add achufistov6_personal_org/build-gradle-password-hardcoded.yaml

semgrep · Jun 19, 2024 · 6649f00 · 6649f00
1 parent da164e5
commit 6649f00
Showing 1 changed file with 49 additions and 0 deletions.
diff --git a/achufistov6_personal_org/build-gradle-password-hardcoded.yaml b/achufistov6_personal_org/build-gradle-password-hardcoded.yaml
@@ -0,0 +1,49 @@
+rules:
+- id: build-gradle-password-hardcoded
+  message: A secret is hard-coded in the application. Secrets stored in source code,
+    such as credentials, identifiers, and other types of sensitive data, can be leaked
+    and used by internal or external malicious actors. It is recommended to rotate
+    the secret and retrieve them from a secure secret vault or Hardware Security Module
+    (HSM), alternatively environment variables can be used if allowed by your company
+    policy.
+  severity: WARNING
+  metadata:
+    likelihood: LOW
+    impact: HIGH
+    confidence: MEDIUM
+    category: security
+    subcategory:
+    - vuln
+    cwe:
+    - 'CWE-798: Use of Hard-coded Credentials'
+    cwe2020-top25: true
+    cwe2021-top25: true
+    cwe2022-top25: true
+    owasp:
+    - A07:2021 - Identification and Authentication Failures
+    references:
+    - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+    technology:
+    - secrets
+    vulnerability_class:
+    - Hard-coded Secrets
+    source_rule_url: https://semgrep.dev/playground/r/d8Ur5BA/achufistov6_personal_org.build-gradle-password-hardcoded
+  languages:
+  - kotlin
+  options:
+    symbolic_propagation: true
+  patterns:
+  - pattern-either:
+    - pattern: '$PASS = env[...] ?: $VALUE'
+  - metavariable-regex:
+      metavariable: $PASS
+      regex: (password|pass|passwd|loginPassword)
+  - metavariable-pattern:
+      language: generic
+      metavariable: $VALUE
+      patterns:
+      - pattern-either:
+        - pattern-regex: ^[A-Za-z0-9/+=]+$
+  paths:
+    include:
+    - build.gradle.kts