16 lines
1011 B
Plaintext
16 lines
1011 B
Plaintext
=== on 23 Oct 2015, 18:35:38 Ann Campbell wrote:
|
|
FYI [~pierre-yves.nicolas]: COBOL subtask for RSPEC-2068 Credentials should not be hard-coded
|
|
|
|
=== on 26 Oct 2015, 12:47:30 Pierre-Yves Nicolas wrote:
|
|
\[~ann.campbell.2] What should we check here? Should we look for look for a more or less hardcoded password used in a database connection? I think that for other languages, we took a different approach: we look for variables which name contains "password" and which are assigned a hardcoded value.
|
|
|
|
|
|
|
|
=== on 26 Oct 2015, 13:28:15 Ann Campbell wrote:
|
|
\[~pierre-yves.nicolas] check out the Java code samples (RSPEC-2069), they parallel these quite closely. I.e. hard-coded strings used in the "password" position in a connection
|
|
|
|
=== on 26 Oct 2015, 13:42:44 Pierre-Yves Nicolas wrote:
|
|
\[~ann.campbell.2] OK, but I think that the current implementation of the Java rule would not catch the case mentioned in the example if the variable name was "pwd" instead of "password".
|
|
|
|
include::../comments-and-links.adoc[]
|