From 33a29b75553c93954c4af5b7e87a7b3af030a0a4 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 29 Jan 2024 15:16:07 +0100
Subject: [PATCH] Create rule S5332 (#3526)

---
 rules/S5332/kubernetes/metadata.json | 29 ++++++++++
 rules/S5332/kubernetes/rule.adoc | 79 ++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 rules/S5332/kubernetes/metadata.json
 create mode 100644 rules/S5332/kubernetes/rule.adoc

diff --git a/rules/S5332/kubernetes/metadata.json b/rules/S5332/kubernetes/metadata.json
new file mode 100644
index 00000000000..6908a72ec74
--- /dev/null
+++ b/rules/S5332/kubernetes/metadata.json
@@ -0,0 +1,29 @@
+{
+ "tags": [
+ "cwe"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 319
+ ],
+ "OWASP": [
+ ],
+ "OWASP Mobile": [
+ ],
+ "MASVS": [
+ ],
+ "OWASP Top 10 2021": [
+ ],
+ "PCI DSS 3.2": [
+ "4.1",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "4.2.1",
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ ]
+ }
+}
diff --git a/rules/S5332/kubernetes/rule.adoc b/rules/S5332/kubernetes/rule.adoc
new file mode 100644
index 00000000000..91d2f1aa32b
--- /dev/null
+++ b/rules/S5332/kubernetes/rule.adoc
@@ -0,0 +1,79 @@
+include::../description.adoc[]
+
+== Ask Yourself Whether
+
+* Application data needs to be protected against tampering or leaks when transiting over the network.
+* Application data transits over an untrusted network.
+* Compliance rules require the service to encrypt data in transit.
+* OS-level protections against clear-text traffic are deactivated.
+
+There is a risk if you answered yes to any of those questions.
+
+== Recommended Secure Coding Practices
+
+* Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols:
+** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``.
+** Use ``++https++`` instead of ``++http++``.
+
+It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system.
+
+== Sensitive Code Example
+
+[source,yaml]
+----
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: curl
+spec:
+ template:
+ spec:
+ containers:
+ - name: curl
+ image: curlimages/curl
+ command: ["curl"]
+ args: ["http://example.com/"] # Sensitive
+----
+
+== Compliant Solution
+
+[source,yaml]
+----
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: curl
+spec:
+ template:
+ spec:
+ containers:
+ - name: curl
+ image: curlimages/curl
+ command: ["curl"]
+ args: ["https://example.com/"]
+----
+
+== See
+
+* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
+* https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information
+* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
+* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+== Message
+
+* Make sure that using clear-text protocols is safe here.
+
+== Highlighting
+
+Highlight the URL.
+
+'''
+
+endif::env-github,rspecator-view[]
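Review bot: The "Ask Yourself Whether" bullet "OS-level protections against clear-text traffic are deactivated" reads as carried over from the mobile variants of this rule and has no obvious counterpart for a Kubernetes manifest, so it should either be dropped or reworded to the cluster-level control that matters here, e.g. `* Traffic inside the cluster is not encrypted by an infrastructure layer (such as a service mesh) you rely on.`. The Compliant Solution also deserves one caveat, because switching the URL to `https://` only helps when the client still verifies the server certificate; a sentence after the second listing such as `Note that disabling certificate verification on the client (for example with curl's ``++-k++``/``++--insecure++`` flag) reintroduces the same risk.` would stop the example from being copied as a complete fix. Finally, both listings only show a URL in a container's `args`; since the Highlighting section says "Highlight the URL", the rule text could state whether URLs in other manifest fields (environment variables, probe definitions) are in scope, as a reader cannot tell from the examples alone.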