org.sonar.l10n.java.rules.squid.S2068.html
Because string constants survive compilation unchanged (a Java class file keeps them in its constant pool, where any decompiler or even a plain strings scan will find them), credentials should never be hard-coded. Do so, and they are almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed, where every copy of the binary carries the secret and rotating it requires shipping a new build.
Credentials should be stored outside of the code, in a strongly protected, encrypted configuration file or database, and retrieved at runtime.
Noncompliant Code Example
Connection conn = null;
try {
  // Credentials embedded in the JDBC URL literal
  conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
        "user=steve&password=blue"); // Noncompliant

  // Same problem: the constants are still compiled into the class file
  String uname = "steve";
  String password = "blue";
  conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
        "user=" + uname + "&password=" + password); // Noncompliant
} catch (SQLException e) {
  // handle the error
}
Compliant Solution
Connection conn = null;
try {
  // Credentials are fetched from protected storage outside the code
  String uname = getEncryptedUser();
  String password = getEncryptedPass();
  conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
        "user=" + uname + "&password=" + password);
} catch (SQLException e) {
  // handle the error
}
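The compliant solution above still sends the user name and password inside the JDBC URL, where they can surface in connection-pool logging or in the message of a SQLException. The following is an added example, not part of the Sonar rule text: it loads the credentials from the environment, or from a properties file that is refused if other users can read it, and hands them to the driver through a Properties object so they never appear in the URL. The variable names DB_USER, DB_PASSWORD and DB_CREDENTIALS_FILE, the class name, and the presence of a MySQL driver on the classpath are assumptions; the page's getEncryptedUser/getEncryptedPass helpers are not defined on the page, so decryption or a secret-manager call is not shown and would take the place of the plain file read.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

/** Added example (not Sonar's code): database credentials kept outside the code. */
public final class ExternalCredentials {

    private ExternalCredentials() {}

    /**
     * Reads DB_USER / DB_PASSWORD from the environment (assumed names), falling
     * back to a properties file whose path is given by DB_CREDENTIALS_FILE.
     * Nothing here is a compile-time constant, so nothing ends up in the class file.
     */
    static Properties loadCredentials() throws IOException {
        Properties props = new Properties();
        String user = System.getenv("DB_USER");
        String password = System.getenv("DB_PASSWORD");
        if (user != null && password != null) {
            props.setProperty("user", user);
            props.setProperty("password", password);
            return props;
        }
        String file = System.getenv("DB_CREDENTIALS_FILE");
        if (file == null) {
            throw new IOException("no credentials: set DB_USER/DB_PASSWORD or DB_CREDENTIALS_FILE");
        }
        Path path = Paths.get(file);
        checkPermissions(path);
        // In a real deployment this is where the file would be decrypted or
        // the secret fetched from a vault; the page's helpers are not defined, so a plain load is shown.
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        }
        if (props.getProperty("user") == null || props.getProperty("password") == null) {
            throw new IOException("credentials file " + file + " lacks user/password");
        }
        return props;
    }

    /** Refuse a credentials file that is group- or world-readable (POSIX file systems only). */
    static void checkPermissions(Path path) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException(path + " must not be group/world readable");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): ACL checking is out of scope for this example.
        }
    }

    /** Opens a connection with the credentials passed as properties, not in the URL. */
    static Connection connect(String url) throws IOException, SQLException {
        Properties props = loadCredentials();
        // The URL now carries no secret, so URL logging and driver error
        // messages that echo the URL cannot leak the password.
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws Exception {
        try (Connection conn = connect("jdbc:mysql://localhost/test")) {
            System.out.println("connected as " + conn.getMetaData().getUserName());
        }
    }
}
```

Run it as `DB_USER=steve DB_PASSWORD=... java ExternalCredentials`, or point DB_CREDENTIALS_FILE at a properties file created with mode 600 containing `user=` and `password=` lines. Passing the credentials through Properties rather than string concatenation into the URL is the part worth keeping even if the storage mechanism changes.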
See
- MITRE, CWE-798 - Use of Hard-coded Credentials
- MITRE, CWE-259 - Use of Hard-coded Password
- SANS Top 25 - Porous Defenses
- OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
- Derived from FindSecBugs rule Hard Coded Password