
v2 -> v4 Migration (#128) #159


GitHub Actions / AppScan CodeSweep #2 failed Jan 26, 2024 in 0s

Hardcoded password detected in Java code

Identified by HCL AppScan CodeSweep
Vulnerability: Authentication.Credentials.Unprotected
Severity: High

Details

Authentication.Credentials.Unprotected

Hardcoded password detected in Java code

Cause

The scanned Java code contains a hard-coded password. An attacker or a malicious insider who gains access to the code base could use it to break into the account.

Code samples

The following code compares a password with a default password hard-coded in the source code.

// Deliberately vulnerable sample from the rule description: the default
// password is embedded in source, so anyone who can read the code has it.
String DEFAULT_PASSWORD = "admin123";
...
String password = user.getPassword();
if (user.isAdminUser() && password.equals(DEFAULT_PASSWORD)) {
    reConfigureApp();
}

Fix recommendation

Remove all hard-coded passwords from the source code.

External references

OWASP Use of hard-coded password

Copyright © 2021, 2023 HCL Technologies Limited

Annotations

Check warning on line 30 in src/main/java/com/hcl/appscan/sdk/scanners/dynamic/DASTConstants.java


@github-actions github-actions / AppScan CodeSweep #2

Hardcoded password detected in Java code

Vulnerability: Authentication.Credentials.Unprotected [Severity: High]
Raw output
{"file":"DASTConstants.java","filePath":"src/main/java/com/hcl/appscan/sdk/scanners/dynamic/DASTConstants.java","lineNumber":30,"columnNumber":0,"language":"Java","vulnName":"Hardcoded password detected in Java code","vulnType":"Authentication.Credentials.Unprotected","ruleName":"com.hcl.appscan.scanner.java.rules.HardCodedPasswordJava","context":"LOGIN_PASSWORD\t\t    = \"LoginPassword\";","severity":0,"codeFixes":[],"hashValues":{"0":968547050,"1":968547050,"2":1976069882,"3":1976069882,"4":1438159165,"5":1438159165}}

Check warning on line 33 in src/main/java/com/hcl/appscan/sdk/scanners/dynamic/DASTConstants.java


@github-actions github-actions / AppScan CodeSweep #2

Hardcoded password detected in Java code

Vulnerability: Authentication.Credentials.Unprotected [Severity: High]
Raw output
{"file":"DASTConstants.java","filePath":"src/main/java/com/hcl/appscan/sdk/scanners/dynamic/DASTConstants.java","lineNumber":33,"columnNumber":0,"language":"Java","vulnName":"Hardcoded password detected in Java code","vulnType":"Authentication.Credentials.Unprotected","ruleName":"com.hcl.appscan.scanner.java.rules.HardCodedPasswordJava","context":"PASSWORD\t\t\t    = \"Password\";","severity":0,"codeFixes":[],"hashValues":{"0":-632616762,"1":-632616762,"2":963010286,"3":963010286,"4":1281635505,"5":1281635505}}