
Reputation: 101

Sonar "Credentials should not be hard-coded" Error

In my application I have an ApplicationConstants.java class that holds the String constants used in the application. I have public static final String PASSWORD = "password" as one of the constants. Sonar throws an error for that, as below. Kindly let me know if there is a way to handle the same.

Sonar error: Credentials should not be hard-coded: Remove this hard-coded password. (Resource: EnrollmentConstant.java; new issue)

Upvotes: 9

Views: 19718

Answers (7)

Debid

Reputation: 1

If you're working on an internal project and just want to pass sonar without using any configuration or properties, then just rename the variable "PASSWORD" to something else.

Upvotes: 0

ayushMishra

Reputation: 1

If you're working with a Spring Boot project, a simple solution could be, instead of storing the password in the same Java class, to store the password in the application.yml file and then read the property in the Java class using the @Value annotation over the password variable. I hope this will help.

Upvotes: 0
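The Spring Boot arrangement described in the answer above, as an added example (not code from the original question or answer). The `enrollment.password` key, the `ENROLLMENT_PASSWORD` environment variable and the `EnrollmentClient` class are assumed names chosen for the illustration; the application.yml fragment is shown in the leading comment because it is the other half of the same setup.

```java
// application.yml (constructed for this example):
//
//   enrollment:
//     password: ${ENROLLMENT_PASSWORD}   # resolved from the environment at startup
//
// With the value supplied by the environment, no password literal exists in
// the source tree or the build artefact, so the Sonar rule has nothing to flag,
// and rotating the password is a redeploy with a new variable, not a rebuild.
package com.example.enrollment;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class EnrollmentClient {

    private final String password;

    // Constructor injection: Spring resolves "${enrollment.password}" from
    // application.yml, which itself defers to ENROLLMENT_PASSWORD. If the
    // variable is unset Spring fails at startup with an unresolved-placeholder
    // error, which is the behaviour you want for a missing secret.
    public EnrollmentClient(@Value("${enrollment.password}") String password) {
        if (password == null || password.isBlank()) {
            // Fail fast rather than letting an empty credential reach the
            // remote system and produce a confusing authentication error.
            throw new IllegalStateException("enrollment.password is not configured");
        }
        this.password = password;
    }

    // The secret is only ever handed to the API that needs it; no getter,
    // no toString, nothing that would put it in a log line by accident.
    public void enroll(EnrollmentApi api, String userId) {
        api.authenticate(userId, password);
    }

    // Minimal collaborator interface, assumed for the example.
    public interface EnrollmentApi {
        void authenticate(String userId, String password);
    }
}
```

Keep application.yml free of the real value (the `${...}` placeholder only) so that the file can stay in version control; the secret lives in the deployment environment or in whatever secret store injects that variable.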

Rodrigo Furlaneti

Reputation: 21

Add a StringEncryptor class, encrypt the password value and leave it encrypted; when you pass it through there, it will get the correct value!

using System;
using System.Security.Cryptography;
using System.Text;

public static class StringEncryptor
{
    // Derives a key string from the passphrase. The passphrase doubles as the
    // salt, so a given passphrase always produces the same key string.
    public static string GenerateAPassKey(string passphrase)
    {
        string passPhrase = passphrase;
        string saltValue = passphrase;
        string hashAlgorithm = "SHA1";
        int passwordIterations = 2;
        int keySize = 256;
        byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
        PasswordDeriveBytes pdb = new PasswordDeriveBytes(passPhrase, saltValueBytes, hashAlgorithm, passwordIterations);
        // 256 / 11 = 23 raw bytes; Base64 expands those to a 32-character
        // string whose UTF-8 bytes are the 32-byte (256-bit) AES key below.
        byte[] key = pdb.GetBytes(keySize / 11);
        return Convert.ToBase64String(key);
    }

    // AES-256 in ECB mode: no IV, and identical plaintext blocks produce
    // identical ciphertext blocks. ISO10126 padding adds random bytes, so two
    // encryptions of the same short string differ only in the final block.
    public static string Encrypt(string plainStr, string keyString)
    {
        using (RijndaelManaged aesEncryption = new RijndaelManaged())
        {
            aesEncryption.KeySize = 256;
            aesEncryption.BlockSize = 128;
            aesEncryption.Mode = CipherMode.ECB;
            aesEncryption.Padding = PaddingMode.ISO10126;
            aesEncryption.Key = Encoding.UTF8.GetBytes(keyString);
            byte[] plainText = Encoding.UTF8.GetBytes(plainStr);
            using (ICryptoTransform crypto = aesEncryption.CreateEncryptor())
            {
                byte[] cipherText = crypto.TransformFinalBlock(plainText, 0, plainText.Length);
                return Convert.ToBase64String(cipherText);
            }
        }
    }

    // Reverses Encrypt; the same key string must be supplied, which means the
    // passphrase (or the derived key) still has to be available at runtime.
    public static string Decrypt(string encryptedText, string keyString)
    {
        using (RijndaelManaged aesEncryption = new RijndaelManaged())
        {
            aesEncryption.KeySize = 256;
            aesEncryption.BlockSize = 128;
            aesEncryption.Mode = CipherMode.ECB;
            aesEncryption.Padding = PaddingMode.ISO10126;
            aesEncryption.Key = Encoding.UTF8.GetBytes(keyString);
            byte[] encryptedBytes = Convert.FromBase64String(encryptedText);
            using (ICryptoTransform decrypto = aesEncryption.CreateDecryptor())
            {
                byte[] plain = decrypto.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }
}

Upvotes: 0

Brian Pipa

Reputation: 806

For me, the main reason to not do this is this scenario: the password changes. Now you have to change the code, recompile, and redeploy. If you have it in a config file (or some other way of not having it directly in the code), you don't have to do all that. Worst case you have to bounce the server. Best case - your code can tell when the config file has changed and picks up the changes on the fly.

Upvotes: 1

Zia

Reputation: 1011

You need to store the credentials outside of the code, in an encrypted configuration file or database. At the Sonar end they have a flag for the hard-coded password/username. So keep it in a properties file or some other configuration file. It's also not suggested to keep the password in a String object, for security reasons, because it is easy to extract strings from a compiled application.

Upvotes: 1

T.G

Reputation: 1921

You should either extract it to a properties file. Here you can read how to do it.

You can also put it on the application server as a system property and expect it to be present on the production machine (a Wildfly server, for example), then read it using System.getProperty(key). This complicates deployment a little bit, but the production password will not be present in the project.

If you use Spring you can load the value into a bean using the @Value annotation. Here you can read how to do this.

Upvotes: 1
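The plain-Java variant of what T.G's answer describes (system property first, then a properties file outside the source tree), combined with the reload-on-change behaviour Brian Pipa mentions and the char[] handling Zia's answer alludes to, as one added example; it is not code from the question or from any of the answers. The `enrollment.password` key, the `ENROLLMENT_PASSWORD` variable, the file path and the `EnrollmentCredentials` class are assumptions made for the illustration. Note that `System.getProperty` and `Properties.getProperty` still return a `String`, so the char[] only gives the caller a copy it can overwrite; the point Zia makes about string extraction applies to literals compiled into the class file, which this arrangement removes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.Arrays;
import java.util.Properties;

/**
 * Resolves the enrollment password in this order (all names are assumptions):
 *   1. JVM system property   -Denrollment.password=...   (set on the app server)
 *   2. environment variable  ENROLLMENT_PASSWORD
 *   3. a properties file outside the build, e.g. /etc/myapp/enrollment.properties
 * The file is re-read whenever its modification time changes, so a rotated
 * password is picked up without a rebuild, redeploy or restart.
 */
public final class EnrollmentCredentials {
    static final String KEY = "enrollment.password";
    static final String ENV = "ENROLLMENT_PASSWORD";

    private final Path file;
    private FileTime loadedAt;              // mtime of the file contents in 'cached'
    private Properties cached = new Properties();

    public EnrollmentCredentials(Path file) {
        this.file = file;
    }

    /** Returns the password as a char[]; the caller wipes it with wipe() when done. */
    public synchronized char[] password() throws IOException {
        String fromJvm = System.getProperty(KEY);
        if (fromJvm != null) return fromJvm.toCharArray();

        String fromEnv = System.getenv(ENV);
        if (fromEnv != null) return fromEnv.toCharArray();

        reloadIfChanged();
        String fromFile = cached.getProperty(KEY);
        if (fromFile == null) {
            // Fail fast with a message that says where the operator must set it.
            throw new IllegalStateException(KEY + " not set via -D, " + ENV + " or " + file);
        }
        return fromFile.toCharArray();
    }

    // Cheap change detection: compare the file's mtime with the one we loaded.
    // Two writes inside one timestamp tick would be missed; a hash of the
    // contents is the stricter alternative if that matters in your setup.
    private void reloadIfChanged() throws IOException {
        FileTime now = Files.getLastModifiedTime(file);
        if (loadedAt != null && loadedAt.equals(now)) return;
        Properties fresh = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            fresh.load(in);
        }
        cached = fresh;
        loadedAt = now;
    }

    /** Overwrite the secret once it has been handed to the authentication API. */
    public static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a temporary properties file that is then "rotated".
        Path tmp = Files.createTempFile("enrollment", ".properties");
        try {
            Files.writeString(tmp, KEY + "=first-secret\n");
            EnrollmentCredentials creds = new EnrollmentCredentials(tmp);
            char[] first = creds.password();
            System.out.println("loaded " + first.length + " chars");   // 12
            wipe(first);

            Files.writeString(tmp, KEY + "=rotated-secret\n");
            // Force a distinct mtime so the demo does not depend on clock granularity.
            Files.setLastModifiedTime(tmp, FileTime.fromMillis(System.currentTimeMillis() + 2000));
            char[] rotated = creds.password();
            System.out.println("after rotation " + rotated.length + " chars");   // 14
            wipe(rotated);
        } finally {
            Files.delete(tmp);
        }
    }
}
```

Keep the properties file readable only by the service account (for example mode 0600) and outside the deployment artefact; the system-property and environment-variable paths exist so that production never needs the file at all.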

Danil Gaponov

Reputation: 1441

You should move the password to configuration.

Upvotes: 5
