All Downloads are FREE. Search and download functionalities are using the official Maven repository.
  • Log In
  • Register

    • org.sonar.plugins.secrets.configuration.odbc.yaml Maven / Gradle / Ivy

    provider:  
  metadata:
    name: ODBC and JDBC
    category: Database API Standard
    message: Make sure this database password gets changed and removed from the code.
  rules:
    - id: java-datasource-unquoted
      rspecKey: S6703
      metadata:
        name: Database passwords should not be disclosed
      detection:
        pre:
          scopes:
              - main
          include:
            content:
              - datasource
          reject:
            ext:
              - .adoc
              - .example
              - .html
              - .md
              - .mdx
              - .template
            paths:
              - "**/appsettings.Development.json"
              - "**/appsettings.Local.json"
        matching:
          # Matches `*.datasource.*.password=some-password` (where the second `*.` is optional).
          # There also needs to be a `*.datasource.*.username=` nearby.
          pattern: "\\b[0-9a-z_\\-\\.]+\\.datasource(?:\\.[0-9a-z_\\-\\.]+){0,400}\\.password[ \\t]*=[ \\t]*(?!\")([^\\s]+)"
          context:
            patternAround: "\\b[0-9a-z\\._\\-]+\\.datasource(?:\\.[0-9a-z\\._\\-]+){0,400}\\.username[ \\t]*="
        post:
          # Avoid matching values found on SourceGraph that look like dummy passwords or insertions.
          patternNot:
            - "^(?i)test$"
            - "^(?i)pass(word|wd)?$"
            - "^[Xx]{3,}$"
            - "^%[sv]$"
            - "^\\${1,2}\\w+$"
            - "^\\${1,2}[{(]"
      examples:
        - text: |
            spring.datasource.url= jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
            spring.datasource.username=${DB_USER}
            spring.datasource.password=${DB_PASSWORD}
          containsSecret: false
        - text: |
            spring.datasource.driverClassName = com.microsoft.sqlserver.jdbc.SQLServerDriver
            spring.datasource.username = xxx
            spring.datasource.password = xxx
          containsSecret: false
        - text: |
            spring.datasource.url=jdbc:postgresql://localhost:5432/petclinic
            spring.datasource.username=postgres
            spring.datasource.password=petclinic
            spring.datasource.driver-class-name=org.postgresql.Driver
          containsSecret: true
          match: petclinic
        - text: |
            spring.datasource.url=jdbc:postgresql://localhost:5432/petclinic
            spring.datasource.username=postgres
            spring.datasource.password=petclinic
            spring.datasource.driver-class-name=org.postgresql.Driver
          containsSecret: false
          fileName: Doc.adoc
        - text: |
            spring.datasource.driverClassName = org.h2.Driver
            spring.datasource.username = sa
            spring.datasource.password = 123456
          containsSecret: true
          match: "123456"
        - text: |
            app.datasource.cardholder.url=jdbc:mysql://localhost:3306/cardholderdb?createDatabaseIfNotExist=true
            app.datasource.cardholder.username=root
            app.datasource.cardholder.password=P@ssw0rd
            app.datasource.cardholder.driverClassName=com.mysql.cj.jdbc.Driver
          containsSecret: true
          match: P@ssw0rd

