Merge pull request #3729 from luchua-bc/java-hardcoded-aws-credentials

Java: Hardcoded AWS credentials

java/ql/src/Security/CWE/CWE-798/HardcodedAWSCredentials.java

@@ -0,0 +1,10 @@
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.BasicAWSCredentials;
+
+public class HardcodedAWSCredentials {
+	public static void main(String[] args) {
+		//Hardcoded credentials for connecting to AWS services
+		//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead 
+		AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY"); //sensitive call
+	}
+}

java/ql/src/Security/CWE/CWE-798/SensitiveApi.qll

@@ -129,7 +129,8 @@ private predicate javaApiCallablePasswordParam(string s) {
   s = "sun.tools.jconsole.ProxyClient;ProxyClient(String, int, String, String);3" or
   s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, int, String, String);3" or
   s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, String, String);2" or
-  s = "sun.tools.jconsole.ProxyClient;getCacheKey(String, int, String, String);3"
+  s = "sun.tools.jconsole.ProxyClient;getCacheKey(String, int, String, String);3" or
+  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);1"
 }
 
 /**
@@ -200,7 +201,8 @@ private predicate javaApiCallableUsernameParam(string s) {
   s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, String, String);1" or
   s = "sun.tools.jconsole.ProxyClient;getConnectionName(String, String);1" or
   s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, int, String, String);2" or
-  s = "sun.tools.jconsole.ProxyClient;getConnectionName(String, int, String);2"
+  s = "sun.tools.jconsole.ProxyClient;getConnectionName(String, int, String);2" or
+  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);0"
 }
 
 /**