Modify rule S2068: Focus on passwords only (#4542)

SonarSource · Nov 27, 2024 · dc4e9af · dc4e9af
1 parent c284c59
commit dc4e9af
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 11 deletions.
diff --git a/rules/S2068/javascript/metadata.json b/rules/S2068/javascript/metadata.json
@@ -1,4 +1,5 @@
 {
+  "title": "Hard-coded passwords are security-sensitive",
   "defaultQualityProfiles": [
     "Sonar way"
   ]

diff --git a/rules/S2068/javascript/rule.adoc b/rules/S2068/javascript/rule.adoc
@@ -1,16 +1,37 @@
-include::../description.adoc[]
+Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.
 
-include::../ask-yourself.adoc[]
 
-include::../recommended.adoc[]
+In the past, it has led to the following vulnerabilities:
+
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]
+
+Passwords should be stored outside of the code in a configuration file, a database, or a management service for passwords.
+
+
+This rule flags instances of hard-coded passwords used in database and LDAP connections. It looks for hard-coded passwords in connection strings, and for variable names that match any of the patterns from the provided list.
+
+== Ask Yourself Whether
+
+* Passwords allow access to a sensitive component like a database, a file storage, an API or a service.
+* Passwords are used in production environments.
+* Application re-distribution is required before updating the passwords.
+
+There is a risk if you answered yes to any of those questions.
+
+== Recommended Secure Coding Practices
+
+* Store the passwords in a configuration file that is not pushed to the code repository.
+* Store the passwords in a database.
+* Use your cloud provider's service for managing passwords.
+* If a password has been disclosed through the source code: change it.
 
 == Sensitive Code Example
 
 ----
-var mysql = require('mysql');
+const mysql = require('mysql');
 
-var connection = mysql.createConnection(
-{
+const connection = mysql.createConnection({
   host:'localhost',
   user: "admin",
   database: "project",
@@ -25,9 +46,9 @@ connection.connect();
 
 [source,javascript]
 ----
-var mysql = require('mysql');
+const mysql = require('mysql');
 
-var connection = mysql.createConnection({
+const connection = mysql.createConnection({
   host: process.env.MYSQL_URL,
   user: process.env.MYSQL_USERNAME,
   password: process.env.MYSQL_PASSWORD,
@@ -36,17 +57,37 @@ var connection = mysql.createConnection({
 connection.connect();
 ----
 
-include::../see.adoc[]
+== See
+
+* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
+* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
+* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
+* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]
+
 
 ifdef::env-github,rspecator-view[]
 
 '''
 == Implementation Specification
 (visible only on this page)
 
-include::../message.adoc[]
+=== Message
+
+Review this potentially hard-coded password.
+
+
+=== Parameters
+
+.passwordWords
+****
+
+----
+password, passwd, pwd, passphrase
+----
+
+Comma separated list of words identifying potential password
+****
 
-include::../parameters.adoc[]
 
 '''
 == Comments And Links