SONARPY-3117 Rule S7625: Using long-term access keys is security-sensitive (#429)

GitOrigin-RevId: 8ac60f4d76b5d0431a36b06afa11ab77f74f42aa

Author: Seppli11

python-checks/src/main/java/org/sonar/python/checks/AwsLongTermAccessKeysCheck.java

@@ -0,0 +1,107 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.Set;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckMap;
+
+@Rule(key = "S7625")
+public class AwsLongTermAccessKeysCheck extends PythonSubscriptionCheck {
+
+  private static final String ACCESS_KEY_MESSAGE = "Make sure using long-term access keys is safe here.";
+  private static final String SECRET_KEY_MESSAGE = "Make sure using long-term secret keys is safe here.";
+
+  record ClientMethod(String fqn, int awsAccessKeyIdArgIndex) {
+    public int awsSecretAccessKeyArgIndex() {
+      return awsAccessKeyIdArgIndex + 1;
+    }
+  }
+
+  private static final Set<ClientMethod> AWS_CLIENT_METHODS = Set.of(
+    new ClientMethod("boto3.client", 6),
+    new ClientMethod("boto3.resource", 6),
+    new ClientMethod("boto3.session.Session.client", 6),
+    new ClientMethod("boto3.session.Session.resource", 6),
+    new ClientMethod("boto3.session.Session", 0)
+  );
+
+  private TypeCheckMap<ClientMethod> awsClientTypeChecks;
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::initializeTypeCheckMap);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCallExpression);
+  }
+
+  private void initializeTypeCheckMap(SubscriptionContext ctx) {
+    awsClientTypeChecks = new TypeCheckMap<>();
+    AWS_CLIENT_METHODS.forEach(clientMethod -> 
+      awsClientTypeChecks.put(ctx.typeChecker().typeCheckBuilder().isTypeOrInstanceWithName(clientMethod.fqn()), clientMethod));
+
+  }
+
+  private void checkCallExpression(SubscriptionContext ctx) {
+    var call = (CallExpression) ctx.syntaxNode();
+    ClientMethod clientMethod = awsClientTypeChecks.getForType(call.callee().typeV2());
+    if (clientMethod != null) {
+      RegularArgument accessKeyArgument = getAccessKeyArgument(clientMethod, call);
+      RegularArgument secretKeyArgument = getSecretKeyArgument(clientMethod, call);
+      if(accessKeyArgument != null && isLongTermKeyPassedAsArgument(accessKeyArgument)) {
+        ctx.addIssue(accessKeyArgument, ACCESS_KEY_MESSAGE);
+      } else if (secretKeyArgument != null && isLongTermKeyPassedAsArgument(secretKeyArgument)) {
+        ctx.addIssue(secretKeyArgument, SECRET_KEY_MESSAGE);
+      }
+    }
+  }
+
+  private static RegularArgument getSecretKeyArgument(ClientMethod clientMethod, CallExpression call) {
+    return TreeUtils.nthArgumentOrKeyword(clientMethod.awsSecretAccessKeyArgIndex(), "aws_secret_access_key", call.arguments());
+  }
+
+  private static RegularArgument getAccessKeyArgument(ClientMethod clientMethod, CallExpression call) {
+    return TreeUtils.nthArgumentOrKeyword(clientMethod.awsAccessKeyIdArgIndex(), "aws_access_key_id", call.arguments());
+  }
+
+  private static boolean isLongTermKeyPassedAsArgument(RegularArgument argument) {
+    // For the purpose of this rule, any string literal is considered a long-term key.
+    // Short-term keys seem to usually use a different mechanism. Furthermore, there is no way to distinguish between the two statically
+    Expression expression = argument.expression();
+    return isStringLiteral(expression) || isAssignedValueString(expression);
+  }
+
+  private static boolean isAssignedValueString(Expression expression) {
+    if(expression instanceof Name name) {
+      Expression assignedValue = Expressions.singleAssignedValue(name);
+      return assignedValue != null && isStringLiteral(assignedValue);
+    }
+    return false;
+  }
+
+  private static boolean isStringLiteral(Expression expr) {
+    return expr.is(Tree.Kind.STRING_LITERAL);
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -135,6 +135,7 @@ public Stream<Class<?>> getChecks() {
       AwsCustomMetricNamespaceCheck.class,
       AwsLambdaReturnValueAreSerializableCheck.class,
       AwsLambdaTmpCleanupCheck.class,
+      AwsLongTermAccessKeysCheck.class,
       AwsMissingPaginationCheck.class,
       AwsWaitersInsteadOfCustomPollingCheck.class,
       BackslashInStringCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7625.html

