Create rule S8365: Temporary files should be deleted after use in Jenkins pipelines

rules/S8365/groovy/metadata.json

@@ -0,0 +1,37 @@
+{
+  "title": "Temporary files should be deleted after use in Jenkins pipelines",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant/Issue",
+    "constantCost": "5 min"
+  },
+  "tags": [
+    "jenkins",
+    "security",
+    "cleanup"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-8365",
+  "sqKey": "S8365",
+  "scope": "All",
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "BLOCKER"
+    },
+    "attribute": "COMPLETE"
+  },
+  "securityStandards": {
+    "OWASP Top 10 2021": [
+      "A1"
+    ],
+    "CWE": [
+      200,
+      459
+    ]
+  }
+}

rules/S8365/groovy/rule.adoc

@@ -0,0 +1,70 @@
+This rule raises an issue when temporary files are created in Jenkins pipelines but are not explicitly deleted after use.
+
+== Why is this an issue?
+
+Jenkins pipelines often handle sensitive data through file uploads or temporary file creation. When these files are not properly cleaned up, they remain on the Jenkins master or workspace, creating security vulnerabilities.
+
+Temporary files may contain:
+
+* Uploaded configuration files with credentials
+* User data from form submissions  
+* Build artifacts with sensitive information
+* Intermediate processing files
+
+If these files are not deleted, they can be accessed by:
+
+* Other pipeline executions
+* Users with workspace access
+* Malicious actors who gain system access
+* Automated processes that scan file systems
+
+The Jenkins master and agent file systems are shared resources. Files left behind from one pipeline execution can be discovered and accessed by subsequent executions or other users, leading to data leakage and potential security breaches.
+
+Proper file cleanup is essential for maintaining data confidentiality and preventing unauthorized access to sensitive information in CI/CD environments.
+
+=== What is the potential impact?
+
+Sensitive data may be exposed to unauthorized users or processes. This can lead to credential theft, data breaches, or compliance violations. In shared Jenkins environments, temporary files from one project could be accessed by users of other projects.
+
+== How to fix it
+
+Always delete file objects created through Jenkins input steps after processing them. Use the delete() method to remove files from the Jenkins master.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,groovy,diff-id=1,diff-type=noncompliant]
+----
+def inputFile = input message: 'Upload file', parameters: [file(name: 'data_upload')]
+writeFile(file: 'temp.dat', encoding: 'Base64', text: inputFile.read().getBytes().encodeBase64().toString())
+// File is not cleaned up // Noncompliant
+----
+
+==== Compliant solution
+
+[source,groovy,diff-id=1,diff-type=compliant]
+----
+def inputFile = input message: 'Upload file', parameters: [file(name: 'data_upload')]
+writeFile(file: 'temp.dat', encoding: 'Base64', text: inputFile.read().getBytes().encodeBase64().toString())
+// Remove the file from the master to avoid data leakage
+inputFile.delete()
+----
+
+== Resources
+
+=== Documentation
+
+ * Jenkins Pipeline File Input - https://www.jenkins.io/doc/pipeline/steps/pipeline-input-step/[Official documentation for Jenkins pipeline input step including file parameters]
+
+ * Jenkins Pipeline Utility Steps - https://www.jenkins.io/doc/pipeline/steps/pipeline-utility-steps/[Documentation for writeFile and other file manipulation steps in Jenkins pipelines]
+
+ * Jenkins Security Best Practices - https://www.jenkins.io/doc/book/security/[General security guidelines for Jenkins including file handling recommendations]
+
+=== Standards
+
+ * OWASP Top 10 2021 A1 - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Broken Access Control - improper file cleanup can lead to unauthorized data access]
+
+ * CWE 200 - https://cwe.mitre.org/data/definitions/200.html[Information Exposure - temporary files may expose sensitive information]
+
+ * CWE 459 - https://cwe.mitre.org/data/definitions/459.html[Incomplete Cleanup - failure to properly clean up temporary files]

rules/S8365/metadata.json

@@ -0,0 +1,2 @@
+{
+}