...
Tool | Version | Checker | Description
---|---|---|---
CodeSonar | | HARDCODED.AUTH, HARDCODED.KEY, HARDCODED.SALT, MISC.PWD.PLAIN, MISC.PWD.PLAINTRAN | Hardcoded Authentication; Hardcoded Crypto Key; Hardcoded Crypto Salt; Plaintext Storage of Password; Plaintext Transmission of Password
PC-lint Plus | | 586 | Partially supported: reports functions that read passwords from the user or that take a password as an argument instead of prompting the user, as well as insecure password erasure
Polyspace Bug Finder | | Checks for: Sensitive heap memory not cleared before release; Uncleared sensitive data in stack; Unsafe standard encryption function; Constant | Sensitive data not cleared or released by memory routine; Variable in stack is not cleared and contains sensitive data; Function is not reentrant or uses a risky encryption algorithm; Encryption or decryption key is constant instead of randomized or generated from a weak random number generator; Initialization vector is constant instead of randomized; Encryption or decryption key is generated from a weak random number generator; Initialization vector is generated from a weak random number generator. Rec. partially covered.
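The Polyspace checks "sensitive heap memory not cleared before release" and "uncleared sensitive data in stack", and the PC-lint Plus "insecure password erasure" report, all target the same defect: a password is copied into memory and the memory is released or goes out of scope while still holding it, or it is cleared with a plain `memset()` that the optimiser removes as a dead store. The following is an added example, not code from the CERT page or from any of the tools listed; it assumes only standard C (`memset` called through a volatile function pointer so the clearing call cannot be elided) and uses a constructed password string as input.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not from the CERT page): clear sensitive data before the
 * memory holding it is released or goes out of scope.
 *
 * A direct `memset(buf, 0, n); free(buf);` is a dead store from the
 * optimiser's point of view and may be removed. Calling memset through a
 * volatile function pointer keeps the call, because the compiler cannot
 * know at compile time which function the pointer designates.
 */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

/* Zero `len` bytes at `buf` in a way the optimiser must preserve. */
void secure_clear(void *buf, size_t len)
{
    if (buf != NULL && len > 0) {
        memset_ptr(buf, 0, len);
    }
}

/* Return 1 if every byte in buf is zero, 0 otherwise (runs in time fixed by len). */
int is_cleared(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/*
 * Heap case: copy a password into heap memory, use it, then clear it before
 * free(). Returns 1 if the buffer was verifiably zero just before release,
 * 0 on allocation failure. `password` is a constructed input for the example.
 */
int handle_password_on_heap(const char *password)
{
    size_t n = strlen(password) + 1;
    char *copy = malloc(n);
    if (copy == NULL) {
        return 0;
    }
    memcpy(copy, password, n);

    /* ... authentication work with `copy` would happen here ... */

    secure_clear(copy, n);                 /* not a plain memset() */
    int cleared = is_cleared((const unsigned char *)copy, n);
    free(copy);
    return cleared;
}

/*
 * Stack case: the same pattern for an automatic buffer, cleared before the
 * function returns. Returns the number of non-zero bytes left after clearing
 * (0 on success).
 */
size_t leftover_after_stack_clear(const char *password)
{
    char buf[64];
    size_t n = strlen(password);
    if (n >= sizeof buf) {
        n = sizeof buf - 1;                /* truncate to fit the buffer */
    }
    memcpy(buf, password, n);
    buf[n] = '\0';

    /* ... use buf ... */

    secure_clear(buf, sizeof buf);         /* clear the whole buffer, not just n */

    size_t leftover = 0;
    for (size_t i = 0; i < sizeof buf; i++) {
        if (buf[i] != 0) {
            leftover++;
        }
    }
    return leftover;
}
```

Where the platform provides a dedicated routine, prefer it: C11 Annex K `memset_s` is specified never to be optimised away, and glibc and the BSDs offer `explicit_bzero`. The volatile-function-pointer form above is the portable fallback. Note that the stack case only helps if the buffer is cleared inside the function that owns it; once the function has returned, the contents cannot be reached legitimately, which is why the checkers flag the missing clear at that point.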
Related Guidelines
CERT Oracle Secure Coding Standard for Java | MSC03-J. Never hard code sensitive information |
CERT C Secure Coding Standard | MSC41-C. Never hard code sensitive information
MITRE CWE | CWE-259, Use of Hard-coded Password; CWE-261, Weak Cryptography for Passwords; CWE-311, Missing Encryption of Sensitive Data; CWE-319, Cleartext Transmission of Sensitive Information; CWE-321, Use of Hard-coded Cryptographic Key; CWE-326, Inadequate Encryption Strength; CWE-798, Use of Hard-coded Credentials
...