From fb80d384469cfde9ad4c58b19a03a72b6d7974ed Mon Sep 17 00:00:00 2001
From: elsapet
Date: Wed, 31 Jan 2024 13:17:21 +0200
Subject: [PATCH] feat(java): empty database password rule (#208)
---
 rules/java/lang/empty_database_password.yml | 32 +++++++++++++++++++
 .../java/lang/empty_database_password/test.js | 18 +++++++++++
 .../testdata/main.java | 17 ++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 rules/java/lang/empty_database_password.yml
 create mode 100644 tests/java/lang/empty_database_password/test.js
 create mode 100644 tests/java/lang/empty_database_password/testdata/main.java
diff --git a/rules/java/lang/empty_database_password.yml b/rules/java/lang/empty_database_password.yml
new file mode 100644
index 000000000..bb81968d6
--- /dev/null
+++ b/rules/java/lang/empty_database_password.yml
@@ -0,0 +1,32 @@
+patterns:
+ - pattern: |
+ $.getConnection($<_>, $<_>, $)
+ filters:
+ - variable: SQL_DRIVER_MANAGER
+ regex: \A(java\.sql\.)?DriverManager\z
+ - variable: EMPTY_STRING
+ string_regex: \A\z
+
+languages:
+ - java
+severity: warning
+metadata:
+ description: "Empty database password detected."
+ remediation_message: |
+ ## Description
+
+ A database with an empty password is a security risk as its data is unprotected.
+ Database servers should be configured with appropriate authentication and restrictions, and their passwords should be stored and accessed securely - for example, through a Key Management Service (KMS).
+
+ ## Remediations
+
+ ❌ Do not configure database servers with empty passwords
+
+ ✅ Always ensure secure password management practices
+
+ ## Resources
+ - [OWASP hardcoded passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
+ cwe_id:
+ - 306
+ id: java_lang_empty_database_password
+ documentation_url: https://docs.bearer.com/reference/rules/java_lang_empty_database_password
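Review bot: As rendered, the pattern `$.getConnection($<_>, $<_>, $)` binds neither `SQL_DRIVER_MANAGER` nor `EMPTY_STRING`, so the two filters declared under it have nothing to constrain; this looks like the `$<…>` captures being stripped by the page rendering, but it is worth confirming the committed file reads `$<SQL_DRIVER_MANAGER>.getConnection($<_>, $<_>, $<EMPTY_STRING>)`, since without the bindings the rule would fire on any three-argument `getConnection` call. Coverage is limited to the three-argument overload with a string-valued password: the `getConnection(url, props)` overload with `password` set to an empty value in the `Properties`, and `DataSource`-style `setPassword("")`, will not match, which should be stated in the description or added as follow-up patterns. CWE-306 describes the consequence; if the taxonomy permits more than one id, CWE-258 (Empty Password in Configuration File) is the more specific weakness for this finding.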
diff --git a/tests/java/lang/empty_database_password/test.js b/tests/java/lang/empty_database_password/test.js
new file mode 100644
index 000000000..21cb8d19f
--- /dev/null
+++ b/tests/java/lang/empty_database_password/test.js
@@ -0,0 +1,18 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("empty_database_password", () => {
+ const testCase = "main.java"
+
+ const results = invoke(testCase)
+
+ expect(results.Missing).toEqual([])
+ expect(results.Extra).toEqual([])
+ })
+})
\ No newline at end of file
diff --git a/tests/java/lang/empty_database_password/testdata/main.java b/tests/java/lang/empty_database_password/testdata/main.java
new file mode 100644
index 000000000..38fd38058
--- /dev/null
+++ b/tests/java/lang/empty_database_password/testdata/main.java
@@ -0,0 +1,17 @@
+// Use bearer:expected java_lang_empty_database_password to flag expected findings
+import java.sql.Connection;
+import java.sql.DriverManager;
+
+public class Foo
+{
+ public static void bad() {
+ String url = "jdbc:mysql://localhost:3306/foo";
+ // bearer:expected java_lang_empty_database_password
+ Connection conn = DriverManager.getConnection(url, "root", "");
+ }
+
+ public static void ok() {
+ String url = "jdbc:mysql://localhost:3306/bar";
+ Connection conn = DriverManager.getConnection(url, "admin", "admin");
+ }
+}
\ No newline at end of file
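Review bot: `DriverManager.getConnection` throws the checked `SQLException`, so `bad()` and `ok()` in main.java do not compile as written; declare `public static void bad() throws SQLException {` (and likewise for `ok()`) with `import java.sql.SQLException;` so the fixture is valid Java even though the scanner only parses it. The fixture also pins only the literal `""` argument: adding a negative case such as `DriverManager.getConnection(url, "root", password)` with a non-empty local, and a case where `""` reaches the call through a local (`String pw = "";`), would document whether the rule is meant to resolve the value or only match the literal. A fixture using the `getConnection(url, props)` overload with an empty `password` property would likewise make the rule's current coverage boundary explicit in the test.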