Java: Additional hardcoded credentials candidates 3rd-party api calls
Included the methods that might receive hard-coded credential material in their parameters from some of the most used SSH, FTP, and MongoDB Java libraries in the Maven official repository to the SensitiveApi.qll library.
I can provide at least one valid result from each of the added services/libs but as these are credential disclosure issues, I would like to do that through a private channel.
Should I move this into an experimental query?
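As an added illustration (not code from the PR or from the CodeQL repository) of the kind of call the new SensitiveApi.qll entries are meant to capture: the `java/security/CWE-798` query flags string or char-array literals that flow into a parameter a library treats as credential material. The PR does not name the specific libraries it modelled, so the classes used here (JSch for SSH, Apache Commons Net for FTP, the MongoDB Java driver) are assumptions chosen as representative examples. The first method shows the hardcoded pattern a CWE-798 test would expect to be reported, the second the remediated form where the secret is resolved at runtime from the environment.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import com.mongodb.MongoCredential;
import org.apache.commons.net.ftp.FTPClient;

public class CredentialSinkExamples {

    // Pattern the hardcoded-credentials query is meant to report: a literal
    // (or a compile-time constant) reaches a parameter that the library
    // uses as a password. The secret ends up in the binary and in source control.
    public static void hardcoded() throws Exception {
        Session session = new JSch().getSession("deploy", "ssh.example.invalid", 22);
        session.setPassword("s3cr3t-literal");                      // credential sink: SSH password

        FTPClient ftp = new FTPClient();
        ftp.connect("ftp.example.invalid");
        ftp.login("backup", "hunter2");                             // credential sink: FTP password

        MongoCredential cred = MongoCredential.createCredential(
                "app", "admin", "changeme".toCharArray());         // credential sink: MongoDB password
    }

    // Remediated form: the same sinks are still called, but the password
    // originates from the process environment (or a secrets manager),
    // so no literal flows into the sensitive parameter.
    public static void fromEnvironment() throws Exception {
        Session session = new JSch().getSession("deploy", "ssh.example.invalid", 22);
        session.setPassword(requireEnv("SSH_PASSWORD"));

        FTPClient ftp = new FTPClient();
        ftp.connect("ftp.example.invalid");
        ftp.login("backup", requireEnv("FTP_PASSWORD"));

        MongoCredential cred = MongoCredential.createCredential(
                "app", "admin", requireEnv("MONGO_PASSWORD").toCharArray());
    }

    // Helper (assumed, not part of any library): fail fast on a missing secret
    // rather than silently falling back to a default value.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("required environment variable not set: " + name);
        }
        return value;
    }
}
```

When such a file is used as a query test, only the calls in `hardcoded()` should appear in the expected results; `fromEnvironment()` doubles as a negative case that checks the sink models do not produce false positives when the argument is not a literal.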
This is straightforward enough that assuming seclab can confirm the results are reasonable I'd be happy to take it straight into the non-experimental library
I already have an issue open for this https://github.com/github/securitylab/issues/432, just need to know about the best way to provide the seclab with the results as they contain potentially confidential information.
Please add to the tests in java/ql/test/security/CWE-798 (and any needed stubs to java/ql/test/stubs). This is basically checking that all the method prototypes you've given here are spelled correctly.
Please add a change note in java/change-notes briefly summarising what has changed.
Will do for sure, @smowton. I should push the changes in the next couple of days.
ping @bananabr
Hey @smowton. I am going through a phase where dedicating time to this PR is almost impossible. Please, feel free to close it if you need.
I finally got some free time to work on this, so I've added tests at https://github.com/github/codeql/pull/10041
Merged via #10041