The Wayback Machine - https://web.archive.org/web/20211003213957/https://github.com/github/codeql/pull/6716

Java: Additional hardcoded credentials candidates 3rd-party api calls #6716

Status: Open
Wants to merge 1 commit into base: main

Conversation

bananabr (Contributor) commented Sep 18, 2021

Included in the SensitiveApi.qll library the methods that might receive hard-coded credential material in their parameters from some of the most used SSH, FTP, and MongoDB Java libraries in the official Maven repository.

@bananabr bananabr requested a review from as a code owner Sep 18, 2021
@github-actions github-actions bot added the Java label Sep 18, 2021
@owen-mc owen-mc changed the title Additional hardcoded credentials candidates 3rd-party api calls Java: Additional hardcoded credentials candidates 3rd-party api calls Sep 18, 2021
bananabr (Contributor, Author) commented Sep 19, 2021

I can provide at least one valid result from each of the added services/libs but as these are credential disclosure issues, I would like to do that through a private channel.

bananabr (Contributor, Author) commented Sep 22, 2021

Should I move this into an experimental query?

smowton (Contributor) commented Sep 22, 2021

This is straightforward enough that assuming seclab can confirm the results are reasonable I'd be happy to take it straight into the non-experimental library

bananabr (Contributor, Author) commented Sep 22, 2021

> This is straightforward enough that assuming seclab can confirm the results are reasonable I'd be happy to take it straight into the non-experimental library

I already have an issue open for this (github/securitylab#432); I just need to know the best way to provide the seclab with the results, as they contain potentially confidential information.

smowton (Contributor) commented Sep 24, 2021

Please add to the tests in java/ql/test/security/CWE-798 (and the needed stubs to java/ql/test/stubs). This is basically checking that all the method prototypes you've given here are spelled correctly.

Please add a change note in java/change-notes briefly summarising what has changed.

bananabr (Contributor, Author) commented Sep 24, 2021

Will sure do @smowton. I should push the changes in the next couple of days.
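The PR adds login-style methods of third-party SSH, FTP and MongoDB libraries as credential sinks in SensitiveApi.qll, and the reviewer asks for a test case under java/ql/test/security/CWE-798 plus stubs under java/ql/test/stubs. The Java file below is an added example of the shape such a CWE-798 test case takes; it is not code from this PR or from the CodeQL repository. It assumes that Apache Commons Net's FTPClient.login(String, String) is one of the modelled methods (the PR does not name the specific libraries), and the password literal is a constructed placeholder.

```java
// Added example of a CWE-798 test-style source file (not from the PR).
// Assumption: FTPClient.login(String, String) from Apache Commons Net is
// one of the sinks the PR adds to SensitiveApi.qll.
import java.io.IOException;
import org.apache.commons.net.ftp.FTPClient;

public class HardcodedCredentialsExample {

    // BAD: a string literal flows into the password parameter of a
    // third-party login API, which is exactly the pattern the new
    // sink list lets the CWE-798 query report. Constructed placeholder value.
    static boolean connectWithLiteral(FTPClient client) throws IOException {
        return client.login("deploy", "placeholder-not-a-real-password");
    }

    // GOOD: credentials are supplied at runtime from the environment, so no
    // literal reaches the sink and nothing is checked into source control.
    static boolean connectFromEnvironment(FTPClient client) throws IOException {
        String user = System.getenv("FTP_USER");
        String pass = System.getenv("FTP_PASSWORD");
        if (user == null || pass == null) {
            throw new IllegalStateException("FTP credentials are not configured");
        }
        return client.login(user, pass);
    }
}
```

In a CodeQL test the real library is not on the classpath. A stub under java/ql/test/stubs declares only the package, class and method signature that the test file uses (here an org.apache.commons.net.ftp.FTPClient with a login(String, String) method), so the test compiles and the query can match the modelled prototype; if a signature in SensitiveApi.qll were misspelled, the BAD case would silently produce no result, which is why the reviewer describes the test as a spelling check of the method prototypes.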
