Create rule S6437(Python): Credentials should not be hard-coded (#1609)

rules/S6437/python/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6437/python/rule.adoc

@@ -0,0 +1,112 @@
+include::../description.adoc[]
+
+== Noncompliant Code Example
+
+[source,python]
+----
+from requests_oauthlib.oauth2_session import OAuth2Session
+
+scope = ['https://www.api.example.com/auth/example.data']
+
+oauth = OAuth2Session(
+    'example_client_id',
+    redirect_uri='https://callback.example.com/uri',
+    scope=scope)
+
+token = oauth.fetch_token(
+        'https://api.example.com/o/oauth2/token',
+        client_secret='example_Password') # Noncompliant
+
+data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
+----
+
+== Compliant Solution
+
+Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager[AWS Secrets Manager]:
+
+[source,python]
+----
+import boto3
+from requests_oauthlib.oauth2_session import OAuth2Session
+
+def get_client_secret():
+
+    session = boto3.session.Session()
+    client = session.client(service_name='secretsmanager', region_name='eu-west-1')
+
+    return client.get_secret_value(SecretId='example_oauth_secret_id')
+
+client_secret = get_client_secret()
+scope = ['https://www.api.example.com/auth/example.data']
+
+oauth = OAuth2Session(
+    'example_client_id',
+    redirect_uri='https://callback.example.com/uri',
+    scope=scope)
+
+token = oauth.fetch_token(
+        'https://api.example.com/o/oauth2/token',
+        client_secret=client_secret)
+
+data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
+----
+
+Using https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli[Azure Key Vault Secret]:
+
+[source,python]
+----
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+
+def get_client_secret():
+    vault_uri = "https://example.vault.azure.net"
+    credential = DefaultAzureCredential()
+    client = SecretClient(vault_url=vault_uri, credential=credential)
+
+    return client.get_secret('example_oauth_secret_name')
+
+client_secret = get_client_secret()
+scope = ['https://www.api.example.com/auth/example.data']
+
+oauth = OAuth2Session(
+    'example_client_id',
+    redirect_uri='https://callback.example.com/uri',
+    scope=scope)
+
+token = oauth.fetch_token(
+        'https://api.example.com/o/oauth2/token',
+        client_secret=client_secret)
+
+data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata')
+
+----
+
+== See
+
+* https://aws.amazon.com/fr/secrets-manager/[AWS] - Secret Manager
+* https://azure.microsoft.com/fr-fr/services/key-vault/[Azure] - Key Vault
+* https://cloud.google.com/secret-manager[GCP] - Secret Manager
+* https://www.vaultproject.io/[Hashicorp Vault] - Secret Management
+* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
+* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
+* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials
+* https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password
+* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
+
+ifdef::env-github,rspecator-view[]
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Revoke and change this password, as it is compromised.
+
+=== Highlighting
+
+Highlight the credential use and its initialization.
+
+'''
+endif::env-github,rspecator-view[]
+
+