Merge pull request #5852 from luchua-bc/java/hardcoded-azure-credential

Java: CWE-798 Query to detect hard-coded Azure credentials
2025-12-24 04:36:35 +01:00 · 2021-09-30 14:11:29 +01:00
parent c1c63d0c28 7af1984348
commit 60a023d064
18 changed files with 896 additions and 6 deletions
--- a/java/ql/src/Security/CWE/CWE-798/SensitiveApi.qll
+++ b/java/ql/src/Security/CWE/CWE-798/SensitiveApi.qll
@@ -129,8 +129,7 @@ private predicate javaApiCallablePasswordParam(string s) {
  s = "sun.tools.jconsole.ProxyClient;ProxyClient(String, int, String, String);3" or
  s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, int, String, String);3" or
  s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, String, String);2" or
-  s = "sun.tools.jconsole.ProxyClient;getCacheKey(String, int, String, String);3" or
-  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);1"
+  s = "sun.tools.jconsole.ProxyClient;getCacheKey(String, int, String, String);3"
 }

 /**
@@ -201,8 +200,7 @@ private predicate javaApiCallableUsernameParam(string s) {
  s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, String, String);1" or
  s = "sun.tools.jconsole.ProxyClient;getConnectionName(String, String);1" or
  s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, int, String, String);2" or
-  s = "sun.tools.jconsole.ProxyClient;getConnectionName(String, int, String);2" or
-  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);0"
+  s = "sun.tools.jconsole.ProxyClient;getConnectionName(String, int, String);2"
 }

 /**
@@ -510,5 +508,10 @@ private predicate otherApiCallableCredentialParam(string s) {
  s =
    "org.springframework.security.core.userdetails.User;User(String, String, boolean, boolean, boolean, boolean, Collection<? extends GrantedAuthority>);0" or
  s =
-    "org.springframework.security.core.userdetails.User;User(String, String, boolean, boolean, boolean, boolean, Collection<? extends GrantedAuthority>);1"
+    "org.springframework.security.core.userdetails.User;User(String, String, boolean, boolean, boolean, boolean, Collection<? extends GrantedAuthority>);1" or
+  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);0" or
+  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);1" or
+  s = "com.azure.identity.UsernamePasswordCredentialBuilder;username(String);0" or
+  s = "com.azure.identity.UsernamePasswordCredentialBuilder;password(String);0" or
+  s = "com.azure.identity.ClientSecretCredentialBuilder;clientSecret(String);0"
 }