Convert tests to inline expectations and fix one bug revealed doing so
Specifically, Apache SSHD defines its sensitive API calls on an inherited interface, and they need to be described that way for us to pick them up.
@@ -442,8 +442,8 @@ private predicate otherApiCallableCredentialParam(string s) {
|
||||
"com.jcraft.jsch.JSch;getSession(String, String, int);0",
|
||||
"com.jcraft.jsch.JSch;getSession(String, String);0",
|
||||
"ch.ethz.ssh2.Connection;authenticateWithPassword(String, String);0",
|
||||
"org.apache.sshd.client.SshClient;connect(String, String, int);0",
|
||||
"org.apache.sshd.client.SshClient;connect(String, SocketAddress);0",
|
||||
"org.apache.sshd.client.session.ClientSessionCreator;connect(String, String, int);0",
|
||||
"org.apache.sshd.client.session.ClientSessionCreator;connect(String, SocketAddress);0",
|
||||
"net.schmizz.sshj.SSHClient;authPassword(String, char[]);0",
|
||||
"net.schmizz.sshj.SSHClient;authPassword(String, String);0",
|
||||
"com.sshtools.j2ssh.authentication.SshAuthenticationClient;setUsername(String);0",
|
||||
|
||||
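Review bot: The two `ClientSessionCreator` entries carry no comment explaining why the interface rather than the concrete `SshClient` is listed, and in a flat string table like this the next contributor who sees `connect` called on an `SshClient` is likely to add the concrete class back. A one-line comment above them would capture the reason the commit message gives, e.g. `// Apache SSHD declares connect(...) on the ClientSessionCreator interface that SshClient inherits; callables are matched on their declaring type, so the interface must be listed.` The predicate `otherApiCallableCredentialParam` starts before the hunk, so I cannot see whether a header comment already covers this.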
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.HardcodedCredentialsSourceCall
|
||||
import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from
|
||||
|
||||
@@ -10,11 +10,11 @@ public class CredentialsTest {
|
||||
String url = "jdbc:mysql://localhost/test";
|
||||
String u = "admin"; // hard-coded credential (flow source)
|
||||
|
||||
DriverManager.getConnection(url, u, p); // sensitive call (flow target)
|
||||
DriverManager.getConnection(url, u, p); // $ HardcodedCredentialsApiCall
|
||||
test(url, u, p);
|
||||
}
|
||||
|
||||
public static void test(String url, String v, String q) throws SQLException {
|
||||
DriverManager.getConnection(url, v, q); // sensitive call (flow target)
|
||||
DriverManager.getConnection(url, v, q); // $ HardcodedCredentialsApiCall
|
||||
}
|
||||
}
|
||||
|
||||
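Review bot: The new `$ HardcodedCredentialsApiCall` expectations carry no value, so a line such as `DriverManager.getConnection(url, u, p)` on which both `u` and `p` are flagged (the deleted .expected file listed separate results for each argument) is satisfied by a single result, and a regression that loses one of the two flows would, as far as I recall of the inline-expectations framework, still pass. If the test's expectation class exposes a value, attaching the sink expression, e.g. `DriverManager.getConnection(url, u, p); // $ HardcodedCredentialsApiCall=u $ HardcodedCredentialsApiCall=p`, would keep the per-argument check. The same applies to the FileCredentialTest, HardcodedApacheFtpCredentials and HardcodedAzureCredentials sections, where two arguments or two literals are flagged on one line. I cannot see the test .ql's value handling from here, so this is worth confirming against it.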
@@ -15,12 +15,12 @@ public class FileCredentialTest {
|
||||
|
||||
String p = readText(new File(file));
|
||||
|
||||
DriverManager.getConnection("", "admin", p); // sensitive call (flow target)
|
||||
DriverManager.getConnection("", "admin", p); // $ HardcodedCredentialsApiCall
|
||||
test(url, u, p);
|
||||
}
|
||||
|
||||
public static void test(String url, String v, String q) throws SQLException {
|
||||
DriverManager.getConnection(url, v, q); // sensitive call (flow target)
|
||||
DriverManager.getConnection(url, v, q); // $ HardcodedCredentialsApiCall
|
||||
}
|
||||
|
||||
public static String readText(File f) throws IOException
|
||||
|
||||
@@ -4,7 +4,7 @@ import com.amazonaws.auth.BasicAWSCredentials;
|
||||
public class HardcodedAWSCredentials {
|
||||
public static void main(String[] args) {
|
||||
//BAD: Hardcoded credentials for connecting to AWS services
|
||||
//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead
|
||||
AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY");
|
||||
//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead
|
||||
AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY"); // $ HardcodedCredentialsApiCall
|
||||
}
|
||||
}
|
||||
@@ -6,8 +6,8 @@ public class HardcodedApacheFtpCredentials {
|
||||
public static void main(FTPClient client) {
|
||||
// BAD: Hardcoded credentials used for the session username and/or password.
|
||||
try {
|
||||
client.login("username", "password");
|
||||
client.login("username", "password", "blah");
|
||||
client.login("username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
client.login("username", "password", "blah"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
} catch(IOException e) { }
|
||||
}
|
||||
}
|
||||
@@ -5,8 +5,8 @@ import java.io.IOException;
|
||||
public class HardcodedApacheSshdCredentials {
|
||||
public static void main(SshClient client, AbstractClientSession session) {
|
||||
// BAD: Hardcoded credentials used for the session username and/or password.
|
||||
client.connect("Username", "hostname", 22);
|
||||
client.connect("Username", null);
|
||||
session.addPasswordIdentity("password");
|
||||
client.connect("Username", "hostname", 22); // $ HardcodedCredentialsApiCall
|
||||
client.connect("Username", null); // $ HardcodedCredentialsApiCall
|
||||
session.addPasswordIdentity("password"); // $ HardcodedCredentialsApiCall
|
||||
}
|
||||
}
|
||||
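Review bot: All three expectations in `main` still dispatch through the concrete `SshClient` parameter, so the test shows that the model now matches calls on the subtype but not that it also matches a call made on the declaring interface, which is the type the QLL change now names. A second method taking the interface would pin both, e.g. `public static void viaInterface(ClientSessionCreator creator) { creator.connect("Username", "hostname", 22); // $ HardcodedCredentialsApiCall }` (with the matching import). The old .expected's node list mentions this file only for the `addPasswordIdentity` line, so these three tags are the regression guard for the bug the commit message describes; that is worth recording on the class, e.g. `// connect(...) is declared on ClientSessionCreator, not SshClient; see otherApiCallableCredentialParam.`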
@@ -15,8 +15,8 @@ public class HardcodedAzureCredentials {
|
||||
public void testHardcodedUsernamePassword(String input) {
|
||||
UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
|
||||
.clientId(clientId)
|
||||
.username(username)
|
||||
.password(clientSecret)
|
||||
.username(username) // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
.password(clientSecret) // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
.build();
|
||||
|
||||
SecretClient client = new SecretClientBuilder()
|
||||
@@ -43,7 +43,7 @@ public class HardcodedAzureCredentials {
|
||||
public void testHardcodedClientSecret(String input) {
|
||||
ClientSecretCredential defaultCredential = new ClientSecretCredentialBuilder()
|
||||
.clientId(clientId)
|
||||
.clientSecret(clientSecret)
|
||||
.clientSecret(clientSecret) // $ HardcodedCredentialsApiCall
|
||||
.tenantId(tenantId)
|
||||
.build();
|
||||
}
|
||||
|
||||
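Review bot: `.clientSecret(clientSecret)` is tagged `$ HardcodedCredentialsApiCall` only, while `.password(clientSecret)` in `testHardcodedUsernamePassword` (the earlier hunk of this file) receives the same field and is also tagged `$ HardcodedCredentialsSourceCall`. If that is because the source-call model does not cover `ClientSecretCredentialBuilder.clientSecret`, a short comment on this line, e.g. `// no SourceCall tag: clientSecret(...) is not modelled as a credentials source`, would stop the next reader treating it as a missed expectation; if it is an oversight, the tag is missing. I cannot see the SourceCall model from here, so this is a question rather than a defect.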
@@ -1,234 +0,0 @@
|
||||
edges
|
||||
| CredentialsTest.java:7:30:7:30 | p : String | CredentialsTest.java:13:39:13:39 | p |
|
||||
| CredentialsTest.java:7:30:7:30 | p : String | CredentialsTest.java:14:16:14:16 | p : String |
|
||||
| CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:7:30:7:30 | p : String |
|
||||
| CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:13:36:13:36 | u |
|
||||
| CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:14:13:14:13 | u : String |
|
||||
| CredentialsTest.java:14:13:14:13 | u : String | CredentialsTest.java:17:38:17:45 | v : String |
|
||||
| CredentialsTest.java:14:16:14:16 | p : String | CredentialsTest.java:17:48:17:55 | q : String |
|
||||
| CredentialsTest.java:17:38:17:45 | v : String | CredentialsTest.java:18:36:18:36 | v |
|
||||
| CredentialsTest.java:17:48:17:55 | q : String | CredentialsTest.java:18:39:18:39 | q |
|
||||
| FileCredentialTest.java:13:14:13:20 | "admin" : String | FileCredentialTest.java:19:13:19:13 | u : String |
|
||||
| FileCredentialTest.java:19:13:19:13 | u : String | FileCredentialTest.java:22:38:22:45 | v : String |
|
||||
| FileCredentialTest.java:22:38:22:45 | v : String | FileCredentialTest.java:23:36:23:36 | v |
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String |
|
||||
| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String |
|
||||
| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String |
|
||||
| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String |
|
||||
| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | username |
|
||||
| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret |
|
||||
| HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret |
|
||||
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
|
||||
| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String |
|
||||
| HardcodedJschCredentials.java:13:28:13:37 | "password" : String | HardcodedJschCredentials.java:13:28:13:48 | getBytes(...) |
|
||||
| HardcodedMongoCredentials.java:5:58:5:67 | "password" : String | HardcodedMongoCredentials.java:5:58:5:81 | toCharArray(...) |
|
||||
| HardcodedMongoCredentials.java:6:65:6:74 | "password" : String | HardcodedMongoCredentials.java:6:65:6:88 | toCharArray(...) |
|
||||
| HardcodedMongoCredentials.java:7:63:7:72 | "password" : String | HardcodedMongoCredentials.java:7:63:7:86 | toCharArray(...) |
|
||||
| HardcodedMongoCredentials.java:8:67:8:76 | "password" : String | HardcodedMongoCredentials.java:8:67:8:90 | toCharArray(...) |
|
||||
| HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) |
|
||||
| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:18:46:18:87 | decode(...) |
|
||||
| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | HardcodedShiroKey.java:26:46:26:109 | decode(...) |
|
||||
| HardcodedSshjCredentials.java:9:39:9:48 | "password" : String | HardcodedSshjCredentials.java:9:39:9:62 | toCharArray(...) |
|
||||
| HardcodedTrileadSshCredentials.java:15:50:15:54 | "key" : String | HardcodedTrileadSshCredentials.java:15:50:15:68 | toCharArray(...) |
|
||||
| Test.java:9:16:9:22 | "admin" : String | Test.java:12:13:12:15 | usr : String |
|
||||
| Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr |
|
||||
| Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr |
|
||||
| Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr |
|
||||
| Test.java:10:17:10:24 | "123456" : String | Test.java:12:18:12:21 | pass : String |
|
||||
| Test.java:10:17:10:24 | "123456" : String | Test.java:15:41:15:44 | pass |
|
||||
| Test.java:10:17:10:24 | "123456" : String | Test.java:18:44:18:61 | toCharArray(...) |
|
||||
| Test.java:12:13:12:15 | usr : String | Test.java:29:38:29:48 | user : String |
|
||||
| Test.java:12:18:12:21 | pass : String | Test.java:29:51:29:65 | password : String |
|
||||
| Test.java:17:44:17:51 | "123456" : String | Test.java:17:44:17:65 | toCharArray(...) |
|
||||
| Test.java:20:16:20:39 | new byte[] : byte[] | Test.java:21:78:21:80 | key |
|
||||
| Test.java:23:17:23:26 | "abcdefgh" : String | Test.java:24:79:24:82 | key2 |
|
||||
| Test.java:29:38:29:48 | user : String | Test.java:30:36:30:39 | user |
|
||||
| Test.java:29:51:29:65 | password : String | Test.java:30:42:30:49 | password |
|
||||
nodes
|
||||
| CredentialsTest.java:7:30:7:30 | p : String | semmle.label | p : String |
|
||||
| CredentialsTest.java:7:34:7:41 | "123456" : String | semmle.label | "123456" : String |
|
||||
| CredentialsTest.java:11:14:11:20 | "admin" : String | semmle.label | "admin" : String |
|
||||
| CredentialsTest.java:13:36:13:36 | u | semmle.label | u |
|
||||
| CredentialsTest.java:13:39:13:39 | p | semmle.label | p |
|
||||
| CredentialsTest.java:14:13:14:13 | u : String | semmle.label | u : String |
|
||||
| CredentialsTest.java:14:16:14:16 | p : String | semmle.label | p : String |
|
||||
| CredentialsTest.java:17:38:17:45 | v : String | semmle.label | v : String |
|
||||
| CredentialsTest.java:17:48:17:55 | q : String | semmle.label | q : String |
|
||||
| CredentialsTest.java:18:36:18:36 | v | semmle.label | v |
|
||||
| CredentialsTest.java:18:39:18:39 | q | semmle.label | q |
|
||||
| FileCredentialTest.java:13:14:13:20 | "admin" : String | semmle.label | "admin" : String |
|
||||
| FileCredentialTest.java:18:35:18:41 | "admin" | semmle.label | "admin" |
|
||||
| FileCredentialTest.java:19:13:19:13 | u : String | semmle.label | u : String |
|
||||
| FileCredentialTest.java:22:38:22:45 | v : String | semmle.label | v : String |
|
||||
| FileCredentialTest.java:23:36:23:36 | v | semmle.label | v |
|
||||
| HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | semmle.label | "ACCESS_KEY" |
|
||||
| HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | semmle.label | "SECRET_KEY" |
|
||||
| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | semmle.label | "username" |
|
||||
| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | semmle.label | "password" |
|
||||
| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | semmle.label | "username" |
|
||||
| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | semmle.label | "password" |
|
||||
| HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | semmle.label | "password" |
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
|
||||
| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
|
||||
| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | semmle.label | "username@example.onmicrosoft.com" : String |
|
||||
| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | semmle.label | this <.field> [post update] [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | semmle.label | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String |
|
||||
| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | semmle.label | parameter this [username] : String |
|
||||
| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | semmle.label | this <.field> [username] : String |
|
||||
| HardcodedAzureCredentials.java:18:13:18:20 | username | semmle.label | username |
|
||||
| HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | semmle.label | clientSecret |
|
||||
| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | semmle.label | clientSecret |
|
||||
| HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
|
||||
| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
|
||||
| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | semmle.label | "username" |
|
||||
| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | semmle.label | "password" |
|
||||
| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | semmle.label | "password" |
|
||||
| HardcodedJschCredentials.java:10:41:10:50 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedJschCredentials.java:11:42:11:51 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedJschCredentials.java:12:27:12:36 | "password" | semmle.label | "password" |
|
||||
| HardcodedJschCredentials.java:13:28:13:37 | "password" : String | semmle.label | "password" : String |
|
||||
| HardcodedJschCredentials.java:13:28:13:48 | getBytes(...) | semmle.label | getBytes(...) |
|
||||
| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedMongoCredentials.java:5:58:5:67 | "password" : String | semmle.label | "password" : String |
|
||||
| HardcodedMongoCredentials.java:5:58:5:81 | toCharArray(...) | semmle.label | toCharArray(...) |
|
||||
| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedMongoCredentials.java:6:65:6:74 | "password" : String | semmle.label | "password" : String |
|
||||
| HardcodedMongoCredentials.java:6:65:6:88 | toCharArray(...) | semmle.label | toCharArray(...) |
|
||||
| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedMongoCredentials.java:7:63:7:72 | "password" : String | semmle.label | "password" : String |
|
||||
| HardcodedMongoCredentials.java:7:63:7:86 | toCharArray(...) | semmle.label | toCharArray(...) |
|
||||
| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedMongoCredentials.java:8:67:8:76 | "password" : String | semmle.label | "password" : String |
|
||||
| HardcodedMongoCredentials.java:8:67:8:90 | toCharArray(...) | semmle.label | toCharArray(...) |
|
||||
| HardcodedMongoCredentials.java:9:44:9:48 | "key" | semmle.label | "key" |
|
||||
| HardcodedMongoCredentials.java:10:47:10:51 | "key" | semmle.label | "key" |
|
||||
| HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | semmle.label | "TEST123" : String |
|
||||
| HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | semmle.label | getBytes(...) |
|
||||
| HardcodedShiroKey.java:18:46:18:87 | decode(...) | semmle.label | decode(...) |
|
||||
| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | semmle.label | "4AvVhmFLUs0KTA3Kprsdag==" : String |
|
||||
| HardcodedShiroKey.java:26:46:26:109 | decode(...) | semmle.label | decode(...) |
|
||||
| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | semmle.label | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String |
|
||||
| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedSshjCredentials.java:8:37:8:46 | "password" | semmle.label | "password" |
|
||||
| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedSshjCredentials.java:9:39:9:48 | "password" : String | semmle.label | "password" : String |
|
||||
| HardcodedSshjCredentials.java:9:39:9:62 | toCharArray(...) | semmle.label | toCharArray(...) |
|
||||
| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | semmle.label | "password" |
|
||||
| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | semmle.label | "password" |
|
||||
| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | semmle.label | "key" |
|
||||
| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:15:50:15:54 | "key" : String | semmle.label | "key" : String |
|
||||
| HardcodedTrileadSshCredentials.java:15:50:15:68 | toCharArray(...) | semmle.label | toCharArray(...) |
|
||||
| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | semmle.label | "password" |
|
||||
| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | semmle.label | "password" |
|
||||
| Test.java:9:16:9:22 | "admin" : String | semmle.label | "admin" : String |
|
||||
| Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
|
||||
| Test.java:12:13:12:15 | usr : String | semmle.label | usr : String |
|
||||
| Test.java:12:18:12:21 | pass : String | semmle.label | pass : String |
|
||||
| Test.java:14:36:14:42 | "admin" | semmle.label | "admin" |
|
||||
| Test.java:14:45:14:52 | "123456" | semmle.label | "123456" |
|
||||
| Test.java:15:36:15:38 | usr | semmle.label | usr |
|
||||
| Test.java:15:41:15:44 | pass | semmle.label | pass |
|
||||
| Test.java:17:39:17:41 | usr | semmle.label | usr |
|
||||
| Test.java:17:44:17:51 | "123456" : String | semmle.label | "123456" : String |
|
||||
| Test.java:17:44:17:65 | toCharArray(...) | semmle.label | toCharArray(...) |
|
||||
| Test.java:18:39:18:41 | usr | semmle.label | usr |
|
||||
| Test.java:18:44:18:61 | toCharArray(...) | semmle.label | toCharArray(...) |
|
||||
| Test.java:20:16:20:39 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
|
||||
| Test.java:21:78:21:80 | key | semmle.label | key |
|
||||
| Test.java:23:17:23:26 | "abcdefgh" : String | semmle.label | "abcdefgh" : String |
|
||||
| Test.java:24:79:24:82 | key2 | semmle.label | key2 |
|
||||
| Test.java:29:38:29:48 | user : String | semmle.label | user : String |
|
||||
| Test.java:29:51:29:65 | password : String | semmle.label | password : String |
|
||||
| Test.java:30:36:30:39 | user | semmle.label | user |
|
||||
| Test.java:30:42:30:49 | password | semmle.label | password |
|
||||
subpaths
|
||||
#select
|
||||
| CredentialsTest.java:7:34:7:41 | "123456" | CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:13:39:13:39 | p | Hard-coded value flows to $@. | CredentialsTest.java:13:39:13:39 | p | sensitive API call |
|
||||
| CredentialsTest.java:7:34:7:41 | "123456" | CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:18:39:18:39 | q | Hard-coded value flows to $@. | CredentialsTest.java:18:39:18:39 | q | sensitive API call |
|
||||
| CredentialsTest.java:11:14:11:20 | "admin" | CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:13:36:13:36 | u | Hard-coded value flows to $@. | CredentialsTest.java:13:36:13:36 | u | sensitive API call |
|
||||
| CredentialsTest.java:11:14:11:20 | "admin" | CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:18:36:18:36 | v | Hard-coded value flows to $@. | CredentialsTest.java:18:36:18:36 | v | sensitive API call |
|
||||
| FileCredentialTest.java:13:14:13:20 | "admin" | FileCredentialTest.java:13:14:13:20 | "admin" : String | FileCredentialTest.java:23:36:23:36 | v | Hard-coded value flows to $@. | FileCredentialTest.java:23:36:23:36 | v | sensitive API call |
|
||||
| FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | Hard-coded value flows to $@. | FileCredentialTest.java:18:35:18:41 | "admin" | sensitive API call |
|
||||
| HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | sensitive API call |
|
||||
| HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | sensitive API call |
|
||||
| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | sensitive API call |
|
||||
| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | sensitive API call |
|
||||
| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | sensitive API call |
|
||||
| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | sensitive API call |
|
||||
| HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | Hard-coded value flows to $@. | HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | sensitive API call |
|
||||
| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive API call |
|
||||
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive API call |
|
||||
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | sensitive API call |
|
||||
| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | sensitive API call |
|
||||
| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | sensitive API call |
|
||||
| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | sensitive API call |
|
||||
| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | sensitive API call |
|
||||
| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | sensitive API call |
|
||||
| HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:10:41:10:50 | "Username" | sensitive API call |
|
||||
| HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:11:42:11:51 | "Username" | sensitive API call |
|
||||
| HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:12:27:12:36 | "password" | sensitive API call |
|
||||
| HardcodedJschCredentials.java:13:28:13:37 | "password" | HardcodedJschCredentials.java:13:28:13:37 | "password" : String | HardcodedJschCredentials.java:13:28:13:48 | getBytes(...) | Hard-coded value flows to $@. | HardcodedJschCredentials.java:13:28:13:48 | getBytes(...) | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:5:58:5:67 | "password" | HardcodedMongoCredentials.java:5:58:5:67 | "password" : String | HardcodedMongoCredentials.java:5:58:5:81 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:5:58:5:81 | toCharArray(...) | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:6:65:6:74 | "password" | HardcodedMongoCredentials.java:6:65:6:74 | "password" : String | HardcodedMongoCredentials.java:6:65:6:88 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:6:65:6:88 | toCharArray(...) | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:7:63:7:72 | "password" | HardcodedMongoCredentials.java:7:63:7:72 | "password" : String | HardcodedMongoCredentials.java:7:63:7:86 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:7:63:7:86 | toCharArray(...) | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:8:67:8:76 | "password" | HardcodedMongoCredentials.java:8:67:8:76 | "password" : String | HardcodedMongoCredentials.java:8:67:8:90 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:8:67:8:90 | toCharArray(...) | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:9:44:9:48 | "key" | sensitive API call |
|
||||
| HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:10:47:10:51 | "key" | sensitive API call |
|
||||
| HardcodedShiroKey.java:9:46:9:54 | "TEST123" | HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | sensitive API call |
|
||||
| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" | HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:18:46:18:87 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:18:46:18:87 | decode(...) | sensitive API call |
|
||||
| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" | HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | HardcodedShiroKey.java:26:46:26:109 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:26:46:26:109 | decode(...) | sensitive API call |
|
||||
| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | sensitive API call |
|
||||
| HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:37:8:46 | "password" | sensitive API call |
|
||||
| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | sensitive API call |
|
||||
| HardcodedSshjCredentials.java:9:39:9:48 | "password" | HardcodedSshjCredentials.java:9:39:9:48 | "password" : String | HardcodedSshjCredentials.java:9:39:9:62 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:9:39:9:62 | toCharArray(...) | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:15:50:15:54 | "key" | HardcodedTrileadSshCredentials.java:15:50:15:54 | "key" : String | HardcodedTrileadSshCredentials.java:15:50:15:68 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:50:15:68 | toCharArray(...) | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | sensitive API call |
|
||||
| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | sensitive API call |
|
||||
| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr | Hard-coded value flows to $@. | Test.java:15:36:15:38 | usr | sensitive API call |
|
||||
| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr | Hard-coded value flows to $@. | Test.java:17:39:17:41 | usr | sensitive API call |
|
||||
| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr | Hard-coded value flows to $@. | Test.java:18:39:18:41 | usr | sensitive API call |
|
||||
| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:30:36:30:39 | user | Hard-coded value flows to $@. | Test.java:30:36:30:39 | user | sensitive API call |
|
||||
| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:15:41:15:44 | pass | Hard-coded value flows to $@. | Test.java:15:41:15:44 | pass | sensitive API call |
|
||||
| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:18:44:18:61 | toCharArray(...) | Hard-coded value flows to $@. | Test.java:18:44:18:61 | toCharArray(...) | sensitive API call |
|
||||
| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:30:42:30:49 | password | Hard-coded value flows to $@. | Test.java:30:42:30:49 | password | sensitive API call |
|
||||
| Test.java:14:36:14:42 | "admin" | Test.java:14:36:14:42 | "admin" | Test.java:14:36:14:42 | "admin" | Hard-coded value flows to $@. | Test.java:14:36:14:42 | "admin" | sensitive API call |
|
||||
| Test.java:14:45:14:52 | "123456" | Test.java:14:45:14:52 | "123456" | Test.java:14:45:14:52 | "123456" | Hard-coded value flows to $@. | Test.java:14:45:14:52 | "123456" | sensitive API call |
|
||||
| Test.java:17:44:17:51 | "123456" | Test.java:17:44:17:51 | "123456" : String | Test.java:17:44:17:65 | toCharArray(...) | Hard-coded value flows to $@. | Test.java:17:44:17:65 | toCharArray(...) | sensitive API call |
|
||||
| Test.java:20:16:20:39 | new byte[] | Test.java:20:16:20:39 | new byte[] : byte[] | Test.java:21:78:21:80 | key | Hard-coded value flows to $@. | Test.java:21:78:21:80 | key | sensitive API call |
|
||||
| Test.java:23:17:23:26 | "abcdefgh" | Test.java:23:17:23:26 | "abcdefgh" : String | Test.java:24:79:24:82 | key2 | Hard-coded value flows to $@. | Test.java:24:79:24:82 | key2 | sensitive API call |
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
import java
|
||||
import semmle.code.java.security.HardcodedCredentialsApiCallQuery
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class HardcodedCredentialsApiCallTest extends InlineExpectationsTest {
|
||||
HardcodedCredentialsApiCallTest() { this = "HardcodedCredentialsApiCallTest" }
|
||||
|
||||
override string getARelevantTag() { result = "HardcodedCredentialsApiCall" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "HardcodedCredentialsApiCall" and
|
||||
exists(DataFlow::Node sink, HardcodedCredentialApiCallConfiguration conf |
|
||||
conf.hasFlow(_, sink)
|
||||
|
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
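Review bot: Binding `value = ""` in `hasActualResult` makes every sink on one source line collapse into a single inline expectation, so a line with two sinks — CredentialsTest.java line 13, where the old `#select` rows removed above list both `u` (13:36) and `p` (13:39) — stays green with one `$ HardcodedCredentialsApiCall` marker even if the query later reports only one of them, if I read the InlineExpectationsTest matching correctly. Consider `value = sink.toString()` so each sink needs its own `HardcodedCredentialsApiCall=<expr>` marker; that costs a re-annotation of the test sources but keeps the per-sink precision the deleted `.expected` file had. The same choice appears in HardcodedCredentialsComparisonTest in the later `@@ -0,0 +1,18 @@` hunk. A one-line QLDoc above the class, `/** Inline-expectations test for the HardcodedCredentialsApiCall query. */`, would also document why this file replaces the `.qlref` and `.expected` pair.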
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
|
||||
@@ -1 +0,0 @@
|
||||
| Test.java:36:26:36:32 | "admin" | Hard-coded value is $@ with password variable $@. | Test.java:36:10:36:33 | equals(...) | compared | Test.java:35:38:35:52 | password | password |
|
||||
|
||||
@@ -0,0 +1,18 @@
|
||||
import java
|
||||
import semmle.code.java.security.HardcodedCredentialsComparison
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class HardcodedCredentialsComparisonTest extends InlineExpectationsTest {
|
||||
HardcodedCredentialsComparisonTest() { this = "HardcodedCredentialsComparisonTest" }
|
||||
|
||||
override string getARelevantTag() { result = "HardcodedCredentialsComparison" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "HardcodedCredentialsComparison" and
|
||||
exists(Expr sink | isHardcodedCredentialsComparison(sink, _, _) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
|
||||
@@ -1,106 +0,0 @@
|
||||
edges
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String |
|
||||
| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String |
|
||||
| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String |
|
||||
| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String |
|
||||
| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | username |
|
||||
| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret |
|
||||
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
|
||||
| Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass |
|
||||
| User.java:2:30:2:39 | DEFAULT_PW : String | User.java:5:15:5:24 | DEFAULT_PW |
|
||||
| User.java:2:43:2:50 | "123456" : String | User.java:2:30:2:39 | DEFAULT_PW : String |
|
||||
nodes
|
||||
| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | semmle.label | "username" |
|
||||
| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | semmle.label | "password" |
|
||||
| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | semmle.label | "username" |
|
||||
| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | semmle.label | "password" |
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
|
||||
| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
|
||||
| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | semmle.label | "username@example.onmicrosoft.com" : String |
|
||||
| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | semmle.label | this <.field> [post update] [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | semmle.label | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String |
|
||||
| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | semmle.label | parameter this [username] : String |
|
||||
| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | semmle.label | this <.field> [username] : String |
|
||||
| HardcodedAzureCredentials.java:18:13:18:20 | username | semmle.label | username |
|
||||
| HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | semmle.label | clientSecret |
|
||||
| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
|
||||
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
|
||||
| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | semmle.label | "username" |
|
||||
| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | semmle.label | "password" |
|
||||
| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | semmle.label | "password" |
|
||||
| HardcodedJschCredentials.java:10:41:10:50 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedJschCredentials.java:11:42:11:51 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedJschCredentials.java:12:27:12:36 | "password" | semmle.label | "password" |
|
||||
| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedMongoCredentials.java:9:44:9:48 | "key" | semmle.label | "key" |
|
||||
| HardcodedMongoCredentials.java:10:47:10:51 | "key" | semmle.label | "key" |
|
||||
| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedSshjCredentials.java:8:37:8:46 | "password" | semmle.label | "password" |
|
||||
| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | semmle.label | "password" |
|
||||
| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | semmle.label | "key" |
|
||||
| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | semmle.label | "password" |
|
||||
| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | semmle.label | "Username" |
|
||||
| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | semmle.label | "password" |
|
||||
| Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
|
||||
| Test.java:26:17:26:20 | pass | semmle.label | pass |
|
||||
| User.java:2:30:2:39 | DEFAULT_PW : String | semmle.label | DEFAULT_PW : String |
|
||||
| User.java:2:43:2:50 | "123456" : String | semmle.label | "123456" : String |
|
||||
| User.java:5:15:5:24 | DEFAULT_PW | semmle.label | DEFAULT_PW |
|
||||
subpaths
|
||||
#select
|
||||
| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | sensitive call |
|
||||
| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | sensitive call |
|
||||
| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | sensitive call |
|
||||
| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | sensitive call |
|
||||
| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive call |
|
||||
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive call |
|
||||
| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | sensitive call |
|
||||
| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | sensitive call |
|
||||
| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | sensitive call |
|
||||
| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | sensitive call |
|
||||
| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | sensitive call |
|
||||
| HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:10:41:10:50 | "Username" | sensitive call |
|
||||
| HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:11:42:11:51 | "Username" | sensitive call |
|
||||
| HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:12:27:12:36 | "password" | sensitive call |
|
||||
| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | sensitive call |
|
||||
| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | sensitive call |
|
||||
| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | sensitive call |
|
||||
| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | sensitive call |
|
||||
| HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:9:44:9:48 | "key" | sensitive call |
|
||||
| HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:10:47:10:51 | "key" | sensitive call |
|
||||
| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | sensitive call |
|
||||
| HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:37:8:46 | "password" | sensitive call |
|
||||
| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | sensitive call |
|
||||
| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | sensitive call |
|
||||
| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass | Hard-coded value flows to $@. | Test.java:26:17:26:20 | pass | sensitive call |
|
||||
| User.java:2:43:2:50 | "123456" | User.java:2:43:2:50 | "123456" : String | User.java:5:15:5:24 | DEFAULT_PW | Hard-coded value flows to $@. | User.java:5:15:5:24 | DEFAULT_PW | sensitive call |
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
import java
|
||||
import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class HardcodedCredentialsSourceCallTest extends InlineExpectationsTest {
|
||||
HardcodedCredentialsSourceCallTest() { this = "HardcodedCredentialsSourceCallTest" }
|
||||
|
||||
override string getARelevantTag() { result = "HardcodedCredentialsSourceCall" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "HardcodedCredentialsSourceCall" and
|
||||
exists(DataFlow::Node sink, HardcodedCredentialSourceCallConfiguration conf |
|
||||
conf.hasFlow(_, sink)
|
||||
|
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
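Review bot: Binding `value = ""` in hasActualResult (with the source wildcarded as `conf.hasFlow(_, sink)`) yields exactly one `HardcodedCredentialsSourceCall` tag per sink, however many hard-coded sources reach it, so an expectation can no longer tell two flows into the same call apart and a regression that drops one of them would pass unnoticed. That is probably acceptable for the cases annotated in this commit, but it is a deliberate loss of precision compared with the removed .expected file and deserves a comment on the predicate, e.g. `// One tag per sink: which source reached it is intentionally not encoded in value.`. If distinguishing sources matters, binding the source in `hasFlow` and using its `toString()` as `value` would restore that. The class also has no QLDoc; a one-line summary naming the query under test would help.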
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
|
||||
@@ -5,7 +5,7 @@ public class HardcodedGanymedSsh2Credentials {
|
||||
public static void main(Connection conn) {
|
||||
// BAD: Hardcoded credentials used for the session username and/or password.
|
||||
try {
|
||||
conn.authenticateWithPassword("username", "password");
|
||||
conn.authenticateWithPassword("username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
} catch(IOException e) { }
|
||||
}
|
||||
}
|
||||
@@ -4,8 +4,8 @@ import com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;
|
||||
public class HardcodedJ2sshCredentials {
|
||||
public static void main(SshAuthenticationClient client1, PasswordAuthenticationClient client2) {
|
||||
// BAD: Hardcoded credentials used for the session username and/or password.
|
||||
client1.setUsername("Username");
|
||||
client2.setUsername("Username");
|
||||
client2.setPassword("password");
|
||||
client1.setUsername("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
client2.setUsername("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
client2.setPassword("password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
}
|
||||
}
|
||||
@@ -7,10 +7,10 @@ public class HardcodedJschCredentials {
|
||||
public static void main(JSch jsch) {
|
||||
// BAD: Hardcoded credentials used for the session username and/or password.
|
||||
try {
|
||||
Session session = jsch.getSession("Username", "hostname");
|
||||
Session session2 = jsch.getSession("Username", "hostname", 22);
|
||||
session.setPassword("password");
|
||||
session2.setPassword("password".getBytes());
|
||||
Session session = jsch.getSession("Username", "hostname"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
Session session2 = jsch.getSession("Username", "hostname", 22); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
session.setPassword("password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
session2.setPassword("password".getBytes()); // $ HardcodedCredentialsApiCall
|
||||
} catch(JSchException e) { }
|
||||
}
|
||||
}
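Review bot: The `session2.setPassword("password".getBytes())` line carries only `$ HardcodedCredentialsApiCall`, while the three sibling calls above it carry both tags; this matches the expected output removed earlier in this commit (which appears to list HardcodedJschCredentials.java lines 10–12 only), so it is presumably a known limitation of the source-call configuration for the byte[] overload rather than an omission. Without a note the asymmetry reads like a forgotten tag and invites someone to "fix" it; a trailing comment such as `// byte[] overload: not a HardcodedCredentialsSourceCall sink` would make the intent explicit. If the byte[] path is meant to be covered, that is a detection gap to track separately rather than to paper over here.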
|
||||
@@ -2,11 +2,11 @@ import com.mongodb.MongoCredential;
|
||||
|
||||
public class HardcodedMongoCredentials {
|
||||
public static void test() {
|
||||
MongoCredential.createCredential("Username", "blah", "password".toCharArray());
|
||||
MongoCredential.createMongoCRCredential("Username", "blah", "password".toCharArray());
|
||||
MongoCredential.createPlainCredential("Username", "blah", "password".toCharArray());
|
||||
MongoCredential.createScramSha1Credential("Username", "blah", "password".toCharArray());
|
||||
MongoCredential.createGSSAPICredential("key");
|
||||
MongoCredential.createMongoX509Credential("key");
|
||||
MongoCredential.createCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
MongoCredential.createMongoCRCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
MongoCredential.createPlainCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
MongoCredential.createScramSha1Credential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
MongoCredential.createGSSAPICredential("key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
MongoCredential.createMongoX509Credential("key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
}
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
| Test.java:33:29:33:36 | password | Sensitive field is assigned a hard-coded $@. | Test.java:33:40:33:56 | "myOtherPassword" | value |
|
||||
|
||||
@@ -0,0 +1,18 @@
|
||||
import java
|
||||
import semmle.code.java.security.HardcodedPasswordField
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class HardcodedPasswordFieldTest extends InlineExpectationsTest {
|
||||
HardcodedPasswordFieldTest() { this = "HardcodedPasswordFieldTest" }
|
||||
|
||||
override string getARelevantTag() { result = "HardcodedPasswordField" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "HardcodedPasswordField" and
|
||||
exists(Expr assigned | passwordFieldAssignedHardcodedValue(_, assigned) |
|
||||
assigned.getLocation() = location and
|
||||
element = assigned.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
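Review bot: hasActualResult reports the location of the assigned expression (`assigned.getLocation() = location`), not the field, so the `$ HardcodedPasswordField` tag must sit on the line of the initializer value; for the one-line declaration in Test.java the two coincide, but a field whose initializer wraps onto the next line would need its tag there, which is easy to get wrong. A short comment above the `exists` would prevent that, e.g. `// Location is the hard-coded value, not the field; annotate the initializer's line.`. A QLDoc summary on the class naming the predicate under test would also help readers who land here from the .expected diff.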
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-798/HardcodedPasswordField.ql
|
||||
@@ -6,16 +6,16 @@ public class HardcodedShiroKey {
|
||||
//BAD: hard-coded shiro key
|
||||
public void testHardcodedShiroKey(String input) {
|
||||
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
|
||||
cookieRememberMeManager.setCipherKey("TEST123".getBytes());
|
||||
cookieRememberMeManager.setCipherKey("TEST123".getBytes()); // $ HardcodedCredentialsApiCall
|
||||
|
||||
}
|
||||
|
||||
|
||||
//BAD: hard-coded shiro key encoded by java.util.Base64
|
||||
//BAD: hard-coded shiro key encoded by java.util.Base64
|
||||
public void testHardcodedbase64ShiroKey1(String input) {
|
||||
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
|
||||
java.util.Base64.Decoder decoder = java.util.Base64.getDecoder();
|
||||
cookieRememberMeManager.setCipherKey(decoder.decode("4AvVhmFLUs0KTA3Kprsdag=="));
|
||||
cookieRememberMeManager.setCipherKey(decoder.decode("4AvVhmFLUs0KTA3Kprsdag==")); // $ HardcodedCredentialsApiCall
|
||||
|
||||
}
|
||||
|
||||
@@ -23,7 +23,7 @@ public class HardcodedShiroKey {
|
||||
//BAD: hard-coded shiro key encoded by org.apache.shiro.codec.Base64
|
||||
public void testHardcodedbase64ShiroKey2(String input) {
|
||||
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
|
||||
cookieRememberMeManager.setCipherKey(org.apache.shiro.codec.Base64.decode("6ZmI6I2j5Y+R5aSn5ZOlAA=="));
|
||||
cookieRememberMeManager.setCipherKey(org.apache.shiro.codec.Base64.decode("6ZmI6I2j5Y+R5aSn5ZOlAA==")); // $ HardcodedCredentialsApiCall
|
||||
|
||||
}
|
||||
|
||||
|
||||
@@ -5,8 +5,8 @@ public class HardcodedSshjCredentials {
|
||||
public static void main(SSHClient client) {
|
||||
// BAD: Hardcoded credentials used for the session username and/or password.
|
||||
try {
|
||||
client.authPassword("Username", "password");
|
||||
client.authPassword("Username", "password".toCharArray());
|
||||
client.authPassword("Username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
client.authPassword("Username", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
}
|
||||
catch(IOException e) { }
|
||||
}
|
||||
|
||||
@@ -7,13 +7,13 @@ public class HardcodedTrileadSshCredentials {
|
||||
public static void main(Connection conn) {
|
||||
// BAD: Hardcoded credentials used for the session username and/or password.
|
||||
try {
|
||||
conn.authenticateWithPassword("Username", "password");
|
||||
conn.authenticateWithDSA("Username", "password", "key");
|
||||
conn.authenticateWithNone("Username");
|
||||
conn.getRemainingAuthMethods("Username");
|
||||
conn.isAuthMethodAvailable("Username", "method");
|
||||
conn.authenticateWithPublicKey("Username", "key".toCharArray(), "password");
|
||||
conn.authenticateWithPublicKey("Username", (File)null, "password");
|
||||
conn.authenticateWithPassword("Username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
conn.authenticateWithDSA("Username", "password", "key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
conn.authenticateWithNone("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
conn.getRemainingAuthMethods("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
conn.isAuthMethodAvailable("Username", "method"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
conn.authenticateWithPublicKey("Username", "key".toCharArray(), "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
conn.authenticateWithPublicKey("Username", (File)null, "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
|
||||
} catch(IOException e) { }
|
||||
}
|
||||
}
|
||||
@@ -11,28 +11,28 @@ public class Test {
|
||||
|
||||
test(url, usr, pass); // flow through method
|
||||
|
||||
DriverManager.getConnection(url, "admin", "123456"); // hard-coded user/pass used directly in call
|
||||
DriverManager.getConnection(url, usr, pass); // hard-coded user/pass flows into API call
|
||||
DriverManager.getConnection(url, "admin", "123456"); // $ HardcodedCredentialsApiCall
|
||||
DriverManager.getConnection(url, usr, pass); // $ HardcodedCredentialsApiCall
|
||||
|
||||
new java.net.PasswordAuthentication(usr, "123456".toCharArray()); // flow into char[] array
|
||||
new java.net.PasswordAuthentication(usr, pass.toCharArray()); // flow through variable, then char[] array
|
||||
new java.net.PasswordAuthentication(usr, "123456".toCharArray()); // $ HardcodedCredentialsApiCall
|
||||
new java.net.PasswordAuthentication(usr, pass.toCharArray()); // $ HardcodedCredentialsApiCall
|
||||
|
||||
byte[] key = {1, 2, 3, 4, 5, 6, 7, 8}; // hard-coded cryptographic key, flowing into API call below
|
||||
javax.crypto.spec.SecretKeySpec spec = new javax.crypto.spec.SecretKeySpec(key, "AES");
|
||||
javax.crypto.spec.SecretKeySpec spec = new javax.crypto.spec.SecretKeySpec(key, "AES"); // $ HardcodedCredentialsApiCall
|
||||
|
||||
byte[] key2 = "abcdefgh".getBytes(); // hard-coded cryptographic key, flowing into API call below
|
||||
javax.crypto.spec.SecretKeySpec spec2 = new javax.crypto.spec.SecretKeySpec(key2, "AES");
|
||||
javax.crypto.spec.SecretKeySpec spec2 = new javax.crypto.spec.SecretKeySpec(key2, "AES"); // $ HardcodedCredentialsApiCall
|
||||
|
||||
passwordCheck(pass); // flow through
|
||||
passwordCheck(pass); // $ HardcodedCredentialsSourceCall
|
||||
}
|
||||
|
||||
public static void test(String url, String user, String password) throws SQLException {
|
||||
DriverManager.getConnection(url, user, password); // sensitive API call (flow target)
|
||||
DriverManager.getConnection(url, user, password); // $ HardcodedCredentialsApiCall
|
||||
}
|
||||
|
||||
public static final String password = "myOtherPassword"; // hard-coded password
|
||||
public static final String password = "myOtherPassword"; // $ HardcodedPasswordField
|
||||
|
||||
public static boolean passwordCheck(String password) {
|
||||
return password.equals("admin"); // hard-coded password comparison
|
||||
return password.equals("admin"); // $ HardcodedCredentialsComparison
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@ class User {
|
||||
private static final String DEFAULT_PW = "123456"; // hard-coded password
|
||||
private String pw;
|
||||
public User() {
|
||||
setPassword(DEFAULT_PW); // sensitive call
|
||||
setPassword(DEFAULT_PW); // $ HardcodedCredentialsSourceCall
|
||||
}
|
||||
public void setPassword(String password) {
|
||||
pw = password;
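Review bot: `private static final String DEFAULT_PW = "123456"; // hard-coded password` gets no `$ HardcodedPasswordField` expectation even though it is the kind of hard-coded default password that query targets; the removed HardcodedPasswordField.expected earlier in this commit listed only Test.java:33, so this is presumably an existing limitation (likely the field-name heuristic) rather than a regression introduced here. Leaving the line unannotated silently bakes that gap into the inline expectations; a trailing comment such as `// not a HardcodedPasswordField result — known gap, confirm` would keep it visible to whoever next touches the query.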
|
||||
|
||||