
Java analysis is less noisy when detecting hard-coded credentials (S2068)


    Details

    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:

      Description

      WHY

      See EPIC MMF-1932

      WHAT

      Filter False-Positives

      The goal is to add logic to the rule so that the most obvious false positives (FPs) are filtered out:

      • Empty string SONARJAVA-3251
        String password = ""; // Compliant
        String pwd = ""; // Compliant
        
      • Strings that themselves contain the word-list item (likely string constants, not secrets) SONARJAVA-3252
        String password = "Password"; // Compliant
        String pwd = "pwd"; // Compliant

        public class S2068 {

          private static final String PASSWORD = "Password"; // Compliant
          private static final String PASSWORD_INPUT = "[id='password']"; // Compliant
          private static final String PASSWORD_PROPERTY = "custom.password"; // Compliant
          private static final String TRUSTSTORE_PASSWORD = "trustStorePassword"; // Compliant
          private static final String CONNECTION_PASSWORD = "connection.password"; // Compliant
          private static final String RESET_PASSWORD = "/users/resetUserPassword"; // Compliant

          // ...
        }

      • Database query parameters SONARJAVA-3253
        String query1 = "password=?"; // Compliant
        String query2 = "password=:password"; // Compliant
        String query3 = "password=:param"; // Compliant
        String query4 = "password='"+pwd+"'"; // Compliant
        String query5 = "password=%s"; // Compliant
        

      Support URL user info

      SONARJAVA-3248

      The user-info component of a URL (the part before "@") can carry a hard-coded password:

      String url1 = "scheme://user:azerty123@domain.com"; // Sensitive
      String url2 = "scheme://user:@domain.com"; // Compliant
      String url3 = "scheme://user@domain.com:80"; // Compliant
      String url4 = "scheme://user@domain.com"; // Compliant
      String url5 = "scheme://domain.com/user:azerty123"; // Compliant
      

      HOW

      See linked tickets.
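      As an added example (not part of this ticket or of the SonarJava implementation), the following Python checker applies the four filters described above to Java source lines and reproduces the Compliant/Sensitive labels given in the ticket. The credential word list, the placeholder patterns and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Credential words the rule keys on; assumed here, the real SonarJava list is configurable.
CREDENTIAL_WORDS = ("password", "passwd", "pwd", "passphrase")
DECL_RE = re.compile(r'String\s+(\w+)\s*=\s*(.+?)\s*;')      # String name = <rhs>;
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')               # every "..." literal in rhs
KEY_VALUE_RE = re.compile(r"(?:%s)\s*=\s*(.*)" % "|".join(CREDENTIAL_WORDS), re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"^(\?|:\w+|%s|'?)$")             # ?, :param, %s, or a dangling quote

def contains_credential_word(text):
    return any(word in text.lower() for word in CREDENTIAL_WORDS)

def url_has_password(literal):
    # SONARJAVA-3248: only the user-info part before '@' counts; "host/user:secret" is a path.
    netloc = urlsplit(literal).netloc if "://" in literal else ""
    userinfo = netloc.rsplit("@", 1)[0] if "@" in netloc else ""
    return ":" in userinfo and userinfo.split(":", 1)[1] != ""

def classify(line):
    """'Sensitive' or 'Compliant' for a Java String declaration, None for any other line."""
    m = DECL_RE.search(line)
    if not m:
        return None
    name, literals = m.group(1), LITERAL_RE.findall(m.group(2))
    if not literals:
        return "Compliant"                  # value comes from an expression, not a literal
    first = literals[0]                     # in "password='"+pwd+"'" only the leading literal matters
    if url_has_password(first):
        return "Sensitive"
    kv = KEY_VALUE_RE.search(first)
    if kv:                                  # SONARJAVA-3253: "password=..." inside the literal
        return "Compliant" if PLACEHOLDER_RE.match(kv.group(1)) else "Sensitive"
    if contains_credential_word(name) and first and not contains_credential_word(first):
        return "Sensitive"                  # e.g. String password = "azerty123";
    return "Compliant"                      # SONARJAVA-3251/3252: empty, or a constant naming a key

SAMPLES = [  # constructed: the ticket's cases plus two lines that should still be reported
    ('String password = ""; // Compliant', "Compliant"),
    ('private static final String PASSWORD_INPUT = "[id=\'password\']";', "Compliant"),
    ('private static final String RESET_PASSWORD = "/users/resetUserPassword";', "Compliant"),
    ('String query4 = "password=\'"+pwd+"\'";', "Compliant"),
    ('String url1 = "scheme://user:azerty123@domain.com";', "Sensitive"),
    ('String url5 = "scheme://domain.com/user:azerty123";', "Compliant"),
    ('String password = "azerty123";', "Sensitive"),
    ('String query = "password=s3cret";', "Sensitive"),
]

def mismatches():
    return [(l, e, classify(l)) for l, e in SAMPLES if classify(l) != e]
```

      `mismatches()` returns an empty list when every sample is classified as labelled; the same filters can be loosened or tightened by editing the word list and the placeholder pattern.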

              People

              Assignee: Pierre-Loup Tristant (pierre-loup.tristant)
              Reporter: Pierre-Loup Tristant (pierre-loup.tristant)
              Votes: 0
              Watchers: 1
