Hello Java developers,
We enhanced the Java analysis engine so that it detects the case where a hard-coded string is passed to a method that expects a password, a secret, or a key as a parameter. When such a situation is detected, the "credential" is considered leaked: because it is hard-coded, it is visible to anyone who has access to the source code (or to the compiled artifact).
The corresponding rule is:
- S6437: Credentials should not be hard-coded
Here is a harmless example extracted from Tomcat 7 test cases, to illustrate what this rule is capable of:
In this case, rule S6437 knows the signature of KeyStore.load(InputStream stream, char[] password) and knows that its second parameter is a password that should be kept private. Because the second argument is obviously a hard-coded value, the rule can raise a vulnerability with certainty.
Alex
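As an added illustration (not the Tomcat snippet referred to in the post, and not code from the Sonar project), here is a constructed Java class showing the pattern S6437 reports on KeyStore.load(InputStream, char[]) next to a form that keeps the password out of the source. The method names, the file path argument and the environment-variable name are assumptions chosen for the example; the "s3cr3t" literal is a constructed placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;

public class KeyStoreLoading {

    // Noncompliant: the second argument of KeyStore.load resolves to a string
    // literal, so the password ships with the code and S6437 reports it.
    static KeyStore loadWithHardCodedPassword(String keyStorePath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, "s3cr3t".toCharArray()); // constructed placeholder, flagged by S6437
        }
        return ks;
    }

    // Compliant: the password is read at runtime from outside the code base
    // (an environment variable here; a secrets manager or a protected config
    // file works the same way) and the char[] is wiped once the store is open.
    static KeyStore loadWithExternalPassword(String keyStorePath, String envVar) throws Exception {
        String secret = System.getenv(envVar); // assumed variable name, e.g. KEYSTORE_PASSWORD
        if (secret == null || secret.isEmpty()) {
            // Fail closed rather than falling back to a default password.
            throw new IllegalStateException("keystore password not provided in " + envVar);
        }
        char[] password = secret.toCharArray();
        try (InputStream in = new FileInputStream(keyStorePath)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            return ks;
        } finally {
            // KeyStore.load takes a char[] precisely so it can be cleared after use.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KeyStoreLoading /path/to/keystore.p12 KEYSTORE_PASSWORD
        KeyStore ks = loadWithExternalPassword(args[0], args[1]);
        System.out.println("keystore opened, " + ks.size() + " entries");
    }
}
```

The analyzer reasons from the callee's signature, so the noncompliant form is reported regardless of whether the literal is written inline or assigned to a local constant first; what makes the second method compliant is that the value cannot be derived from the source at all, not that it is merely passed through a variable.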