SonarCFamily / CPP-1847

Rule S2068: Credentials should not be hard-coded


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.15
    • Component/s: Rules
    • Labels: None

      Description

      Summary

      This rule detects potential hard-coded passwords based on:

      • Literal string format
      • Symbol names

      Code Samples

      https://github.com/SonarSource/security-expected-issues/tree/master/cc%2B%2B/rules/hotspots/RSPEC-2068

      Word list

      • password
      • passwd
      • pwd
      • passphrase

      FP prevention

      Symbol name vs string content

      The implementation of this rule in other languages (like Java) relies heavily on symbol names matching word-list items to raise issues. The downside is that it raises many FPs when constants are used to avoid duplicated strings:

      std::string RESET_PASSWORD = "/users/resetUserPassword"; // FP: a URL path, not a password
      

      The logic is to avoid raising an issue when a word-list item is present in both the symbol name and the literal string value.

      std::string PASSED = "passed"; // Compliant
      std::string PASSWORD = "Password"; // Compliant
      std::string PASSWORD_INPUT = "[id='password']"; // Compliant
      std::string PASSWORD_PROPERTY = "custom.password"; // Compliant
      std::string TRUSTSTORE_PASSWORD = "trustStorePassword"; // Compliant
      std::string CONNECTION_PASSWORD = "connection.password"; // Compliant
      std::string RESETPWD = "/users/resetUserPassword"; // Compliant
      

      Empty strings

      Empty strings should not be considered hard-coded passwords.

      std::string EMPTY_PASSWORD = ""; // Compliant
      std::string variable1 = "login=a&password="; // Compliant
      std::string variable2 = "login=a&password= "; // Compliant
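      The heuristic described above, written out as an added C++ example (this is not SonarCFamily's implementation): the word list is matched against the symbol name, blank literals are skipped, and the issue is suppressed when a word-list item also occurs in the literal. It assumes that any word-list item in the literal suppresses the issue, not only the one that matched the symbol, since that is what keeps the RESETPWD sample compliant; the sample declarations in main are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Word list from the ticket; matching is case-insensitive.
static const std::vector<std::string> kWordList = {"password", "passwd", "pwd", "passphrase"};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool containsWordListItem(const std::string& lowered) {
    return std::any_of(kWordList.begin(), kWordList.end(), [&](const std::string& w) {
        return lowered.find(w) != std::string::npos;
    });
}

static bool isBlank(const std::string& s) {
    return std::all_of(s.begin(), s.end(), [](unsigned char c) { return std::isspace(c) != 0; });
}

// True when `symbol = "value"` should be reported as a potential hard-coded password.
bool isHardcodedPasswordCandidate(const std::string& symbol, const std::string& value) {
    // 1. The symbol name must contain a word-list item (PASSWORD_INPUT, RESETPWD, dbPasswd, ...).
    if (!containsWordListItem(toLower(symbol))) return false;
    // 2. Empty or whitespace-only literals are not hard-coded passwords.
    if (isBlank(value)) return false;
    // 3. FP prevention: a word-list item inside the literal means it is most likely a label, property
    //    key or URL fragment. Assumption: any item suppresses (keeps RESETPWD's URL literal compliant).
    if (containsWordListItem(toLower(value))) return false;
    return true;
}

int main() {
    // Constructed declarations: the first is reported, the rest mirror the ticket's compliant samples.
    const char* samples[][2] = {
        {"password", "hunter2"},
        {"PASSWORD_INPUT", "[id='password']"},
        {"RESETPWD", "/users/resetUserPassword"},
        {"EMPTY_PASSWORD", ""},
    };
    for (const auto& s : samples)
        std::printf("%-16s -> %s\n", s[0], isHardcodedPasswordCandidate(s[0], s[1]) ? "issue" : "compliant");
    return 0;
}
```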
      

      People

      Assignee: Geoffray Adde (geoffray.adde)
      Reporter: Ann Campbell (ann.campbell.2)