Java: CWE-798 Query to detect hard-coded Azure credentials#5852

Merged
smowton merged 5 commits intogithub:mainfrom
luchua-bc:java/hardcoded-azure-credential
Sep 30, 2021

Conversation

@luchua-bc
Contributor

Microsoft Azure is one of the most popular cloud computing solutions for building, testing, deploying, and managing applications and services in the cloud.

Azure offers a well-maintained Java SDK for provisioning, managing, and using Azure resources from Java application code. The Azure SDK for Java is composed of many individual Java libraries that relate to specific Azure services.

The query detects calls to the Azure SDK with a hard-coded user name and password or client secret.

Please consider merging the PR. Thanks.

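As an added illustration of the pattern described above (example code, not part of this PR or of the CodeQL repository): the two credential builders from `com.azure.identity` that the description names, once with literal secrets in source and once with the secret supplied at runtime. The tenant and client id values are constructed placeholders; the builder and method names are those of the Azure Identity library for Java.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.identity.UsernamePasswordCredentialBuilder;

public class AzureCredentialExamples {

    // Constructed placeholder identifiers. Tenant and client ids are not
    // secrets; only the secret/password arguments matter here.
    private static final String TENANT_ID = "00000000-0000-0000-0000-000000000000";
    private static final String CLIENT_ID = "11111111-1111-1111-1111-111111111111";

    // BAD: client secret embedded in source. A string literal passed to
    // clientSecret() is the shape of call the query description targets.
    static TokenCredential hardCodedClientSecret() {
        return new ClientSecretCredentialBuilder()
                .tenantId(TENANT_ID)
                .clientId(CLIENT_ID)
                .clientSecret("s3cr3t-value-checked-into-git")
                .build();
    }

    // BAD: user name and password embedded in source.
    static TokenCredential hardCodedUsernamePassword() {
        return new UsernamePasswordCredentialBuilder()
                .clientId(CLIENT_ID)
                .username("svc-account@example.com")
                .password("P@ssw0rd")
                .build();
    }

    // GOOD: the secret is injected by the deployment platform through the
    // process environment, so no credential material lives in the repository.
    static TokenCredential secretFromEnvironment() {
        String secret = System.getenv("AZURE_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("AZURE_CLIENT_SECRET is not set");
        }
        return new ClientSecretCredentialBuilder()
                .tenantId(TENANT_ID)
                .clientId(CLIENT_ID)
                .clientSecret(secret)
                .build();
    }

    // BETTER: DefaultAzureCredential needs no secret in code at all. It tries
    // the environment, managed identity and developer-tool logins in turn,
    // so the same build runs on a workstation and on a VM or container with a
    // managed identity.
    static TokenCredential managedIdentityOrEnvironment() {
        return new DefaultAzureCredentialBuilder().build();
    }

    public static void main(String[] args) {
        TokenCredential cred = managedIdentityOrEnvironment();
        System.out.println("Credential type: " + cred.getClass().getSimpleName());
    }
}
```

Rotating a secret that has already been committed is the only real remediation for the two BAD methods; deleting the literal from a later commit leaves it in history.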
@luchua-bc luchua-bc force-pushed the java/hardcoded-azure-credential branch from 50cad57 to fc7d340 on May 7, 2021 13:17
Contributor

@smowton smowton left a comment

Add a change note

@luchua-bc
Contributor Author

Thanks @smowton for reviewing this PR. I've made all requested changes. Please re-review.

@smowton
Contributor

smowton commented May 14, 2021

@aschackmull I note two of the predicates in SensitiveApi.qll say // Auto-generated using an auxiliary query run on the JDK source code.. Is it acceptable to add to the end of that list or is that aux query re-run periodically with the risk of overwriting these changes? Perhaps we should define additional predicates for manually-added methods outside the JDK?

Contributor

@smowton smowton left a comment

lgtm; over to @aschackmull for final review

@luchua-bc
Contributor Author

@aschackmull @smowton I'll close this PR once @bananabr or another staff merges this query. Or please close it on my behalf.

@smowton smowton merged commit 60a023d into github:main Sep 30, 2021
@smowton
Contributor

smowton commented Sep 30, 2021

Sorry, forgot about this because it wasn't in the bug bounty program any longer

@luchua-bc
Contributor Author

@smowton Thanks for merging the code and closing the PR. I know it wasn't in the bug bounty program any longer, as per the previous discussion, and I just wanted to have the code contributed to the repository so there is one fewer open PR :-)

@luchua-bc luchua-bc deleted the java/hardcoded-azure-credential branch September 30, 2021 13:21
@bananabr
Contributor

Hi @luchua-bc,

I can definitely work on merging this query. I had an impossible week but I plan to work on my PR soon.

@luchua-bc
Contributor Author

Thanks @bananabr for the update.
