SonarSource · jonas-wielage-sonarsource · Aug 17, 2023 · Aug 17, 2023
diff --git a/sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6338.html b/sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6338.html
@@ -1,25 +1,51 @@
+<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
+code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
+exposed to an unintended audience.</p>
 <h2>Why is this an issue?</h2>
-<p>Azure Storage Account Keys are similar to the root password, allowing full access to Azure Storage Accounts.</p>
-<p>If the application interacts with Azure Cloud Storage services, access keys should be secured and not be disclosed.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<p>Only administrators should have access to storage account keys. To authorize an application to access an Azure Storage, it’s recommended to create
-a service principal and assign it the required privileges only. <a
-href="https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#authenticate-with-the-azure-identity-library">Azure
-Identity SDK</a> provides several options such as <em>DefaultAzureCredential</em> that can be used to retrieve secrets from, for instance, environment
-variables.</p>
-<p>Storage account keys should not be stored with the application code or saved anywhere in plain text accessible to others. Consider using an <a
-href="https://azure.microsoft.com/en-us/services/key-vault/">Azure Key Vault</a> to store and manage keys.</p>
-<p>When credentials are disclosed in the application code, consider them as compromised and rotate them immediately.</p>
+<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
+Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
+services or resources.</p>
+<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p>
+<h3>What is the potential impact?</h3>
+<p>Azure Storage Account Keys are used to authenticate and authorize access to Azure Storage resources, such as blobs, queues, tables, and files.
+These keys are used to authenticate requests made against the storage account.</p>
+<p>If an Azure Storage Account Key is leaked to an unintended audience, it can pose a significant security risk to your Azure Storage account.</p>
+<p>An attacker with access to your storage account key can potentially access and modify all the data stored in your storage account. They can also
+create new resources, delete existing ones, and perform other actions that can compromise the integrity and confidentiality of your data.</p>
+<p>In addition, an attacker with access to your storage account key can also incur charges on your account by creating and using resources, which can
+result in unexpected billing charges.</p>
+<h2>How to fix it</h2>
+<p><strong>Revoke the secret</strong></p>
+<p>Revoke any leaked secrets and remove them from the application source code.</p>
+<p>Before revoking the secret, ensure that no other applications or processes is using it. Other usages of the secret will also be impacted when the
+secret is revoked.</p>
+<p><strong>Analyze recent secret use</strong></p>
+<p>When available, analyze authentication logs to identify any unintended or malicious use of the secret since its disclosure date. Doing this will
+allow determining if an attacker took advantage of the leaked secret and to what extent.</p>
+<p>This operation should be part of a global incident response process.</p>
+<p><strong>Use a secret vault</strong></p>
+<p>A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
+disclosure.</p>
+<p>Depending on the development platform and the leaked secret type, multiple solutions are currently available.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+props.set("storage_key", "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==")
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+props.set("storage_key", System.getenv("STORAGE_KEY"))
+</pre>
 <h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
-  <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
-  Authentication Failures </li>
-  <li> <a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal">docs.microsoft.com</a> - Manage
-  storage account access keys </li>
-  <li> <a href="https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data
-  Exposure </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
-  <li> <a href="https://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
-  <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/259">CWE-259 - Use of Hard-coded Password</a> </li>
+  <li> SANS - <a href="https://www.sans.org/top25-software-errors/#cat3">TOP 25 Most Dangerous Software Errors</a> </li>
+</ul>
+<h3>Documentation</h3>
+<ul>
+  <li> Microsoft Documentation - <a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal">Manage
+  storage account access keys</a> </li>
 </ul>
 
diff --git a/sonar-text-plugin/src/main/resources/org/sonar/l10n/text/rules/text/S6389.json b/sonar-text-plugin/src/main/resources/org/sonar/l10n/text/rules/text/S6389.json
@@ -1,6 +1,12 @@
 {
   "title": "Using bidirectional characters is security-sensitive",
   "type": "SECURITY_HOTSPOT",
+  "code": {
+    "impacts": {
+      "SECURITY": "MEDIUM"
+    },
+    "attribute": "CLEAR"
+  },
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",

diff --git a/sonarpedia-secrets/sonarpedia.json b/sonarpedia-secrets/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "SECRETS"
   ],
-  "latest-update": "2023-08-07T09:33:29.463115100Z",
+  "latest-update": "2023-08-17T08:01:09.848962100Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true

diff --git a/sonarpedia-text/sonarpedia.json b/sonarpedia-text/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "TEXT"
   ],
-  "latest-update": "2023-05-12T06:10:47.094097868Z",
+  "latest-update": "2023-08-17T08:01:43.309196300Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true