From a93f663c3aeae9bae22d156467debb694c31d6fb Mon Sep 17 00:00:00 2001
From: Tohar
Date: Wed, 10 Apr 2024 17:23:15 +0300
Subject: [PATCH 1/3] Refine the description for api_key_exposed_in_global_security and api_key_exposed_in_operation_security

---
 .../general/api_key_exposed_in_global_security/metadata.json | 4 ++--
 .../api_key_exposed_in_operation_security/metadata.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
index 5bdc94edff4..2be52ff898e 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "API Key Exposed In Global Security (v3)",
 "severity": "LOW",
 "category": "Access Control",
- "descriptionText": "API Keys should not be transported over network",
+ "descriptionText": "API Keys should be transported using a secure method such as HTTPS. Define a security scheme that uses a secure method to transport the API key.",
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "f7f6e7fb",
@@ -18,4 +18,4 @@
 },
 "cwe": "",
 "oldSeverity": "MEDIUM"
-}
\ No newline at end of file
+}
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
index c1a68e04c4a..5fdfde27767 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
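Review bot: The new descriptionText in this hunk tells the reader to "define a security scheme that uses a secure method to transport the API key", but an OpenAPI Security Scheme Object (the target of the descriptionUrl on the next context line) only declares where an apiKey is carried (header, query or cookie); the transport is fixed by the server URLs (v3 `servers[].url`) or `schemes` (v2), so the remediation cannot be applied in the object the link points to. The same text is added for the operation-security file in the next hunk and for both v2 entries in the third patch, so all four should be reworded together. A key sent in a query parameter is also written to access logs and browser history even over HTTPS, which the old wording "should not be transported over network" at least hinted at and the new text loses; something like `"descriptionText": "API keys are bearer credentials: serve the API over HTTPS only and carry the key in a header or cookie rather than a query parameter so it is not exposed in URLs and logs."` keeps the finding actionable. The `"cwe": ""` field in the second hunk of this file is still empty; CWE-319 (cleartext transmission of sensitive information) or CWE-598 (sensitive data in a query string) would fit, depending on what the query actually checks.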
@@ -3,7 +3,7 @@
 "queryName": "API Key Exposed In Operation Security (v3)",
 "severity": "LOW",
 "category": "Access Control",
- "descriptionText": "API Keys should not be transported over network",
+ "descriptionText": "API Keys should be transported using a secure method such as HTTPS. Define a security scheme that uses a secure method to transport the API key.",
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
 "platform": "OpenAPI",
 "descriptionID": "812604ac",
@@ -18,4 +18,4 @@
 },
 "cwe": "",
 "oldSeverity": "LOW"
-}
\ No newline at end of file
+}

From 424ecae5c9ac6033a4dc3baa0fda0c06ba8ad308 Mon Sep 17 00:00:00 2001
From: Tohar
Date: Thu, 11 Apr 2024 15:40:27 +0300
Subject: [PATCH 2/3] add "cloudProvider": "common" to metadata.json

---
 .../general/api_key_exposed_in_global_security/metadata.json | 3 ++-
 .../api_key_exposed_in_operation_security/metadata.json | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
index 2be52ff898e..84b7ec3b726 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
@@ -17,5 +17,6 @@
 }
 },
 "cwe": "",
- "oldSeverity": "MEDIUM"
+ "oldSeverity": "MEDIUM",
+ "cloudProvider": "common"
 }
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
index 5fdfde27767..8265e84d61b 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
@@ -17,5 +17,6 @@
 }
 },
 "cwe": "",
- "oldSeverity": "LOW"
+ "oldSeverity": "LOW",
+ "cloudProvider": "common"
 }
From 01c3b600f6de2a34a45cc967de8f92af1654be6c Mon Sep 17 00:00:00 2001
From: Tohar
Date: Thu, 11 Apr 2024 15:48:09 +0300
Subject: [PATCH 3/3] add "cloudProvider": "common" to metadata.json

---
 .../general/api_key_exposed_in_global_security/metadata.json | 2 +-
 .../general/api_key_exposed_in_operation_security/metadata.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
index 84b7ec3b726..e9fee146eda 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
@@ -13,7 +13,7 @@
 "id": "533a0d13-6e89-4551-ae33-bce14e5849c1",
 "queryName": "API Key Exposed In Global Security (v2)",
 "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject",
- "descriptionText": ""
+ "descriptionText": "API Keys should be transported using a secure method such as HTTPS. Define a security scheme that uses a secure method to transport the API key."
 }
 },
 "cwe": "",
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
index 8265e84d61b..6e661087b1b 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
@@ -13,7 +13,7 @@
 "id": "392599e4-a4e2-403d-bc56-3fe05755782d",
 "queryName": "API Key Exposed In Operation Security (v2)",
 "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject",
- "descriptionText": ""
+ "descriptionText": "API Keys should be transported using a secure method such as HTTPS. Define a security scheme that uses a secure method to transport the API key."
 }
 },
 "cwe": "",