SonarCFamily / CPP-2852

Add more hard-coded password detection patterns


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.15
    • Fix Version/s: None
    • Component/s: C, C++, Objective-C
    • Labels: None

      Description

      Hard-coded passwords are currently detected in a limited set of cases (cf. RSPEC).
      Three cases might be evaluated and possibly added:

      • Macros: they are very often used as global variables, especially in C.
        #define PASSWD secret
        
      • For function calls, we could apply the rule to the names of parameters (which are a sort of variable). This could catch hard-coded credentials in calls.
        int connect( const std::string& Url, const std::string& Passwd);
        ...
        connect("124.234.56.7", "secret"); // "secret" is used for parameter Passwd, so we should raise an issue there
        
      • Still for the case of hard-coded credentials in function calls: some libraries/frameworks do something like set(PASSWD, "secret"). So flagging such function calls, where an enum value named with "passwd" is followed by a literal, could work.
        curl_easy_setopt(easyhandle, CURLOPT_USERPWD, "myname:thesecret");
        
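As an added illustration (not SonarCFamily's own code), a small Python scanner that approximates the three proposed patterns with regexes over constructed sample source; the function names, the "passwd"/"pwd" name heuristic and the sample lines are assumptions made for this example:

```python
import re
# Heuristic scanner for the three detection patterns proposed in this ticket. Added
# example, not SonarCFamily code: regexes stand in for the analyzer's AST, so it
# expects one declaration or call per line and no nested call arguments.
PWD_NAME = re.compile(r"(?i)passw(or)?d|pwd")    # credential-like identifier (assumed heuristic)
STRING_LIT = re.compile(r'^"(?:[^"\\]|\\.)*"$')   # a C/C++ string literal
MACRO = re.compile(r"^\s*#\s*define\s+(\w+)\s+(\S.*)$")
DECL = re.compile(r"^\s*(?:[\w:]+(?:\s*[&*])?\s+)+(\w+)\s*\(([^)]*)\)\s*;")
CALL = re.compile(r"\b(\w+)\s*\(([^()]*)\)")
ARG = re.compile(r'\s*"(?:[^"\\]|\\.)*"\s*|[^,]+')  # a string literal or a comma-free run

def split_args(text):
    """Split an argument list on commas, keeping commas inside string literals."""
    return [a.strip() for a in ARG.findall(text) if a.strip()]

def param_name(param):
    words = re.findall(r"\w+", param)   # "const std::string& Passwd" -> "Passwd"
    return words[-1] if words else ""

def scan(source):
    """Return (line, pattern, identifier) for each suspected hard-coded password."""
    findings, decls = [], {}
    for no, line in enumerate(source.splitlines(), 1):
        if m := MACRO.match(line):       # case 1: #define PASSWD secret
            if PWD_NAME.search(m.group(1)) and not m.group(2).isdigit():
                findings.append((no, "macro", m.group(1)))
            continue
        if m := DECL.match(line):        # remember credential-named parameter positions
            params = split_args(m.group(2))
            decls[m.group(1)] = {i for i, p in enumerate(params) if PWD_NAME.search(param_name(p))}
            continue
        for name, raw in CALL.findall(line):
            args = split_args(raw)
            for i in decls.get(name, ()):   # case 2: literal bound to a Passwd parameter
                if i < len(args) and STRING_LIT.match(args[i]):
                    findings.append((no, "parameter", name))
            for j in range(len(args) - 1):  # case 3: PASSWD-like enum followed by a literal
                if args[j].isidentifier() and PWD_NAME.search(args[j]) and STRING_LIT.match(args[j + 1]):
                    findings.append((no, "option", args[j]))
    return findings

# Constructed sample: the ticket's three cases plus lines that must not fire.
SAMPLE = """#define PASSWD secret
#define PASSWD_MAX_LEN 64
int connect(const std::string& Url, const std::string& Passwd);
connect("124.234.56.7", "secret");
connect("124.234.56.7", passwd_from_env);
curl_easy_setopt(easyhandle, CURLOPT_USERPWD, "myname:thesecret");
curl_easy_setopt(easyhandle, CURLOPT_URL, "https://example.invalid");
"""
```

Running scan(SAMPLE) reports lines 1, 4 and 6 only; the numeric macro, the variable argument and the non-credential option are left alone.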

      People

      Assignee: Unassigned
      Reporter: Geoffray Adde (geoffray.adde)