SonarSource · teemu-rytilahti-sonarsource · Oct 29, 2025 · Oct 22, 2025 · Oct 28, 2025 · Oct 29, 2025
diff --git a/rules/S8215/metadata.json b/rules/S8215/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S8215/secrets/metadata.json b/rules/S8215/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "Password hashes should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "BLOCKER"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "beta",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-8215",
+  "sqKey": "S8215",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "infeasible"
+}
diff --git a/rules/S8215/secrets/rule.adoc b/rules/S8215/secrets/rule.adoc
@@ -0,0 +1,81 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+Leaked password hashes allow attackers to perform offline brute-force or dictionary attacks, potentially recovering user passwords and compromising accounts.
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+include::../../../shared_content/secrets/impact/generic_impact.adoc[]
+
+== How to fix it
+
+// 1. Revoke leaked secrets
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+// 2. Analyze recent use to identify misuse
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+// 3. Use a secret vault in the future
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+// 4. Never hard-code secrets
+
+include::../../../shared_content/secrets/fix/default.adoc[]
+
+// OAuth PKCE is very specific to OAuth 2.0
+// include::../../../shared_content/secrets/fix/oauth_pkce.adoc[]
+
+=== Code examples
+
+The following examples show example hashes from shadowed password files,
+but passwords hashes can also be stored in configuration files, databases, and source codes.
+
+==== Noncompliant code example
+
+[source,shell,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+# MD5
+user:$1$0aI0baup$QSOwAQexU5cWBdkvRcJZM1:19000:0:99999:7:::
+
+# bcrypt
+user:$2y$10$DmFiNUeGvhCh9//LA0hCXujxAnwkKLsjt7OHob5IxhkSGKfgONkWK:19000:0:99999:7:::
+
+# SHA-256
+user:$5$CPoDVd6t59j/w6rR$Umw3LuzCDnYB5MosjcEmLo1Pvf6XPdgtbmUdXP0QBC.:19000:0:99999:7:::
+----
+
+==== Compliant solution
+
+[source,shell,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+# MD5
+user:$1$salt$redactedhash:19000:0:99999:7:::
+
+# bcrypt
+user:$2y$salt$redactedhash:19000:0:99999:7:::
+
+# SHA-256
+user:$5$salt$redactedhash:19000:0:99999:7:::
+----
+
+// include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks