Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(java): empty database password rule (CWE-306) #208

Merged
merged 1 commit into from
Jan 31, 2024
Merged

feat(java): empty database password rule (CWE-306) #208

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions rules/java/lang/empty_database_password.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
patterns:
- pattern: |
$<SQL_DRIVER_MANAGER>.getConnection($<_>, $<_>, $<EMPTY_STRING>)
filters:
- variable: SQL_DRIVER_MANAGER
regex: \A(java\.sql\.)?DriverManager\z
- variable: EMPTY_STRING
string_regex: \A\z

languages:
- java
severity: warning
metadata:
description: "Empty database password detected."
remediation_message: |
## Description

A database with an empty password is a security risk as its data is unprotected.
Database servers should be configured with appropriate authentication and restrictions, and their passwords should be stored and accessed securely - for example, through a Key Management Service (KMS).

## Remediations

❌ Do not configure database servers with empty passwords

✅ Always ensure secure password management practices

## Resources
- [OWASP hardcoded passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
cwe_id:
- 306
id: java_lang_empty_database_password
documentation_url: https://docs.bearer.com/reference/rules/java_lang_empty_database_password
18 changes: 18 additions & 0 deletions tests/java/lang/empty_database_password/test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
const {
createNewInvoker,
getEnvironment,
} = require("../../../helper.js")
const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)

describe(ruleId, () => {
const invoke = createNewInvoker(ruleId, ruleFile, testBase)

test("empty_database_password", () => {
const testCase = "main.java"

const results = invoke(testCase)

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
})
17 changes: 17 additions & 0 deletions tests/java/lang/empty_database_password/testdata/main.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
// Use bearer:expected java_lang_empty_database_password to flag expected findings
import java.sql.Connection;
import java.sql.DriverManager;

public class Foo
{
public static void bad() {
String url = "jdbc:mysql://localhost:3306/foo";
// bearer:expected java_lang_empty_database_password
Connection conn = DriverManager.getConnection(url, "root", "");
}

public static void ok() {
String url = "jdbc:mysql://localhost:3306/bar";
Connection conn = DriverManager.getConnection(url, "admin", "admin");
}
}
Loading