Versions Compared


...

public final Connection getConnection() throws SQLException {
  char[] username = new char[16];
  char[] password = new char[16];
  // Username and password are read at runtime from a secure config file
  // (char[] rather than String so the buffers can be zeroed afterwards).
  Connection connection = DriverManager.getConnection(
      "jdbc:mysql://localhost/dbName",
      String.valueOf(username), String.valueOf(password));
  // Clear both buffers as soon as the connection has been established
  for (int i = username.length - 1; i >= 0; i--) {
    username[i] = 0;
  }
  for (int i = password.length - 1; i >= 0; i--) {
    password[i] = 0;
  }
  return connection;
}

It is also permissible to prompt the user for the user name and password at runtime.
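The following class is an added example, not code from the CERT page, showing both forms the text permits: reading the credentials from the console at runtime (Console.readPassword() hands back a char[] and echoes nothing) or from a file outside the source tree, holding them only as char[] and zeroing every buffer once the connection is open. The JDBC URL, the path /etc/app/db.credentials and its two-line file format are constructed assumptions for this example.

```java
import java.io.Console;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;

/** Added example: obtain DB credentials at runtime and wipe them after use. */
public final class RuntimeDbCredentials {

  // Constructed placeholder; substitute the real JDBC URL at deployment time.
  private static final String JDBC_URL = "jdbc:mysql://localhost/dbName";

  /** Credentials are held only as char[] so that they can be zeroed. */
  static final class Credentials implements AutoCloseable {
    final char[] username;
    final char[] password;

    Credentials(char[] username, char[] password) {
      this.username = username;
      this.password = password;
    }

    /** Zero both buffers; try-with-resources calls this automatically. */
    @Override
    public void close() {
      Arrays.fill(username, '\0');
      Arrays.fill(password, '\0');
    }
  }

  /** Interactive variant: readPassword() returns a char[] and does not echo. */
  static Credentials prompt(Console console) {
    char[] user = console.readLine("DB user: ").toCharArray();
    char[] pass = console.readPassword("DB password: ");
    return new Credentials(user, pass);
  }

  /**
   * File variant. Assumed format (constructed for this example): UTF-8, line 1
   * the user name, line 2 the password. The file must live outside the source
   * tree and be readable only by the service account. Bytes are decoded
   * straight into a CharBuffer, so no String copy of the password is made here.
   */
  static Credentials readFromFile(Path file) throws IOException {
    byte[] raw = Files.readAllBytes(file);
    CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
    Arrays.fill(raw, (byte) 0);                 // wipe the raw byte copy
    char[] all = new char[decoded.remaining()];
    decoded.get(all);
    for (int i = 0; i < decoded.limit(); i++) {
      decoded.put(i, '\0');                     // wipe the decoder's buffer
    }
    try {
      int nl = -1;
      for (int i = 0; i < all.length; i++) {
        if (all[i] == '\n') { nl = i; break; }
      }
      if (nl < 0) {
        throw new IOException("credentials file must contain two lines");
      }
      int end = all.length;
      while (end > nl + 1 && (all[end - 1] == '\n' || all[end - 1] == '\r')) {
        end--;                                  // drop trailing newline(s)
      }
      int userEnd = (nl > 0 && all[nl - 1] == '\r') ? nl - 1 : nl;
      return new Credentials(Arrays.copyOfRange(all, 0, userEnd),
                             Arrays.copyOfRange(all, nl + 1, end));
    } finally {
      Arrays.fill(all, '\0');                   // wipe the combined buffer
    }
  }

  /** Open the connection; the credentials are wiped whether or not it succeeds. */
  static Connection connect(Credentials creds) throws SQLException {
    try (creds) {
      // JDBC takes Strings, which cannot be wiped; keep them in the narrowest scope.
      return DriverManager.getConnection(JDBC_URL,
          String.valueOf(creds.username), String.valueOf(creds.password));
    }
  }

  public static void main(String[] args) throws Exception {
    Console console = System.console();
    Credentials creds = (console != null)
        ? prompt(console)
        : readFromFile(Path.of("/etc/app/db.credentials"));  // assumed path
    try (Connection conn = connect(creds)) {
      System.out.println("connected, autocommit=" + conn.getAutoCommit());
    }
  }
}
```

The class needs Java 11 or later and a JDBC driver for the chosen URL on the class path. The limitation the page's own solution shares is visible in connect(): DriverManager.getConnection() takes String arguments, and those immutable copies live until the garbage collector reclaims them, so zeroing the char[] buffers narrows the window in which the secret sits in memory but does not close it. What the approach does guarantee is that no credential is present in the source tree or the compiled class file's constant pool, which is the defect CWE-259 and CWE-798 describe.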

...

CERT C Secure Coding Standard

MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/)

Hard-coded Password [XYP]

MITRE CWE

CWE-259. Use of hard-coded password

CWE-798. Use of hard-coded credentials

...

[Chess 2007] Section 11.2, Outbound Passwords: Keep Passwords out of Source Code

[Fortify 2008] Unsafe Mobile Code: Database Access

[Gong 2003] Section 9.4, Private Object State and Object Immutability

...