    - id: java-datasource-quoted
      rspecKey: S6703
      metadata:
        name: Database passwords should not be disclosed
      detection:
        pre:
          scopes:
            - main
          include:
            content:
              - datasource
          reject:
            ext:
              - .adoc
              - .example
              - .html
              - .md
              - .mdx
              - .template
            paths:
              - "**/appsettings.Development.json"
              - "**/appsettings.Local.json"
        matching:
          # Same as the file java-datasource-unquoted, except that the value is surrounded by double quotes.
          # This starts with a negative lookbehind to see if there's a double quote shortly before the string. This is
          # to prevent false negative matches with code like:
          #   param += " --spring.datasource.url=" + url
          #         + " --spring.datasource.username=" + username
          #         + " --spring.datasource.password=" + password;
          pattern: "(?
            # - %s
            # - {{MyPassword}}
            # - $(mypassword)
            # - ${mypassword}, $${mypassword}
            # - os.getenv("PASS")
            - "(?i)^(\\${1,2}[a-z_]*)?(db|my)?_?pass(word|wd)?"
            - "^\\[[\\w\\t \\-]+\\]$"
            - "^<[\\w\\t -]{1,10}>?"
            - "^\\${1,2}[{(]"
            - "^\\${1,2}\\w+$"
            - "\\$\\{\\w+(:-\\w+)?\\}"
            - "^\\{+[^}]*\\}+$"
            - "^`[a-z]+"
            - "\\b(get)?env(iron)?\\b"
            - "^None$"
            - "^\\${1,2}[a-z_]+pass(word)?$"
            - "^process\\.env\\."
      examples:
        - text: |
            return `jdbc:postgresql://${clone.db.host}:${clone.db.port}/DBNAME?user=${clone.db.username}&password=DBPASSWORD`
          containsSecret: false
        - text: |
            MYSQL_DSN="jdbc:mysql://database-server?user=myuser&password=password&sql_mode=STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION&useSSL=false"
            POSTGRES_DSN="jdbc:postgresql://database-server/mydb?user=myuser&password=password"
          containsSecret: false
        - text: |
            val jdbcDF = sparkSession.read
              .format("jdbc")
              .option("url", "jdbc:postgresql://database-server/mrui?user=mrui&password=password")
              .option("query", "select 123")
              .load()
          containsSecret: false
        - text: |
            ENV JDBC_URL="jdbc:postgresql://database-server/hello_world?user=dbuser&password=P@ssw0rd"
          containsSecret: true
          match: P@ssw0rd
        - text: |
            ENV JDBC_URL="jdbc:postgresql://database-server/hello_world?user=dbuser&password=P@ssw0rd"
          fileName: Doc.example
          containsSecret: false
        - text: |
            val sqlContext = new SQLContext(sc)
            val url = "jdbc:mysql://database-server:3306/retail_db?user=retail_dba&password=P@ssw0rd"
            sqlContext.load("jdbc", Map(
              "url" -> url,
              "dbtable" -> "departments")).collect().foreach(println)
          containsSecret: true
          match: P@ssw0rd
        - text: |
            connection_string = f"jdbc:mysql://localhost:3306/{d}?user={u}&password={p}"
          containsSecret: false

    - id: odbc-connection-string
      rspecKey: S6703
      metadata:
        name: Database passwords should not be disclosed
      detection:
        pre:
          scopes:
            - main
          include:
            content:
              - password
              - pwd
          reject:
            ext:
              - .adoc
              - .example
              - .html
              - .md
              - .mdx
              - .template
            paths:
              - "**/appsettings.Development.json"
              - "**/appsettings.Local.json"
        matching:
          # Connection strings are key=value pairs separated by semicolons. Keys are case-insensitive.
          # The password parameter can be either "password" or "pwd".
          # There must also be a username parameter ("user id" or "uid") and one other parameter that's used to indicate
          # which database to use.
          pattern: "(?i)[;\"](?:password|pwd)=([^;\"'\\r\\n]+)[;\"'\\r\\n]"
          context:
            matchEach:
              - patternAround: "(?i)\\b(?:user id|uid)="
              - matchEither:
                - patternAround: "(?i)\\bprovider="
                - patternAround: "(?i)\\bdata source="
                - patternAround: "(?i)\\binitial catalog="
                - patternAround: "(?i)\\bdatabase="
        post:
          # Avoid matching values found on SourceGraph that look like dummy passwords or insertions.
          patternNot:
            - "^(?i)test$"
            - "^(?i)pass(word|wd)?$"
            - "^(?i)pwd"
            - "^\\[?PLACEHOLDER\\]?$"
            - "^%[sv]$"
            - "^\\*{3,}$"
            - "^\\#\\{"
            - "^\\{{2,}"
            # Support for full and partial substitution
            - "\\{+[^}]++\\}+"
            # Azure RM templates
            - "parameters\\(+[^)]*\\)++"
            # Variable substitution
            - "\\{+[^}]*\\}++"
            # Potential FPs here are environment variables, templates and string substitutions, such as
            # - $my_password, $$my_password
            # - $db_password
            # - [mypass123]
            # - 
            # - %s
            # - {{MyPassword}}
            # - $(mypassword)
            # - ${mypassword}, $${mypassword}
            # - os.getenv("PASS")
            # - os.environ['PASS']
            - "(?i)^(\\${1,2}[a-z_]*)?(db|my)?_?pass(word|wd)?"
            - "^\\[[\\w\\t \\-]+\\]$"
            - "^<[\\w\\t -]{1,10}>?"
            - "^\\${1,2}[{(]"
            - "^\\${1,2}\\w+$"
            - "\\$\\{\\w+(:-\\w+)?\\}"
            - "^\\{+[^}]*\\}+$"
            - "^`[a-z]+"
            - "\\b(get)?env(iron)?\\b"
            - "^None$"
            - "^\\${1,2}[a-z_]+pass(word)?$"
            - "^process\\.env\\."
      examples:
        - text: |
            server   = self.configuration.get('server', '')
            user     = self.configuration.get('user', '')
            password = self.configuration.get('password', '')
            db       = self.configuration['example']
            port     = self.configuration.get('port', 1337)
            charset  = self.configuration.get('charset', 'UTF-8')
            driver   = self.configuration.get('driver', '{Example}')

