SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 117

changes.mady.by.user Jon O'Donnell

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Hard coding sensitive information, such as passwords, server IP addresses, and encryption keys can expose the information to attackers. Anyone who has access to the class files can decompile them and discover the sensitive information. Leaking data protected by International Traffic in Arms Regulations (ITAR) or the Health Insurance Portability and Accountability Act (HIPAA) can also have legal consequences. Consequently, programs must not hard code sensitive information.

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC03-J

High

Probable

Medium

P12

L1

Automated Detection

ToolVersionCheckerDescription
CodeSonar

Include Page
CodeSonar_V
CodeSonar_V

JAVA.HARDCODED.PASSWD
JAVA.MISC.SD.EXT

Hardcoded Password (Java)
Sensitive Data Written to External Storage (Java)

Coverity7.5

HARDCODED_CREDENTIALS
CONFIG
FB.DMI_CONSTANT_DB_ PASSWORD
FB.DMI_EMPTY_DB_PASSWORD

Implemented
Fortify1.0

Password_Management
Password_Management__Hardcoded_Password

Partially implemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.MSC03.HCCS
CERT.MSC03.HCCK
CERT.MSC03.AHCA		Avoid passing hardcoded usernames/passwords/URLs to database connection methods
Avoid using hard-coded cryptographic keys
Avoid hard-coding the arguments to certain methods
PMD1.0AvoidUsingHardCodedIPPartially implemented
SonarQube
Include Page
SonarQube_V
SonarQube_V
S1313
S2068		Partially implemented

...

SEI CERT C Coding Standard

MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

ISO/IEC TR 24772:2010

Hard-coded Password [XYP]

MITRE CWE

CWE-259, Use of Hard-Coded Password
CWE-798, Use of Hard-Coded Credentials

...