@@ -0,0 +1,55 @@
+<p>This rule raises an issue when long-term AWS access keys are used directly in code.</p>
+<h2>Why is this an issue?</h2>
+<p>Long-term AWS access keys remain valid until manually revoked, making them a significant security risk. Unlike temporary credentials, these keys
+don’t expire automatically and provide persistent access to your AWS resources. When hardcoded in applications, stored in configuration files, or used
+in environments where temporary credentials are available, they create unnecessary security exposure. AWS provides several alternatives like IAM
+roles, temporary credentials through AWS STS, and instance profiles that offer better security practices.</p>
+<h3>What is the potential impact?</h3>
+<p>If long-term access keys are compromised, attackers gain persistent access to your AWS resources until the keys are manually revoked. This can lead
+to unauthorized data access, resource manipulation, unexpected charges, and potential data breaches. The risk is particularly high when keys are
+embedded in mobile applications, used on EC2 instances, or stored in version control systems.</p>
+<h2>How to fix it</h2>
+<p>Use IAM roles or temporary credentials instead of hardcoded access keys to improve security and follow AWS best practices.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import boto3
+
+s3_client = boto3.client(
+    's3',
+    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
+    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+) # Noncompliant: hardcoded access keys are used
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import boto3
+import os
+
+sts_client = boto3.client('sts')
+assumable_role_arn = os.environ.get('ASSUMABLE_ROLE_ARN', 'arn:aws:iam::account-of-role-to-assume:role/name-of-role')
+assumed_role_object = sts_client.assume_role(
+    RoleArn=assumable_role_arn,
+    RoleSessionName="AssumeRoleSession1"
+)
+credentials = assumed_role_object['Credentials']
+s3_client = boto3.client('s3')
+
+s3_client = boto3.client(
+            's3',
+            aws_access_key_id=credentials['AccessKeyId'],
+            aws_secret_access_key=credentials['SecretAccessKey'],
+            aws_session_token=credentials['SessionToken']
+        )
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> AWS Documentation - <a href="https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html">Best practices for managing AWS
+  access keys</a> </li>
+  <li> AWS Documentation - <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html">Managing access keys for IAM
+  users</a> </li>
+  <li> AWS Documentation - <a href="https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html">AWS Security Token Service API Reference</a>
+  </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7625.json

@@ -0,0 +1,24 @@
+{
+  "title": "Long-term AWS access keys should not be used directly in code",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "aws"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7625",
+  "sqKey": "S7625",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "HIGH",
+      "SECURITY": "HIGH"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -295,8 +295,9 @@
     "S7617",
     "S7618",
     "S7621",
-    "S7622",
     "S7620",
+    "S7622",
+    "S7625",
     "S7632"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/AwsLongTermAccessKeysCheckTest.java

