File tree Expand file tree Collapse file tree 3 files changed +451
-0
lines changed Expand file tree Collapse file tree 3 files changed +451
-0
lines changed Original file line number Diff line number Diff line change 1+ id : java-jwt-hardcoded-secret-java
2+ severity : warning
3+ language : java
4+ message : >-
5+ A hard-coded credential was detected. It is not recommended to store
6+ credentials in source-code, as this risks secrets being leaked and used by
7+ either an internal or external malicious adversary. It is recommended to
8+ use environment variables to securely provide credentials or retrieve
9+ credentials from a secure vault or HSM (Hardware Security Module).
10+ note : >-
11+ [CWE-798] Use of Hard-coded Credentials.
12+ [REFERENCES]
13+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
14+ utils :
15+ $ALGO.$HMAC("$Y") :
16+ kind : string_literal
17+ inside :
18+ stopBy : end
19+ kind : local_variable_declaration
20+ all :
21+ - has :
22+ stopBy : neighbor
23+ kind : type_identifier
24+ regex : ' ^Algorithm$'
25+ - has :
26+ stopBy : neighbor
27+ kind : variable_declarator
28+ all :
29+ - has :
30+ stopBy : neighbor
31+ pattern : $$$
32+ - has :
33+ stopBy : neighbor
34+ kind : method_invocation
35+ all :
36+ - has :
37+ stopBy : neighbor
38+ pattern : $$$
39+ - has :
40+ stopBy : neighbor
41+ kind : identifier
42+ regex : (^HMAC384|HMAC256|HMAC512$)
43+ - has :
44+ stopBy : neighbor
45+ kind : argument_list
46+ has :
47+ stopBy : neighbor
48+ kind : string_literal
49+ pattern : $S
50+ $ALGO.$HMAC($SECRET) :
51+ kind : string_literal
52+ all :
53+ - inside :
54+ stopBy : neighbor
55+ kind : variable_declarator
56+ all :
57+ - has :
58+ stopBy : neighbor
59+ kind : identifier
60+ pattern : $T
61+ - has :
62+ stopBy : neighbor
63+ kind : string_literal
64+ pattern : $S
65+ - inside :
66+ stopBy : end
67+ kind : class_declaration
68+ has :
69+ stopBy : end
70+ kind : method_declaration
71+ has :
72+ stopBy : end
73+ kind : local_variable_declaration
74+ all :
75+ - has :
76+ stopBy : neighbor
77+ kind : type_identifier
78+ regex : ' ^Algorithm$'
79+ - has :
80+ stopBy : neighbor
81+ kind : variable_declarator
82+ all :
83+ - has :
84+ stopBy : neighbor
85+ kind : identifier
86+ - has :
87+ stopBy : neighbor
88+ kind : method_invocation
89+ all :
90+ - has :
91+ stopBy : neighbor
92+ pattern : $$$
93+ - has :
94+ stopBy : neighbor
95+ kind : identifier
96+ regex : (^HMAC384|HMAC256|HMAC512$)
97+ - has :
98+ stopBy : neighbor
99+ kind : argument_list
100+ has :
101+ stopBy : neighbor
102+ kind : identifier
103+ pattern : $T
104+ rule :
105+ kind : string_literal
106+ any :
107+ - matches : $ALGO.$HMAC("$Y")
108+ - matches : $ALGO.$HMAC($SECRET)
109+ constraints :
110+ S :
111+ not :
112+ regex : ^""$
You can’t perform that action at this time.
0 commit comments