46 lines
3.1 KiB
Plaintext
46 lines
3.1 KiB
Plaintext
=== on 25 Nov 2014, 20:38:42 Freddy Mallet wrote:
|
|
\[~ann.campbell.2] and [~nicolas.peru], for a first implementation, I would do the following things :
|
|
|
|
* Search for all literals containing "password=xxxx"
|
|
* Search for all local variable whose names contains 'password' and which are initialized with a hardcoded literal.
|
|
|
|
=== on 15 Dec 2014, 10:14:47 Freddy Mallet wrote:
|
|
I've removed the tag "owasp-top10", as this vulnerability is no more part of OWASP Top 10 2013 in MITRE CWE referential
|
|
|
|
=== on 2 Feb 2015, 20:11:55 Sébastien Gioria wrote:
|
|
It's part of OWASP Top10 2013 A2
|
|
|
|
=== on 3 Feb 2015, 19:50:13 Ann Campbell wrote:
|
|
Thanks [~sebastien.gioria]
|
|
|
|
=== on 18 May 2017, 15:06:06 Ann Campbell wrote:
|
|
In addition to "password", "passwd", &etc. implementations of this rule should also look for translations (list compiled with the help of Google Translate):
|
|
|
|
|
|
achinsinsi, adgangskode, codice, contrasena, contrasenya, contrasinal, cynfrinair, facal-faire, facalfaire, fjaleklaim, focalfaire, geslo, haslo, heslo, iphasiwedi, jelszo, kalmarsirri, katalaluan, katasandi, kennwort, kode, kupuhipa, loluszais, losen, losenord, lozinka, lykilorth, mathkau, modpas, motdepasse, olelohuna, oroigbaniwole, parol, parola, parole, parool, pasahitza, pasiwedhi, passe, passord, passwort, passwuert, paswoodu, phasewete, salasana, sandi, senha, sifre, sifreya, slaptazois, tenimiafina, upufaalilolilo, wachtwoord, wachtwurd, wagwoord
|
|
|
|
=== on 2 Mar 2018, 10:09:05 Tibor Blenessy wrote:
|
|
For posterity, list of translated words was removed and replaced by customizable parameter, because this was raising too many false postives. See https://groups.google.com/a/sonarsource.com/forum/?utm_medium=email&utm_source=footer#!msg/dogfood-rules/QFT49lKYYGM/Q5ebuctTAgAJ[dogfood] and other discussions.
|
|
|
|
=== on 3 May 2018, 18:21:25 Tibor Blenessy wrote:
|
|
\[~freddy.mallet] why do you think that semantic analysis is required? Current implementations (at least in SonarJava, SonarTS, SonarGo) rely only on AST, checking literal value or identifier name.
|
|
|
|
=== on 16 May 2018, 12:15:16 Freddy Mallet wrote:
|
|
You're right [~tibor.blenessy] according to the current functional scope of this rule. I've updated the 'Analysis Level' field. Thanks
|
|
|
|
=== on 29 Oct 2019, 19:55:00 Ann Campbell wrote:
|
|
\[~tolun.ardahanli] the https://docs.sonarqube.org/latest/extend/adding-coding-rules/#header-4[rule writing guide] says titles should be plural when possible. (Call me if you want the English language reasons.) If there's a reason to make this one singular, then it now needs an article.
|
|
|
|
=== on 30 Oct 2019, 14:56:47 Tolun Ardahanli wrote:
|
|
\[~ann.campbell.2] Thank you for your sharing and suggestion. I updated.
|
|
|
|
=== on 3 Mar 2020, 11:04:08 Pavel Mikula wrote:
|
|
Hi [~pierre-loup.tristant],
|
|
|
|
|
|
Have you considered usage of term URI instead of URL? URI seems more generic to me and RFC 3986 defines URI and userInfo part of it. So I think URI should be prefered here.
|
|
|
|
=== on 3 Mar 2020, 15:14:17 Pierre-Loup Tristant wrote:
|
|
\[~pavel.mikula] I agree with you it should be URI instead or URL. You can go for "Review this hard-coded URI, which may contain a credential." as the new issue message.
|
|
|