@@ -0,0 +1,28 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class AwsLongTermAccessKeysCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/awsLongTermAccessKeys.py", new AwsLongTermAccessKeysCheck());
+  }
+}

python-checks/src/test/resources/checks/awsLongTermAccessKeys.py

@@ -0,0 +1,154 @@
+import boto3
+import os
+
+def get_temporary_credentials() -> str:
+    """Used for mocking the IAM role assuming part"""
+
+    return "AKIAIOSFODNN7EXAMPLE"
+
+def noncompliant_hardcoded_credentials():
+    s3_client = boto3.client(
+        's3',
+        aws_access_key_id='AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+
+    s3_resource = boto3.resource(
+        's3',
+        aws_access_key_id='AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+
+    s3_client = boto3.client(
+        's3',
+        None, # region_name
+        None, # api_version
+        None, # use_ssl
+        None, # verify
+        None, # endpoint_url
+        'AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+
+    s3_resource = boto3.resource(
+        's3',
+        None, # region_name
+        None, # api_version
+        None, # use_ssl
+        None, # verify
+        None, # endpoint_url
+        'AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+
+
+def noncompliant_session_with_credentials():
+    session = boto3.Session()
+    ec2_from_session = session.client('ec2', 
+        aws_access_key_id='AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+    s3_from_session = session.resource('s3', 
+        aws_access_key_id='AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+
+    session = boto3.session.Session()
+    ec2_from_session = session.client('ec2', 
+        aws_access_key_id='AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+
+    session = boto3.Session(
+        aws_access_key_id='AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+
+    session = boto3.Session(
+        'AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+    ec2_from_session = session.client('ec2', 
+        None, # region_name
+        None, # api_version
+        None, # use_ssl
+        None, # verify
+        None, # endpoint_url
+        'AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+    s3_from_session = session.resource('s3', 
+        None, # region_name
+        None, # api_version
+        None, # use_ssl
+        None, # verify
+        None, # endpoint_url
+        'AKIAIOSFODNN7EXAMPLE',  # Noncompliant
+        'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    )
+
+def noncompliant_variable_assignment():
+    access_key = 'AKIAIOSFODNN7EXAMPLE'
+    secret_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
+    lambda_client = boto3.client('lambda', 
+        aws_access_key_id=access_key,  # Noncompliant
+        aws_secret_access_key=secret_key
+    )
+
+def noncompliant_only_one_parameter():
+    s3_client = boto3.client(
+        's3',
+        aws_access_key_id='AKIAIOSFODNN7EXAMPLE',  # Noncompliant {{Make sure using long-term access keys is safe here.}}
+    )
+    s3_client = boto3.client(
+        's3',
+        aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE' # Noncompliant {{Make sure using long-term secret keys is safe here.}}
+    )
+
+  
+def compliant_environment_credentials():
+    s3_resource = boto3.resource(
+        's3',
+        aws_access_key_id=os.getenv('AWS_ACCESS_KEY_ID'),  
+        aws_secret_access_key=os.getenv('AWS_SECRET_ACCESS_KEY')
+    )
+
+def compliant_iam_roles():
+    s3_client_compliant = boto3.client('s3')
+    s3_resource_compliant = boto3.resource('s3')
+    ec2_client_compliant = boto3.client('ec2', region_name='us-east-1')
+
+    session = boto3.Session()
+    ec2_compliant = session.client('ec2')
+    s3_compliant = session.resource('s3')
+
+def compliant_temporary_credentials():
+    sts_client = boto3.client('sts')
+    assumed_role_object = sts_client.assume_role(
+        RoleArn='arn:aws:iam::account-of-role-to-assume:role/name-of-role',
+        RoleSessionName="AssumeRoleSession1"
+    )
+    credentials = assumed_role_object['Credentials']
+    
+    s3_client_temp = boto3.client(
+        's3',
+        aws_access_key_id=credentials['AccessKeyId'], 
+        aws_secret_access_key=credentials['SecretAccessKey'],
+        aws_session_token=credentials['SessionToken']
+    )
+
+def compliant_with_non_string_literals():
+    key = get_temporary_credentials()
+    s3_client = boto3.client(
+        's3',
+        aws_access_key_id=key, 
+        aws_secret_access_key=key
+    )
+
+def compliant_unknown_variable(access_key, secret_key):
+    s3_client = boto3.client(
+        's3',
+        aws_access_key_id=access_key, 
+        aws_secret_access_key=secret_key
+    )
+