Skip to content

Java: CWE-555 Query to detect plaintext credentials in Java properties files #5538

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Apr 12, 2021
Merged

Java: CWE-555 Query to detect plaintext credentials in Java properties files #5538

merged 6 commits into from
Apr 12, 2021

Conversation

luchua-bc
Copy link
Contributor

It's a very common issue that credentials are stored in plaintext in application’s properties files. Common credentials include but are not limited to LDAP, mail, database, proxy account, and so on. Credentials management issues occur with such a configuration. Storing plaintext credentials in a properties file allows anyone who can read the file access to the protected resource. Good credentials management guidelines require that credentials never be stored in plaintext.

This query detects plaintext credentials stored in Java properties files by checking common patterns of confidential credentials used in Java applications.

Please consider to merge the PR. Thanks.

@luchua-bc luchua-bc requested a review from a team as a code owner March 26, 2021 02:41
@luchua-bc luchua-bc mentioned this pull request Mar 26, 2021
Closed
1 task
smowton
smowton reviewed Mar 26, 2021
View reviewed changes
Marcono1234
Marcono1234 reviewed Mar 28, 2021
View reviewed changes
@luchua-bc luchua-bc force-pushed the java/credentials-in-properties branch from 77aa8a2 to 5ce3f9d Compare March 28, 2021 16:14
@luchua-bc luchua-bc force-pushed the java/credentials-in-properties branch from dac7b5b to 1349bf7 Compare March 30, 2021 11:26
smowton
smowton reviewed Apr 9, 2021
View reviewed changes
@luchua-bc
Copy link
Contributor Author

@smowton Thanks for reviewing this PR. However, as the relevant issue #327 has already been rejected and closed, do we still want to make changes to this query? Please advise.

@smowton
Copy link
Contributor

smowton commented Apr 9, 2021

It's up to you. I'm happy to merge the simple version of this as basically useful, if too simple for the bounty program.

@luchua-bc
Copy link
Contributor Author

OK, I will make the changes since it will be merged into main and I still believe it's a useful query.

smowton
smowton reviewed Apr 12, 2021
View reviewed changes
Copy link
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also I believe some of the Spring additions are no longer required?

@luchua-bc
Copy link
Contributor Author

I've removed unused Java programs since the query only checks properties files now.

@smowton smowton merged commit 2656a52 into github:main Apr 12, 2021
@luchua-bc luchua-bc deleted the java/credentials-in-properties branch April 12, 2021 14:40
@smowton smowton self-assigned this May 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smowton smowton smowton approved these changes

+1 more reviewer

@Marcono1234 Marcono1234 Marcono1234 left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@smowton smowton

Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@luchua-bc @smowton @Marcono1234