rspec/rules/S2068/description.adoc

Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.


In the past, it has led to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]

Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets. 


This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.


It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ...
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`In the past, it has led to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]`

Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ...`