secret_id')
-
-client_secret = get_client_secret()
 scope = ['https://www.api.example.com/auth/example.data']
 
 oauth = OAuth2Session(
     'example_client_id',
     redirect_uri='https://callback.example.com/uri',
     scope=scope)
 
-token = oauth.fetch_token(
-        'https://api.example.com/o/oauth2/token',
-        client_secret=client_secret)
-
-data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
-</pre>
-<p>Using <a href="https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli">Azure Key Vault Secret</a>:</p>
-<pre>
-from azure.keyvault.secrets import SecretClient
-from azure.identity import DefaultAzureCredential
-
-def get_client_secret():
-    vault_uri = "https://example.vault.azure.net"
-    credential = DefaultAzureCredential()
-    client = SecretClient(vault_url=vault_uri, credential=credential)
-
-    return client.get_secret('example_oauth_secret_name')
-
-client_secret = get_client_secret()
-scope = ['https://www.api.example.com/auth/example.data']
-
-oauth = OAuth2Session(
-    'example_client_id',
-    redirect_uri='https://callback.example.com/uri',
-    scope=scope)
+password = environ.get('OAUTH_SECRET')
 
 token = oauth.fetch_token(
         'https://api.example.com/o/oauth2/token',
-        client_secret=client_secret)
-
-data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
+        client_secret=password)
 </pre>
+<h3>How does this work?</h3>
+<p>While the noncompliant code example contains a hard-coded password, the compliant solution retrieves the secret’s value from its environment. This
+allows to have an environment-dependent secret value and avoids storing the password in the source code itself.</p>
+<p>Depending on the application and its underlying infrastructure, how the secret gets added to the environment might change.</p>
 <h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> AWS Documentation - <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html">What is AWS Secrets Manager</a> </li>
+  <li> Azure Documentation - <a href="https://learn.microsoft.com/en-us/azure/key-vault/">Azure Key Vault</a> </li>
+  <li> Google Cloud - <a href="https://cloud.google.com/secret-manager/docs">Secret Manager documentation</a> </li>
+  <li> HashiCorp Developer - <a href="https://developer.hashicorp.com/vault/docs">Vault Documentation</a> </li>
+</ul>
+<h3>Standards</h3>
 <ul>
-  <li> <a href="https://aws.amazon.com/fr/secrets-manager/">AWS</a> - Secret Manager </li>
-  <li> <a href="https://azure.microsoft.com/fr-fr/services/key-vault/">Azure</a> - Key Vault </li>
-  <li> <a href="https://cloud.google.com/secret-manager">GCP</a> - Secret Manager </li>
-  <li> <a href="https://www.vaultproject.io/">Hashicorp Vault</a> - Secret Management </li>
-  <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
-  Authentication Failures </li>
-  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication">OWASP Top 10 2017 Category A2</a> - Broken Authentication </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/798.html">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/259.html">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
-  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
+  <li> OWASP - <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">Top 10 2021 - Category A7 - Identification and
+  Authentication Failures</a> </li>
+  <li> OWASP - <a href="https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication">Top 10 2017 - Category A2 - Broken Authentication</a>
+  </li>
+  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/798.html">CWE-798 - Use of Hard-coded Credentials</a> </li>
+  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/259.html">CWE-259 - Use of Hard-coded Password</a> </li>
 </ul>
 

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6735.json

@@ -14,7 +14,7 @@
   "ruleSpecification": "RSPEC-6735",
   "sqKey": "S6735",
   "scope": "All",
-  "quickfix": "unknown",
+  "quickfix": "covered",
   "code": {
     "impacts": {
       "MAINTAINABILITY": "HIGH"

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6741.json

@@ -14,7 +14,7 @@
   "ruleSpecification": "RSPEC-6741",
   "sqKey": "S6741",
   "scope": "All",
-  "quickfix": "unknown",
+  "quickfix": "covered",
   "code": {
     "impacts": {
       "MAINTAINABILITY": "MEDIUM",

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -213,7 +213,6 @@
     "S6730",
     "S6734",
     "S6735",
-    "S6740",
     "S6741",
     "S6742"
   ]

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "PY"
   ],
-  "latest-update": "2023-09-25T08:37:06.879611Z",
+  "latest-update": "2023-10-06T11:02:04.798788Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true