4dfe1364d7
* Add csharp to rule S6418 * initial commit * update wording to be about c# * revert greg's change * Update Default detections/sensitivity --------- Co-authored-by: alex-meseldzija-sonarsource <alex-meseldzija-sonarsource@users.noreply.github.com> Co-authored-by: Alex Meseldzija <alexander.meseldzija@sonarsource.com> Co-authored-by: Gregory Paidis <115458417+gregory-paidis-sonarsource@users.noreply.github.com>
15 lines
959 B
Plaintext
15 lines
959 B
Plaintext
Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.
|
|
|
|
|
|
In the past, it has led to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25510[CVE-2022-25510]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42635[CVE-2021-42635]
|
|
|
|
Secrets should be stored outside of the source code in a configuration file or a management service for secrets.
|
|
|
|
|
|
This rule detects {detections} having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value.
|
|
The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.
|
|
|