Finding hard coded passwords

security
rules

(Boris) #1

Hello,
I am trying to understand if it is possible to find hard coded passwords in code with SQ? Has anybody used SQ for this purpose? If so, can you please tell how it works? Just looking for some variables like “PWD” or “PASSWORD”, or using more sophisticated methodologies?

thanks in advance.


(Adam Gabryś) #2

SonarSource provides a rule for such purposes: Credentials should not be hard-coded.


(Nicolas Peru) #3

And you can check the implementation to see it is quite a naive/brute-force approach in Java: https://github.com/SonarSource/sonar-java/blob/dfdf526f4b3446e181e6a869be9410400ce0499e/java-checks/src/main/java/org/sonar/java/checks/HardCodedCredentialsCheck.java


(Boris) #4

Yeap… I understand that it is the best we can do with SC, right? No sophisticated methodology…

Thanks.


(Nicolas Peru) #5

I am not sure what you are looking for, but to find hardcoded passwords there can only be so many techniques to highlight pieces of code where something is hardcoded.

Could you eventually clarify what you have in mind?


(Boris) #6

The thing is I don't have something well defined in mind. What I know is: I have to find hardcoded passwords with maximum accuracy. This is the requirement.

The only solution I can think of is what you suggested: search for pieces of code. But it is obvious that still some passwords may be missed and there may be false positives.

So I am wondering, maybe there is a better way or technique that I just can't think of.

Just to give an example; some time ago I was trying to find and classify code files according to the programming languages those codes were programmed with. The only way I could think of was looking at the extension of the file name. But after some research on the internet I found an algorithm. With this algorithm it was possible to train the code with sample code pieces, and then the code was able to find the programming languages used with 95% accuracy.

Hope this explains.
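
As an added illustration (not from this thread and not SonarSource's code), the following Python sketch implements the kind of identifier-plus-string-literal heuristic Nicolas describes in #3 and runs it over a few constructed Java lines, so that the misses and false positives Boris raises in #6 are visible in the output. The credential word list, the regular expression and the sample lines are all assumptions made for this example; the real SonarJava rule keeps its own (configurable) word list and works on the parsed syntax tree rather than on raw text.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifier fragments that suggest a credential. Hypothetical list for this
# example only; a real rule would make this configurable.
CREDENTIAL_WORDS = ("password", "passwd", "pwd", "secret")

# Matches  <identifier> = "<string literal>"  and captures both parts.
# Handles backslash-escaped quotes inside the literal.
_ASSIGN_RE = re.compile(
    r'\b(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"\\]*(?:\\.[^"\\]*)*)"'
)

# Constructed Java lines (not taken from any real project). Each line is
# chosen to exercise one behaviour of the naive check.
SAMPLE_JAVA = """\
String password = "s3cr3t";
String pwd = "";
private static final String DB_PASSWD = "hunter2";
String passwordFile = "/etc/app/pass.txt";
String pass = System.getenv("APP_PASSWORD");
connect("jdbc:mysql://db", "admin", "letmein");
"""


@dataclass(frozen=True)
class Finding:
    line: int
    name: str
    value: str


def _looks_like_credential_name(name: str) -> bool:
    """True when the identifier contains one of the credential words."""
    lowered = name.lower()
    return any(word in lowered for word in CREDENTIAL_WORDS)


def find_hardcoded_credentials(source: str) -> list[Finding]:
    """Scan source text line by line for credential-named string assignments.

    Limits of the approach, visible on SAMPLE_JAVA:
      * line 4 is a false positive (a file path, not a secret);
      * line 6 is a false negative (the secret is a positional argument,
        never assigned to a suggestively named variable);
      * line 2 is skipped because an empty literal discloses nothing.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _ASSIGN_RE.finditer(line):
            name, value = match.group("name"), match.group("value")
            if not _looks_like_credential_name(name):
                continue
            if value == "":
                continue  # empty string: nothing hardcoded yet
            findings.append(Finding(lineno, name, value))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_JAVA):
        print(f"line {finding.line}: {finding.name} = {finding.value!r}")
```

Running it on the constructed sample reports lines 1, 3 and 4 and stays silent on line 6, which is exactly the trade-off discussed in the thread: a text-level heuristic can only flag what is syntactically attached to a suspicious name, so its accuracy is bounded by the naming conventions of the code under review.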