            conn = 'DRIVER = {};PORT = {};SERVER = {};DATABASE = {};UID = {};PWD = {}'
            conn = conn.format(driver, port, server, db, user, password)
          containsSecret: false

        - text: |
            $dbname = 'DRIVER={IBM DB2 ODBC DRIVER}' .
                     ';DATABASE=' . $this->_config['dbname'] .
                     ';HOSTNAME=' . $this->_config['host'] .
                     ';PORT='     . $this->_config['port'] .
                     ';PROTOCOL=' . $this->_config['protocol'] .
                     ';UID='      . $this->_config['username'] .
                     ';PWD='      . $this->_config['password'] .';';
          containsSecret: false

        - text: |
              "ConnectionStrings": {
                "DefaultConnection": "Server=tcp:url.windows.example.com,1433;Initial Catalog=sql-example;Persist Security Info=False;User ID={EXAMPLE_USER};Password={PASSWORD_HERE};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=60;"
                "sqlConnectionString": "concat('Data Source=',parameters('a'),';Initial Catalog=',parameters('b'),';User ID=',parameters('c'),';Password=',parameters('d'))"
              },
          containsSecret: false

        - text: |
            connStr := fmt.Sprintf("server=%s;database=%s;user id=%s;password=%s;",
              addr.Host,
              dsInfo.Database,
              dsInfo.User,
              dsInfo.DecryptedSecureJSONData["password"],
            )
          containsSecret: false
        - text: |
            
          containsSecret: false
        - text: |
            // rspec noncompliant example
            public static string ConnectionString = "server=database-server;uid=user;pwd=P@ssw0rd;database=ProductionData";
          containsSecret: true
          match: P@ssw0rd
        - text: |
            // rspec noncompliant example
            public static string ConnectionString = "server=database-server;uid=user;pwd=P@ssw0rd;database=ProductionData";
          fileName: Doc.html
          containsSecret: false
        - text: |
            // rspec compliant example
            public static string ConnectionString = String.format(
                "server=database-server;uid=user;pwd=%s;database=ProductionData",
                System.getenv("DB_PASSWORD")
            )
          containsSecret: false
        - text: |
            env:
              OrchardCore__ConnectionString: "server=database-server;uid=root;pwd=test123;database=test"
              OrchardCore__DatabaseProvider: "MySql"
          containsSecret: true
          match: test123
        - text: |
            connection_string = (
              f"Driver={{ODBC Driver 18 for SQL Server}};"
              f"Server={os.environ.get('DATABASE_HOST')};"
              f"Database={os.environ.get('DATABASE_NAME')};"
              f"UID={os.environ.get('DATABASE_UID')};"
              f"PWD={os.environ.get('DATABASE_PASS')};"
            )
          containsSecret: false




    © 2015 - 2025 Weber Informatics LLC | Privacy Policy