rspec/rules/S2068/cobol/comments-and-links.adoc

=== On 2015-10-23T18:35:38Z Ann Campbell Wrote:
FYI [~pierre-yves.nicolas]: COBOL subtask for RSPEC-2068 Credentials should not be hard-coded
=== On 2015-10-26T12:47:30Z Pierre-Yves Nicolas Wrote:
\[~ann.campbell.2] What should we check here? Should we look for a more or less hardcoded password used in a database connection? I think that for other languages, we took a different approach: we look for variables whose name contains "password" and which are assigned a hardcoded value.
=== On 2015-10-26T13:28:15Z Ann Campbell Wrote:
\[~pierre-yves.nicolas] check out the Java code samples (RSPEC-2069), they parallel these quite closely. I.e. hard-coded strings used in the "password" position in a connection
=== On 2015-10-26T13:42:44Z Pierre-Yves Nicolas Wrote:
\[~ann.campbell.2] OK, but I think that the current implementation of the Java rule would not catch the case mentioned in the example if the variable name was "pwd" instead of "password".
include::../comments-and-links.adoc[]