RSPEC-2068: Hard-coded credentials are security-sensitive

    Details

    • Message:
      "xxxxx" detected in this variable name, review this potentially hard-coded credential.
    • List of parameters:
      • Key : credentialWords
      • Description : Comma separated list of words identifying potential credentials
      • Default value : password, passwd, pwd
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, Cobol, Flex, Objective-C, PL/I, PL/SQL, Python, RPG, VB6
    • Covered Languages:
      ABAP, C#, Go, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift, T-SQL, TypeScript, VB.Net
    • Irrelevant for Languages:
      HTML, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CERT:
      MSC03-J.
    • CWE:
      CWE-798, CWE-259
    • OWASP:
      A2
    • SANS Top 25:
      Porous Defenses
    • FindBugs:
      DMI_CONSTANT_DB_PASSWORD
    • FindSecBugs:
      HARD_CODE_PASSWORD
    • TSLint-SonarTS:
      no-hardcoded-credentials

      Description

      Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

      In the past, it has led to the following vulnerabilities:

      Credentials should be stored outside of the code in a configuration file, a database or secret management service.

      This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.

      It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ...

      Ask Yourself Whether

      • Credentials allow access to a sensitive component like a database, a file storage, an API or a service.
      • Credentials are used in production environments.
      • Application re-distribution is required before updating the credentials.

      You are at risk if you answered yes to any of these questions.

      Recommended Secure Coding Practices

      • Store the credentials in a configuration file that is not pushed to the code repository.
      • Store the credentials in a database.
      • Use the secret management service of your cloud provider.
      • If a password has been disclosed through the source code: change it.
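      The following is an added example, not code from the rule specification or from SonarSource's analyzers. It illustrates the two checks the description names (a variable whose name contains one of the `credentialWords` being assigned a string literal, and a credential key inside a connection string) with a deliberately simplified line-based matcher, and contrasts it with the recommended pattern of loading the credential from the environment. The regular expressions, the `find_hardcoded_credentials` and `load_credential` names, and the sample source are all assumptions made for this illustration; the real rule works on the language's syntax tree.

```python
import os
import re

# Default value of the rule's credentialWords parameter (comma separated in the rule).
CREDENTIAL_WORDS = ("password", "passwd", "pwd")

# Assumed simplification: `<name> = "<literal>"` on a single line.
_ASSIGN_RE = re.compile(
    r'^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*'
    r'(?P<quote>["\'])(?P<value>.+?)(?P=quote)\s*$'
)
# Assumed simplification of the connection-string check: key=value pairs
# inside a string literal, e.g. "Server=db;User=app;Password=..."
_CONN_RE = re.compile(r'(?P<key>[A-Za-z_]+)\s*=\s*(?P<value>[^;"\' ]+)')
_STRING_LITERAL_RE = re.compile(r'["\']([^"\']*)["\']')


def find_hardcoded_credentials(source, credential_words=CREDENTIAL_WORDS):
    """Return (line_number, name, kind) for each suspected hard-coded credential.

    kind is "variable" when a credential-like variable name is assigned a
    string literal, and "connection-string" when a credential key appears
    as key=value inside a string literal on that line.
    """
    words = tuple(w.strip().lower() for w in credential_words)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = _ASSIGN_RE.match(line)
        if match:
            name = match.group("name")
            if any(word in name.lower() for word in words):
                findings.append((lineno, name, "variable"))
                continue
        # Not a flagged assignment: look for credential keys in any literal.
        for literal in _STRING_LITERAL_RE.findall(line):
            for pair in _CONN_RE.finditer(literal):
                if pair.group("key").lower() in words:
                    findings.append((lineno, pair.group("key"), "connection-string"))
    return findings


def load_credential(name, env=None):
    """Recommended pattern: read the secret from outside the code base.

    Fails loudly when the variable is missing instead of falling back to a
    default written into the source.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"credential {name} is not configured")
    return value


# Constructed sample source, not taken from any real project.
SAMPLE_SOURCE = """\
import os
db_password = "hunter2"
passwd = os.environ["DB_PASSWORD"]
conn = "Server=db.example.internal;User=app;Password=hunter2"
host = "db.example.internal"
"""

if __name__ == "__main__":
    for lineno, name, kind in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f'line {lineno}: "{name}" detected ({kind}), review this potentially hard-coded credential')
```

Lines 2 and 4 of the sample are reported; line 3 is not, because the value is read from the environment rather than written as a literal. Passing a longer `credential_words` tuple (for instance adding "secret" or "token", as the description suggests) widens the variable-name check without touching the matcher.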

      See


          Issue Links

          1. Java RSPEC-2069 (Language-Specification, Active, Unassigned)
          2. Swift RSPEC-2855 (Language-Specification, Active, Unassigned)
          3. PHP RSPEC-2965 (Language-Specification, Active, Unassigned)
          4. Cobol RSPEC-3383 (Language-Specification, Active, Unassigned)
          5. C# RSPEC-4020 (Language-Specification, Active, Unassigned)
          6. Go RSPEC-4513 (Language-Specification, Active, Unassigned)
          7. Kotlin RSPEC-4691 (Language-Specification, Active, Unassigned)
          8. ABAP RSPEC-4811 (Language-Specification, Active, Unassigned)
          9. VB.NET RSPEC-4877 (Language-Specification, Active, Unassigned)
          10. Apex RSPEC-5023 (Language-Specification, Active, Unassigned)
          11. Python RSPEC-5538 (Language-Specification, Active, Unassigned)
          12. JavaScript RSPEC-5591 (Language-Specification, Active, Unassigned)
          13. Xml RSPEC-5683 (Language-Specification, Active, Unassigned)


              People

              • Reporter:
                ann.campbell.2 Ann Campbell