ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6418/java/rule.adoc
Sebastien Andrivet daf0320d42
Fix link (#3986)
2024-06-11 09:28:41 +02:00

94 lines
2.9 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
[source,java]
----
private static final String MY_SECRET = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";
public static void main(String[] args) {
MyClass.callMyService(MY_SECRET);
}
----
== Compliant Solution
Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secrets-manager[AWS Secrets Manager]:
[source,java]
----
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
public static void main(String[] args) {
SecretsManagerClient secretsClient = ...
MyClass.doSomething(secretsClient, "MY_SERVICE_SECRET");
}
public static void doSomething(SecretsManagerClient secretsClient, String secretName) {
GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
.secretId(secretName)
.build();
GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
String secret = valueResponse.secretString();
// do something with the secret
MyClass.callMyService(secret);
}
----
Using https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli[Azure Key Vault Secret]:
[source,java]
----
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
public static void main(String[] args) throws InterruptedException, IllegalArgumentException {
String keyVaultName = System.getenv("KEY_VAULT_NAME");
String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";
SecretClient secretClient = new SecretClientBuilder()
.vaultUrl(keyVaultUri)
.credential(new DefaultAzureCredentialBuilder().build())
.buildClient();
MyClass.doSomething(secretClient, "MY_SERVICE_SECRET");
}
public static void doSomething(SecretClient secretClient, String secretName) {
KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
String secret = retrievedSecret.getValue(),
// do something with the secret
MyClass.callMyService(secret);
}
----
== See
* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../parameters.adoc[]
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink