ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2115/java/how-to-fix-it/java-se.adoc

27 lines
847 B
Plaintext
Raw Normal View History

Modify rule S2115: Update to LaYC format (APPSEC-799) (#2927) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
2023-08-25 14:34:42 +02:00
== How to fix it in Java SE
=== Code examples
The following code uses an empty password to connect to a Postgres database.
The vulnerability can be fixed by using a strong password retrieved from Properties. This `database.password` property is set during deployment. Its value should be strong and different for each database.
==== Noncompliant code example
[source,java,diff-id=201,diff-type=noncompliant]
----
Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "login", ""); // Noncompliant
----
==== Compliant solution
[source,java,diff-id=201,diff-type=compliant]
----
String password = System.getProperty("database.password");
Connection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "login", password);
----
=== Pitfalls
include::../../common/pitfalls/hard-coded.adoc[]
Reference in New Issue Copy Permalink