Add rules for hardcoded passwords used in various functions
ericwb commented
Is your feature request related to a problem? Please describe.
Secrets such as passwords should never be hard-coded in the source code.
Describe the solution you'd like
Detect the password if certain function parameters resolve to a literal string value.
CWE-259
Describe alternatives you've considered
Could grep for all strings, but could result in many false positives.
Additional context
- java.net.PasswordAuthentication
- java.sql.DriverManager.getConnection
- javax.crypto.spec.PBEKeySpec
- javax.mail.Authenticator
- javax.security.auth.kerberos.KerberosKey
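A small detector for the rule requested above, added here as an example that is not part of the issue or of the project's code: it scans Java source text for the listed sinks (javax.mail.Authenticator is covered through the PasswordAuthentication its subclasses return), checks whether the password argument is a string literal, and also follows a local String/char[] variable that was assigned a literal, which is the "resolve to a literal" part of the request. The regex-based parsing, the argument positions and the Java snippet are my own constructions.

```python
import re
# Sinks from the issue -> 0-based position of the password argument in the
# JDK/JavaMail signature (assumed from the documented constructors/methods).
SINKS = {
    "PasswordAuthentication": 1,       # new PasswordAuthentication(user, password)
    "DriverManager.getConnection": 2,  # getConnection(url, user, password)
    "PBEKeySpec": 0,                   # new PBEKeySpec(password, ...)
    "KerberosKey": 1,                  # new KerberosKey(principal, password, algorithm)
}
LITERAL = re.compile(r'^"[^"]*"(?:\.toCharArray\(\))?$')
# `String pw = "...";` / `char[] pw = "...".toCharArray();` -> (name, literal)
ASSIGN = re.compile(r'(?:final\s+)?(?:String|char\s*\[\s*\])\s+(\w+)\s*=\s*("[^"]*"(?:\.toCharArray\(\))?)\s*;')

def split_args(text):
    """Split the text between a call's parentheses on top-level commas."""
    args, cur, depth, in_str = [], "", 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "([":
            depth += 1
        elif not in_str and ch in ")]":
            depth -= 1
        elif not in_str and ch == "," and depth == 0:
            args, cur = args + [cur.strip()], ""
            continue
        cur += ch
    return args + [cur.strip()] if cur.strip() else args

def find_hardcoded_passwords(java_src):
    """(line, sink, argument) for each password argument that is a literal or a local variable assigned one."""
    literals, findings = dict(ASSIGN.findall(java_src)), []
    for sink, pos in SINKS.items():
        for m in re.finditer(r"(?<!\w)" + re.escape(sink) + r"\s*\(", java_src):
            start, end, depth = m.end(), m.end(), 1
            while end < len(java_src) and depth:      # scan to the matching ')'
                depth += {"(": 1, ")": -1}.get(java_src[end], 0)
                end += 1
            args = split_args(java_src[start:end - 1])
            arg = args[pos] if pos < len(args) else ""
            if LITERAL.match(literals.get(arg.split(".")[0], arg)):  # follow pw = "..."
                findings.append((java_src.count("\n", 0, m.start()) + 1, sink, arg))
    return sorted(findings)

# Constructed Java snippet: lines 2, 3 and 5 should be flagged, line 4 should not.
SAMPLE = ('final String pw = "hunter2";\n'
          'Connection c = DriverManager.getConnection(url, "app", pw);\n'
          'return new PasswordAuthentication(user, "letmein".toCharArray());\n'
          'PBEKeySpec ok = new PBEKeySpec(System.console().readPassword());\n'
          'KerberosKey k = new KerberosKey(principal, "krbpass".toCharArray(), "AES256");\n')
```

The literal-resolution step is what keeps the rule tighter than grepping every string, since only values that actually reach a password parameter are reported.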