Java code with hardcoded credentials #159
What happened:
We are evaluating Horusec using a Java project that has hardcoded credentials in it. When we ran the analysis, Horusec did not warn us about the use of hardcoded credentials in our Java file. Maybe we are missing some configuration, so I'm opening this issue to discuss the code below and to understand whether it should be reported as a security issue by the Horusec analysis.
This is the code with hardcoded credentials:
In this example we are setting a plaintext password and using it to open a database connection. Shouldn't Horusec identify these lines as a security issue?
Environment:
Comments
Thanks for your report @rafaelrenanpacheco. Currently at Horusec we only perform analyses using the syntactic analysis method. With this we have some limitations, one of which is that we perform an analysis in search of exposed passwords based on the regexes below:
As in your case it is a variable
Hello @wiliansilvazup! Thanks for the explanation, we will continue with our evaluation. If I understood correctly, what is missing now is some kind of semantic analysis. Please let us know when Horusec gets semantic analysis in its engine. Best regards,
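An added illustration of the gap this thread describes (example code, not Horusec's engine and not the Java from the issue, which is not reproduced on the page): a regex keyed on credential-like identifier names, next to a minimal assignment-tracking pass that resolves the password argument of DriverManager.getConnection back to a string literal. The Java snippets, the regexes and the placeholder values are all constructed for this example.

```python
import re

# Constructed Java samples (not the code from the issue). In HARDCODED the
# password is a string literal held in a variable whose name no credential
# regex would match; in FROM_ENV the same variable is filled from the environment.
HARDCODED = '''
String url = "jdbc:postgresql://db.example.internal/app";
String account = "app_user";
String token = "not-a-real-secret";  // constructed placeholder value
Connection c = DriverManager.getConnection(url, account, token);
'''
FROM_ENV = HARDCODED.replace('"not-a-real-secret"', 'System.getenv("DB_PASSWORD")')

# Syntactic rule: a credential-looking name assigned a string literal.
CRED_NAME = re.compile(r'(?i)\b(?:password|passwd|pwd|secret)\w*\s*=\s*"[^"]*"')
# Pieces for the assignment-tracking pass: literal assignments and the sink.
LITERAL_ASSIGN = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"\s*;')
GET_CONNECTION = re.compile(r'DriverManager\.getConnection\(([^)]*)\)')


def syntactic_scan(src):
    """Regex-only check, the kind of rule the comment above describes."""
    return [m.group(0).strip() for m in CRED_NAME.finditer(src)]


def dataflow_scan(src):
    """Resolve the third (password) argument of getConnection through
    straight-line literal assignments; a literal or a variable bound to a
    literal is reported, anything else (env lookup, parameter) is not."""
    literals = dict(LITERAL_ASSIGN.findall(src))
    findings = []
    for call in GET_CONNECTION.finditer(src):
        args = [a.strip() for a in call.group(1).split(',')]
        if len(args) < 3:
            continue  # only the (url, user, password) overload is modelled here
        pwd_arg = args[2]
        if pwd_arg.startswith('"'):
            findings.append(('literal', pwd_arg))
        elif pwd_arg in literals:
            findings.append(('variable', pwd_arg))
    return findings


if __name__ == "__main__":
    print("syntactic:", syntactic_scan(HARDCODED))  # []
    print("dataflow :", dataflow_scan(HARDCODED))   # [('variable', 'token')]
    print("env-based:", dataflow_scan(FROM_ENV))    # []
```

The name-based rule stays silent on HARDCODED because the literal never sits next to a word like "password", while the assignment-tracking pass flags it and still stays silent when the value comes from System.getenv.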