
Security Analysis - Password Management: Password in Configuration File

Open lpalashevski opened this issue 3 years ago • 4 comments

OWASP Password Plaintext Storage

Recommended fix: Remove plain text passwords from configuration files stored inside applications:

  • egeria/open-metadata-implementation/user-interfaces/ui-chassis/ui-chassis-spring/src/main/resources/application.properties
  • egeria/open-metadata-implementation/server-chassis/server-chassis-spring/src/main/resources/application.properties

We need to check the impact and come up with mitigation plan.

lpalashevski avatar Dec 18 '20 12:12 lpalashevski

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Feb 17 '21 00:02 github-actions[bot]

We need to keep this open.

Passwords do feature in a number of places. Generally

  • for tests
  • in the case of the UI - hardcoded for the demo experience, can be configured out (should change default imo)
  • samples have password such as our coco lab environment - only applies if sample helm chart installed
  • passwords for keystore in the spring config files -- again this is only a default (and uses default certs)

I think we should do a more thorough review and ensure we have actions/mitigations or docs covering each case. However I'm not aware of any significant issues of immediate concern.

planetf1 avatar Mar 09 '21 08:03 planetf1
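The issue body recommends removing plain-text passwords from the two `application.properties` files, and the comment above lists where such values tend to appear (tests, UI demo defaults, sample charts, keystore passwords in the Spring config). As an added example, not code from the Egeria project or from either commenter, the script below is the kind of check a reviewer could run over a Spring-style properties file during the review the comment proposes: it flags secret-looking keys whose value is a literal rather than a `${...}` placeholder resolved from the environment at startup. The key-name heuristic and the sample file contents are assumptions constructed for this example.

```python
"""Flag literal credentials in a Spring-style application.properties file."""
import re
from typing import List, Tuple

# Assumption: a key is treated as a secret if its name contains one of these words.
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|credential|token)", re.IGNORECASE)
# A value of the form ${NAME} is resolved from externalized config, not embedded in the file.
PLACEHOLDER_PATTERN = re.compile(r"^\$\{[^}]+\}$")


def parse_properties(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, value) for each 'key=value' or 'key: value' line.

    Comment lines (# or !) and blank lines are skipped. Backslash continuation
    lines are not handled, which is enough for the flat files discussed here.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if not match:
            continue
        entries.append((lineno, match.group(1), match.group(2).strip()))
    return entries


def find_plaintext_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for secret-looking keys holding a literal value.

    Empty values and ${...} placeholders are accepted; anything else is reported
    so it can be moved to an environment variable or a secret store.
    """
    findings = []
    for lineno, key, value in parse_properties(text):
        if not SECRET_KEY_PATTERN.search(key):
            continue
        if value == "" or PLACEHOLDER_PATTERN.match(value):
            continue
        findings.append((lineno, key))
    return findings


# Constructed sample modelled on a Spring Boot application.properties; every value is made up.
SAMPLE_PROPERTIES = """\
# constructed example, not Egeria's real file
server.port=9443
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=changeit
server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
spring.datasource.username=admin
spring.datasource.password=admin123
"""

if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_PROPERTIES):
        print(f"line {lineno}: '{key}' holds a literal value; externalize it via a ${{...}} placeholder")
```

On the constructed sample the two literal password lines are reported, while the trust-store entry, which already uses a placeholder, passes. Replacing a default such as `changeit` with `${KEYSTORE_PASSWORD}` keeps the file in source control without the secret, and a missing variable then fails at startup instead of silently shipping a known default.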

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar May 23 '21 00:05 github-actions[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Aug 09 '21 00:08 github-actions[bot]