Java: support more libraries in hardcoded-credentials queries #10041

smowton · 2022-08-13T13:08:47Z

This is abandoned external PR #6716, but I have also written tests and ported the hardcoded-creds queries to use inline-expectations tests so it's practically possible to verify that the results are as expected.

…ctations

Specifically Apache sshd defines its sensitive api calls on an inherited interface, and they need to be described that way for us to pick them up.

java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll

java/ql/lib/semmle/code/java/security/SensitiveApi.qll

atorralba

LGTM! Thanks for doing this.

I always wonder, though — how much of this should be covered by secret scanning and not CodeQL?

java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll

Daniel Santos and others added 4 commits August 13, 2022 12:39

Additional hardcoded credentials candidates 3rd-party api calls

60e0f09

Add stubs and tests for new hardcoded-credential sinks

0a6ccbc

Split up hardcoded creds queries, ready for conversion to inline expe…

ddb0846

…ctations

Convert tests to inline expectations and fix one bug revealed doing so

b62e9dc

Specifically Apache sshd defines its sensitive api calls on an inherited interface, and they need to be described that way for us to pick them up.

smowton requested a review from a team as a code owner August 13, 2022 13:08

github-actions bot added the Java label Aug 13, 2022

smowton mentioned this pull request Aug 13, 2022

Java: Additional hardcoded credentials candidates 3rd-party api calls #6716

Closed

github-advanced-security bot found potential problems Aug 13, 2022

View reviewed changes

java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll Fixed Show fixed Hide fixed

smowton added 2 commits August 13, 2022 14:20

Add missing qldoc

8bea2a5

Add change note

c5e46f7

github-actions bot added the documentation label Aug 13, 2022

github-advanced-security bot found potential problems Aug 13, 2022

View reviewed changes

java/ql/lib/semmle/code/java/security/SensitiveApi.qll Fixed Show fixed Hide fixed

Spelling

ca4ef65

smowton requested a review from a team as a code owner August 15, 2022 10:13

github-actions bot added the Go label Aug 15, 2022

smowton added 3 commits August 15, 2022 12:08

Adjust test to moved and expanded stubs

38c0557

Remove non-ascii char

c40ec72

Fix qldoc wording

e27d62b

smowton force-pushed the AddSensitiveApiCalls branch from 4ef22b7 to e27d62b Compare August 15, 2022 11:08

github-actions bot removed the Go label Aug 15, 2022

atorralba previously approved these changes Aug 23, 2022

View reviewed changes

atorralba reviewed Aug 23, 2022

View reviewed changes

java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll Show resolved Hide resolved

Add java imports

131d604

smowton dismissed atorralba’s stale review via 131d604 August 23, 2022 08:41

atorralba approved these changes Aug 23, 2022

View reviewed changes

smowton merged commit 0a7350f into github:main Aug 23, 2022

xcorail mentioned this pull request Aug 23, 2022

Additional hardcoded credentials candidates 3rd-party api calls github/securitylab#432

Closed

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Java: support more libraries in hardcoded-credentials queries #10041

Java: support more libraries in hardcoded-credentials queries #10041

Uh oh!

smowton commented Aug 13, 2022

Uh oh!

Uh oh!

Uh oh!

atorralba left a comment

Uh oh!

Uh oh!

Uh oh!

Java: support more libraries in hardcoded-credentials queries #10041

Java: support more libraries in hardcoded-credentials queries #10041

Uh oh!

Conversation

smowton commented Aug 13, 2022

Uh oh!

Uh oh!

Uh oh!

atorralba left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!