The Java analysis detects more precisely hard-coded passwords

Hello Java developers,

We enhanced the Java analysis engine so it detects the case where a hard-coded string is provided to a method that expects as a parameter a password, a secret, or a key. When such a situation is detected, the “credential” is considered as leaked because it is hard-coded in the code and so it is visible to anyone having access to the code.

The corresponding rule is:

  • S6437: Credentials should not be hard-coded

Here is a harmless example extracted from Tomcat 7 test cases, to illustrate what this rule is capable of:

In this case, the rule S6437 knows the KeyStore.load(InputStream stream, char[] password) signature and it expects as a second parameter a password that should be kept private. Because of that, the rule can raise for sure a vulnerability because here obviously the second parameter is hard-coded.